agenttesla | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-01-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

agenttesla gcleaner glupteba metasploit neshta smokeloader stealc pub2 backdoor dropper keylogger loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://193.117.208.148:7800/-55P7pqBpQdijWOMB9Nd5w7x4wsLqUJqZS-N33VLPVJhDR2Aa4VA

Extracted

Family

gcleaner

185.172.128.90

5.42.64.3

5.42.65.85

Extracted

Family

agenttesla

https://api.telegram.org/bot6702604510:AAHhqcLx9PnHKK0GHfjoUU1QRG5B5kHI1FI/

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Neshta payload 40 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00060000000173ce-145.dat	family_neshta
behavioral1/files/0x00060000000173ce-142.dat	family_neshta
behavioral1/files/0x0006000000017499-218.dat	family_neshta
behavioral1/files/0x0006000000017478-223.dat	family_neshta
behavioral1/files/0x0006000000017478-227.dat	family_neshta
behavioral1/files/0x0006000000017478-240.dat	family_neshta
behavioral1/memory/884-239-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2316-245-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2616-279-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/564-333-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2500-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1048-352-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1148-391-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1360-400-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1688-399-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1848-413-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2272-412-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2752-450-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2708-433-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2320-432-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2388-425-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1600-424-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1912-390-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1668-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/348-318-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3040-317-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2600-309-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1964-308-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1016-277-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2964-266-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2284-265-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2740-244-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f76c-263.dat	family_neshta
behavioral1/files/0x000100000000f7ce-262.dat	family_neshta
behavioral1/files/0x000100000000f7c9-261.dat	family_neshta
behavioral1/files/0x0006000000017478-257.dat	family_neshta
behavioral1/memory/272-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000001030c-226.dat	family_neshta
behavioral1/files/0x000100000001030a-225.dat	family_neshta
behavioral1/files/0x00060000000173ce-144.dat	family_neshta

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-1716-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1668-1714-0x0000000002D70000-0x000000000365B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-1791-0x0000000001060000-0x0000000001548000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
26	pastebin.com
27	pastebin.com

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016764-72.dat	nsis_installer_1
behavioral1/files/0x0008000000016764-72.dat	nsis_installer_2
behavioral1/files/0x0008000000016764-69.dat	nsis_installer_1
behavioral1/files/0x0008000000016764-69.dat	nsis_installer_2
behavioral1/files/0x0008000000016764-73.dat	nsis_installer_1
behavioral1/files/0x0008000000016764-73.dat	nsis_installer_2
behavioral1/files/0x0005000000019c1c-1735.dat	nsis_installer_1
behavioral1/files/0x0005000000019c1c-1735.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
1608	schtasks.exe
1728	schtasks.exe
2288	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2536	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4363463463464363463463463.exe

description	pid	Process
Token: SeDebugPrivilege	2356	4363463463464363463463463.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356
- C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe"
  2⤵
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\Files\12027.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12027.exe"
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe"
  2⤵
  PID:1924
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:2152
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:1608
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:2644
  - - C:\Windows\System\svchost.exe
      C:\Windows\System\svchost.exe formal
      4⤵
      PID:1324
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        5⤵
        
        PID:768
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath c:\windows\
        6⤵
        
        PID:1952
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        5⤵
        
        PID:1428
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath \\?\C:\Windows \
        6⤵
        
        PID:2196
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  PID:1288
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE"
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
    3⤵
    PID:2572
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    3⤵
    PID:1504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:2616
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    3⤵
    PID:1624
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
    C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
    3⤵
    PID:1660
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        
        PID:2548
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\901D3B~1.EXE"
  2⤵
  PID:688
- C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe"
  2⤵
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
  2⤵
  PID:2968
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SCREEN~1.EXE"
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Files\SCREEN~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SCREEN~1.EXE
    3⤵
    PID:1936
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
    3⤵
    PID:2256
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\she.exe"
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Files\she.exe
    C:\Users\Admin\AppData\Local\Temp\Files\she.exe
    3⤵
    PID:2504
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
    C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
    3⤵
    PID:2796
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\123.exe"
  2⤵
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\Files\123.exe
    C:\Users\Admin\AppData\Local\Temp\Files\123.exe
    3⤵
    PID:2580
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    3⤵
    PID:2548
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe"
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe
    C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe
    3⤵
    PID:1696
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe"
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe
    C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe
    3⤵
    PID:2812
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE"
  2⤵
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE
    3⤵
    PID:2568
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe"
  2⤵
  PID:1596

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
1⤵
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2316
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2740

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2284
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3040
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:564

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1912
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:880

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1688
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1848

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2272
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1600

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2708
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2752

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1036

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1792
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:864
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        
        PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1228
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2000

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:484
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1040

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1276
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1912
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2344
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2384

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2576
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1044
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2816
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2240
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2804

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1552

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1940
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:3024
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1988

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2920
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\chcp.com
  chcp 1251
  2⤵
  PID:1992
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
  2⤵
  - Creates scheduled task(s)
  PID:1728

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:996

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2040
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2072

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:900
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1608
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:1472
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2152
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:3028
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
        7⤵
        
        PID:2828

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1140
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2588
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:672
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:1592

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:880
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2312
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2312

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1532
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2680

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2840
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:3068
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2548
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2024
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1028
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:3036
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2584

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1792
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2640
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2736
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1116
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:948
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:1516

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:596
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1048
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2788
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2268
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1148

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1788
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:1292
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:1148

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1616
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1908
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:2480
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:684

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1564
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1568
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1496

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:592
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2288
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2312
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2156

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2840
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2824
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2768
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:932

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1976
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2604
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1424

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2380
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe"
  2⤵
  PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1032
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1036
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2656
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:864
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2060

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1240
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2196
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1732
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:408
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:1124
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2228
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:844

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3028
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:612
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2424

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1768
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2004
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:2736
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
1⤵
PID:2712
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\YHNGYF~1.EXE"
  2⤵
  PID:1620
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\IWAWC2~1.EXE"
  2⤵
  PID:2200
- - C:\Users\Admin\Pictures\IWAWC2~1.EXE
    C:\Users\Admin\Pictures\IWAWC2~1.EXE
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\nsdAE89.tmp
      C:\Users\Admin\AppData\Local\Temp\nsdAE89.tmp
      4⤵
      PID:2012
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsdAE89.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\nsdAE89.tmp & del "C:\ProgramData\*.dll"" & exit
        6⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        7⤵
        Delays execution with timeout.exe
        
        PID:2536
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1008
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\T988QS~1.EXE"
  2⤵
  PID:2512
- - C:\Users\Admin\Pictures\T988QS~1.EXE
    C:\Users\Admin\Pictures\T988QS~1.EXE
    3⤵
    PID:1668
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2500
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ATDRYI~1.EXE"
  2⤵
  PID:2664
- - C:\Users\Admin\Pictures\ATDRYI~1.EXE
    C:\Users\Admin\Pictures\ATDRYI~1.EXE
    3⤵
    PID:1500
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\WAP2VS~1.EXE" --silent --allusers=0
  2⤵
  PID:2100
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\QMBMA2~1.EXE"
  2⤵
  PID:2600
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\MZ0KPJ~1.EXE" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
  2⤵
  PID:2340
- - C:\Users\Admin\Pictures\MZ0KPJ~1.EXE
    C:\Users\Admin\Pictures\MZ0KPJ~1.EXE PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    PID:2512
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\2042YF~1.EXE"
  2⤵
  PID:2952
- - C:\Users\Admin\Pictures\2042YF~1.EXE
    C:\Users\Admin\Pictures\2042YF~1.EXE
    3⤵
    PID:1864
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\XEXBER~1.EXE"
  2⤵
  PID:2572
- - C:\Users\Admin\Pictures\XEXBER~1.EXE
    C:\Users\Admin\Pictures\XEXBER~1.EXE
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\7zS2971.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\7zS39B6.tmp\Install.exe
        
        .\Install.exe /JzZdidJbWMX "385118" /S
        5⤵
        
        PID:2920
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:924
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:1484
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:1676
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gchSirUPT" /SC once /ST 00:33:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:2288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gchSirUPT"
        6⤵
        
        PID:3004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE" -Force
1⤵
PID:1324
- C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
  C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE -Force
  2⤵
  PID:2616
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2600

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2896
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1980
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:996
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:1788
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        7⤵
        
        PID:1608
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        8⤵
        
        PID:2968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1548
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:3004

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2032
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:328

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1148
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1928
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1564
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:1360
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:916

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2664
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1728

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1316
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2740
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2964

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2564
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1500

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2796
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:1620
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:1092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        8⤵
        
        PID:2060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        9⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        9⤵
        
        PID:1508

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2748
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1536

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1292
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1652
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:612
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:272
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1096

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1792
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2676

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2772
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2824
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2716
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2116

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3024
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:2928
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:776

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2384
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2684
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2124
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1344

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2484
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2848

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2004
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1184

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:848
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:576

C:\Users\Admin\Pictures\QMBMA2~1.EXE
C:\Users\Admin\Pictures\QMBMA2~1.EXE
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\is-K93VT.tmp\QMBMA2~1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K93VT.tmp\QMBMA2~1.tmp" /SL5="$301F6,7293273,54272,C:\Users\Admin\Pictures\QMBMA2~1.EXE"
  2⤵
  PID:2032

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3052
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1764
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2840
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2568
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:2688
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2044
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1908
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:2392
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:2588

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2884
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:3012
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2884
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1664
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:864
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:1820
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:948
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1016

C:\Users\Admin\Pictures\WAP2VS~1.EXE
C:\Users\Admin\Pictures\WAP2VS~1.EXE --silent --allusers=0
1⤵
PID:1552
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1016

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:996
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2044

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath \\?\C:\Windows \
1⤵
PID:2912
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2840
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:1760
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1140
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2436

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:948
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:3060
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1352

C:\Users\Admin\AppData\Local\Temp\Files\901D3B~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\901D3B~1.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2232
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:2176
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:2620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2388

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:272

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:1732

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2204
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2912

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:2992
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1392

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1476
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
1⤵
PID:1536
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
  2⤵
  PID:2004
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
      4⤵
      PID:444
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        5⤵
        
        PID:564
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        6⤵
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        8⤵
        
        PID:2288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\Program Files (x86)\ClocX\SumatraPDF.exe

Filesize
2.0MB

MD5
0246d39bf288ab2b34b64e96de7dc11d

SHA1
eebeb18d6fe8d81d78946025bac8b3a794b23dd1

SHA256
4fc2a2200cb579a94dddc09d867f2d31addc0d09f0fa4efdfff049e0bec89147

SHA512
5837fc756db33bba860e0fde32c44f7adfa1da5da79f5cac9376de6e50b480aa622ca3da7ce488b8f4a32f0aacc1e55782de6f2899389c962878377c73ecf647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e2299ea0bb6fa49bb9cd765befe10ab

SHA1
d10c83ed1affd10f3558f56b21c13a0b9b3b5d21

SHA256
04bcb49ed7fc255f011f8a775c1c2f5de0014c3b566009d0eb78a380dac0efb8

SHA512
3fe4482774fc8a937e1007f4898e9d9e1df2e24ef1524c40fc81740bac3c9622c97d42a81342bb305312c5d79a0a6049308e64d40d72a0f185902c1b6d77035c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cffb7da3b956957242ad1cd33f391be0

SHA1
7a83d5c0f12a0824f3d30efe8b91bfd84ff09b88

SHA256
6a0c4730c289b090ec289a7cfd76f92891cede1c97b77f103b23e6b1f5877045

SHA512
8baadbc1de31a52422cccb137f1003438a1efdf41c6485e42979274f52d1a11a8ed329bd84d17b577eb05ba327b111e4a99040b3142da5e677bed16a5d94afd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eee18fca7e833730bc9c51a0cfcc37df

SHA1
31deee117dff41f153301c796de8533d8b75851a

SHA256
acee19da4c730a70cb839839b8ba54db3422c4a140445362dcf6b183a90ad92a

SHA512
0b91131453457fdcd38722386867c1a75696fa88071c80cb879c161c1d89b203879d7ca314e1a6d3d552db5b5ff768fb5d06d56b05c1da47182a159713d1e1eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
162b3226fcdf8d831393addf80edd7d4

SHA1
9cecaaee59a79027e554529923cd3611aed51a4a

SHA256
a630332cbdf684e8bf41c36c34bcc856b9b116f0af785e71babc61077ce5ce44

SHA512
7a940b665cf4b432172f2dacc6ef9918e5bd47f40d5c46076bfb2a840e266b92c7dddef465a2e6a9a9833d64a646eef24fa236f7145f8061f43b804791d52d24

Download Submit
C:\Users\Admin\AppData\Local\K28U5Qpcmn7SKQL04KANw7rl.exe

Filesize
260KB

MD5
d4be068cfe16186a754c17e1402dccbb

SHA1
27aea353db3fa89dadf123d29f14939478a593bc

SHA256
ebfa9cf1dca144bf64a6c929e3a7ec1281875232909eba0d7cc008e73f638838

SHA512
828187caaa23680230a5a12525fefebc18c37fdb12af6b9bd172b6f41a0ecdeb2bd664f25bbbc748ff99ae71caaa14098bf2da01c0da3bd520e7d0a8b7e50696

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
8KB

MD5
37c98a45ea852eb31de5794309b9cb58

SHA1
59ca5655deb16c6dd9ce5e1cdba25a0fc94cb049

SHA256
e873099eb9bc737a78e35f38e67a79f4a998460a66240f6e286384efd51d5f6a

SHA512
e1bf4745b696ab9888b3e56a6a7b36d678cdd4ff048b8480e98e889d5e9a66507a5f549e4227f397c2a9066baeac704ef681b2506b1def682be31808915dc87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
26KB

MD5
4aeb554edf7006517b595cbbade59c83

SHA1
94c466b29d91892ea9d254f50f6d660d9046e936

SHA256
ef3a948ffa1cac118424a07d932b9883ef10634d094e99c9c4cad3e462129117

SHA512
a76452c5c527a5bb0a076ab13d39ba13ac83a4058992b5b8872c6e697614ef319dba3d840fc5e96dab81d863f7a555be576cc99c75038146eede5e0f15c3e2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2971.tmp\Install.exe

Filesize
32KB

MD5
c2e7a1b5749409f4d5a82f8f0093b1d5

SHA1
0c8c16069ef94261861fd07a72479ca34affa3d1

SHA256
98e8488f9678ac675ecef04e36ddc053e26a4b6ca6d90d4f7e08274d5734527e

SHA512
73aced73d8dd98379519a0b7720834494f1679e606228954414bc254853071799c1819145295c4ed7bdf4f1e7105edad916eff82d33db74e71112be337b90dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20DB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12027.exe

Filesize
445KB

MD5
97fa4f6ddc8e0ef56d29177452de332b

SHA1
d11d9192d4dc29e0a52d30bdaf8b1fa34fb2df8c

SHA256
fe3e3cd78b924e48b5334142f977fad98276147f53172e1a7ec1eb8c8dd9fcf1

SHA512
f02e33c13c2ca07a00132fc7638438b986405471e5b3f050b7581aa91dcb2963c41fb2873afb5187825601b2907c9497e73116f5a1269eb2d52d051b1eaa393b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12027.exe

Filesize
663KB

MD5
0c7ba5018d7e448b0c800012c6d7d0bb

SHA1
794c8e3c9ce24903492c20e22e5eae6861b78ac7

SHA256
51826e915d1351b374970d2a904cc04407a6de22740fb2a2e131738607add921

SHA512
838d00eb0e845d1e963b3f2f927916a542762e2ee725bded16bd8a409bfa887d07f6e45c713a150a146d2cf915d5021d4783f5e1c05c5cc4949916d82eb8a5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe

Filesize
419KB

MD5
868da2f5e377bcf17fdd4f06726175d3

SHA1
896f68046aadf4713dbf89ecd89fdf2a6377e39d

SHA256
d51099714e34af6cd9ad1d7642bec3cddeaaafa52483a4feb583aa6e1adb2601

SHA512
673a736dd43c3bac71a1719f81d605a55fd9fc969ed256bb8ce13b1e0c364aa5a7402b93127469af213fc8605908331559a33f4274bab3f45c5bf9fcc95f6241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe

Filesize
529KB

MD5
eca19acd077a73aa53d1d6598fd48986

SHA1
38d8b538c49f5af1fe346ecc8548e70c390c90bb

SHA256
5f3774e6909bc5000d0cf95ffc94a2bc89d5ff530f285b86590e8dbd5105e448

SHA512
580e63f08c86d43549c90fa84cc595f76f1d4688400179f67fe48f0cb60a4851c4dfa46ca7769e6bfbe1f0fbd74b03cdc44c8b38f5f72b6c42df1cee0710cb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe

Filesize
72KB

MD5
9f4a5ffa55c42cdc2b338b2988064a68

SHA1
e31b8ea636cef840ae500fbf95cf76caa75a7c1c

SHA256
ca62c0c61f385358ca0217b114e31eef2949f1ad95ed8604d756999dac40c643

SHA512
32161f450d1f411092ac1b18977ee559df59b84a143ccfcc23001deb99e2fb4c1990246bc174540045ca37a2f3aef4728ed7ca2e478585e48aeb544137c38a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
151KB

MD5
2ca7d0c801694a8960f71417453d7ded

SHA1
969e42cb3ea0c7981a778ddfabf15ebab1433ff4

SHA256
f3a32fa2dbf22181e9d4bbda5c0294835eadc69368b28bb73b9d7ad9ac6f8829

SHA512
9e7932d516a9744ae24d3cf1e3ecfbbd6533f038b74f82358bd09f632aac6b2b8d66464fe589e42547f99189cc54cbc80cdcf34e9dce91bde40b7cc0b431b70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
232KB

MD5
263a151fa1ba2a1254fa190a8d91a707

SHA1
4fdabe355884c00a4b3d35653ce8d7fab5c8dbab

SHA256
170facbb1f8d0da63307ae09b3fecc518b1e95a2cc111631865a038677053190

SHA512
80071cc5c0b31d8e85bda5a95bdff5776b0c372ddac26982f473536ba29bc2a97b6e80afef0d63a7e68c3d16cd914604ec8c8bef7264cc9e53d595c0a25a9bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
68KB

MD5
834f4e943037c931d7ba909b7e7e2045

SHA1
7e9c196fd2f8ca98c9ac09557f88b7fa22e20c2e

SHA256
4d497a5aa77ec38d89ac9a3e97017aa581b8dfe4939aac67eb7ef4ba2a764b14

SHA512
63dff0881f53e3981fb50a4196c81e01f116df1b435aef373c6afd97e29ba5ec84fa69b09103892f4ac5c2e3b1ddbb91ba5e997c983fd50671afd83494301fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
71KB

MD5
e11d03a0f9b119eb331f74897c89bf5f

SHA1
e4d501ca9cfd89cc8b8b7f96e6f89e7fe4a7f1d9

SHA256
1072289c832ed1e8cd3508674a7a0edce42d37c3c526b0c842923af8a038995a

SHA512
b6cb9ca434eb4b6bb0f48bcccfe9aaac5e6fece5729850af2ca58489fd98ff56e5919e91846e8f5b6f1f4296613af9fdecde1e76e483390631032544ef00ca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
315KB

MD5
a298857ad0f136bbacb3497eda96827d

SHA1
f47e3269a7d36d04c9a10a5b02a77d2e00fb00d2

SHA256
10e81816afb5aa0f02c9ab37286e31005849745cdb2e3f63fef6fa35e3743a52

SHA512
042dc4beaed8188e667f184adc05603237da042d90e9f8e0325328f915855e01a92db12b06e10986f0737491f70f1f995100feed8b561b98f824f90f5c4413b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
97KB

MD5
603209993b1dc75ea0a04f5bea0406c2

SHA1
f943e7da27b8501d2b7215d30931899e04227d1c

SHA256
d8e43596eb369930f9e762485e3c1499fbe1ced4744825d43989d0c9db001130

SHA512
97d2095a7586e7bded32e810b42a717d02f1ec2b11acb42f3e8dff05144a1cc59da0c8bea5917aa7e898793c15f84b7ea339b1e1617f44751a939779ef532139

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe

Filesize
234KB

MD5
39d19848d11f105b8271760bcabfd79f

SHA1
d74fe12af9547d022e59123da89e58b84f3268cf

SHA256
59a3b09f15807077353511a9b20f07c7b4d5ec0283dd1729d6a1b458ab34cc88

SHA512
3fff55cda3afe0b5a2bbb471ddecbf2c0d40a45105630dee0f1b21464e606216c68de4cfc02dc0c0dfe1344375040448f174c1a7047ae316a09016711488914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20EE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdAE89.tmp

Filesize
309KB

MD5
002ae434861fa9076efe4aec951254bc

SHA1
2af2fb78f609f8902adc6f8d19ba115761a60179

SHA256
ea0220b1c2355dff7178d9fc9a7c60e3b1477010b8ebb78cac066933d8647d96

SHA512
b0a6f77b595cb001ed976981e53d0982ef25b796f1d72f5f504efce974e1f87c79dfb585ca401d9437b5d6d01133ba37d9ea3265cdce9c6be6e0b56c495c86af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB405.tmp

Filesize
700KB

MD5
312bf7e258db9a297152c3dee831e93b

SHA1
edc25d1776a1199428e094696979baa3689a4798

SHA256
3c31fc7d7619db4ee285685d622b82cffa3834c1f2d0ba77d0f6e75690397d10

SHA512
1efdd5adc7b1bef60a8238534cc52eb706b10602ce657da74785878ce5d5585a255e4daab810d487c78905a64bcb3e1f908aba6648a0b9db7b4409c2ee0ff998

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA7E4.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy360F.tmp\Checker.dll

Filesize
41KB

MD5
15d08cdf9b65dd72719cba1465e43739

SHA1
49023d696e3fe9141f22a4b88e67f1e05deaacc1

SHA256
a34cdbe03e066f4ffb7431c806c0600e5e7d4dba239174c373b2445dba3f66ae

SHA512
34af6a638e538703af3ef9b52b2a68a48daec1be14f77b6e464882f8f6d2ad670903cfe8d310c750d39624facf14184d6222196aec92231253ba868585b9f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy360F.tmp\Zip.dll

Filesize
76KB

MD5
542567398f77e95808afac5f96083c11

SHA1
d85c2129928188bee8fd48c5549aa3db4aebc462

SHA256
e5234c4c4b82edcf6936eea28b0f9a447423c9358c4c5a4f230897296f3f2d42

SHA512
3ae6c87d543d8822bcc26e327365218b6cb16d711ba1def06f8b796760badcab248bccc74309d8eb27e363d65af92307f76f38f013966188f1f1463152ea8b19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95O4E64LD89KRWEOGZ1W.temp

Filesize
7KB

MD5
4ea1209b0fd8d3012dbb9e8c1af69014

SHA1
de9dbdca1e9a70285c11bbe8373d020125a0ef52

SHA256
279d24afcd937c70db72910ba6f282d1ad5e1b729f3e378bc78dc7bfb6918a5b

SHA512
c17187ca35aedadc76346fae423591fb4d6f21a2189dd5dc75554dbdaf6c455a54e59f7b8368006cb4d4ecb78155f6d9573b3cadb188a000656b6c379b4265c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PD2VXKTASAVUZOO0296X.temp

Filesize
7KB

MD5
0a6267badcc9448b993642f56cf55c5a

SHA1
779baa51312132f3082c25b2a09c03491be61950

SHA256
4a88b3b9c6eb019c3ac14839917933c75ae5646498b04e4075d9035e95568122

SHA512
72d98dcdb181f7ec5630382219623f30a65175b8ff80b24ef4fbc808e5958349ccb6f232de690e0a7091598b1b9ab4a39b0c8f3b288d9a8e271c6ba2227e7fad

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\ccfcjue

Filesize
49KB

MD5
021eb1d658077f01369da777fd605b3d

SHA1
a2baa909d73d576e3f79126fa9d798d0c122dff0

SHA256
f5071feb9186f17764f9d2f63bc8f409a208a0df4bc42a3f81c32fa8ad152a2f

SHA512
c31aec1f414943af30c18c444115d06208a1dd78db39094e5b37a549413037716a1076379b57e05fea50c1335a4428d4c640c0561511b7b15a50ea21f84e30dc

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
192KB

MD5
a4bc988675f206a405a2260313e70c95

SHA1
c9a932564c45e35b05984e4de8aa6d288269a8d3

SHA256
dde114d3b7b13344f1a0cfa60270f2c441e470539f03949802e1f3325abdfb70

SHA512
f25f53e2a241651783921dbee876992f927186ea0a0fd9f6e9a0342b8ea2695e03707b6d2259a9b4dcd0801359a6261d4347245c026decfd4762101859fe6598

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
64KB

MD5
fde43191bd272f1880ed255702e90c79

SHA1
06f6397b338e4bd83bef918728072887df353b88

SHA256
ea705565d7297ffd629348813d40d49b0626748784a39e244bdad8dfcc46f9bf

SHA512
f7fa5a77100311b0b7d9a48b8598ba8f45de2513e2800c4a746196c97fb08652ab540c358a6cb2c23e4145806121b8c6f9e777989d2126f7bf1f5c136e7c0ff0

Download Submit
C:\Users\Admin\AppData\Roaming\xStXz\xStXz.exe

Filesize
496KB

MD5
0b26f7b7a37aec280212b187c006f3b7

SHA1
dcd0e19aa5a0d7f7bb1b8bfcd89f4e31ea6c50b3

SHA256
30a3aefa3d3f44de2ed5effb8d7607c676b05d4c761b42f5151bd9fa0de5f959

SHA512
ff789b64caf0837278282ee8dea34b4c9a84a2fde9adf131cc0e6bad67bd3bd8e849dc7be9ce02498db2cf763d6cc887906374f88805334b2e3d9228c5715a5b

Download Submit
C:\Windows\directx.sys

Filesize
104B

MD5
6dd5bccb636ded7476a32231524c5568

SHA1
6f48fe463d0f8f10a5afe966da1a3c7fdab24a6d

SHA256
642497c10f8166804e01a98d52ac72338e21fb853b0f38298dfbfe1b5c34187f

SHA512
e41bb24ab36591ca6664a30eea06a1125b3b5e4890f4e083fe066a74f3233d015fd25394d79cf8ad36eff10c0c9eb3522707202096eccac9d63514ee223ce611

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
c0b10143454d77739a368e04e0f35df5

SHA1
f3af68a474210444d81d85902d20e1b358dee3cf

SHA256
2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084

SHA512
d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

Download Submit
C:\Windows\directx.sys

Filesize
38B

MD5
d4b9fe4367f2831c9754d1245b5942e4

SHA1
a5f8569ebd2b1be3e0e6c35c575b59a349f292fd

SHA256
5ceea6257c272c379962bfcb2cc3b739f2a3bf25a09a4f53b5c68c25b833108f

SHA512
98c5def97c7deef89ef27673f899273ada07098bedf8c13e67da0eaf760aa62e365dd5e4372171b2b291e3be9aa5cd7acef2582d78da8699c126e7e319ff8dcd

Download Submit
C:\Windows\directx.sys

Filesize
91B

MD5
cb1eb0eaf9029edecf08245bde75c390

SHA1
dd37ad0d3e9b1edb1c6f90fe938436cb796d28a4

SHA256
96fe181c5da71dc12f568c15a3652edad781c76f661f9bd55434e760b36a35e0

SHA512
7b4ee5047c6b173503b9b4027d58e077ac09cbd0aafc4122eb73ca78bc2aa72425d38ba1829b0dff16687cc8017f814c33760dbd5c446dd22b07961c778000a6

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
aff1c1103f7e7fa8949777b1a14e2dba

SHA1
e465065cfbb345f53451d95d11308215b752767b

SHA256
8a34a96dbcef503aa017cf4ea8343f5e828347af582153585639daa27d9b6f8d

SHA512
4aebe41e73d6c78d5e5ad6b1185b5c9f3dae3134e965ad70b51b51e3e6d06d0d91989f70d67cfd315a012efadc07dbaf0443537c31b5c4f67aa7eaf88d01c610

Download Submit
C:\Windows\directx.sys

Filesize
129B

MD5
d0dd735becf364ff6afc11415c4dfaf7

SHA1
d29b35f1de2873caab477d8d1b2e55ac9a2fbdcb

SHA256
3c65dd8c3fbdb013521767e727330d51270058bd4f1a41bc942059ba6fccc55e

SHA512
fc96a222007e43ea9687d9d6f79305aaa662bde1e83ed3b0036d4ae4977a0cdab2688a435b285525d337f28a11905678a0e31a81ebad8856dc2181b294738c18

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
ff00a133611084ee2620f5946a27eb9d

SHA1
8aa9fbf9a8008a0368f887a1d9158923491c30fa

SHA256
1250683fe83cea1c64c7bc54859c708b06df6ef80628370dec8c3e7c83741e77

SHA512
9d933ff05c5da94436635e811bea69e3a70f2bd73a55076bd449ec26fabcb2997e8f0f071e050c859ca042ac72e7741d29fa62c60a65128cb50b695619c906b0

Download Submit
C:\Windows\directx.sys

Filesize
167B

MD5
9c455430d46c4a1fbb3edfa1b91c18a7

SHA1
aa8091465c54760b7ccfe0c299b511a975f12bac

SHA256
9920d37cb6c1090cb7c6b2c26e94d5d01bbe2143ac489092faa93e96d90c7dca

SHA512
a9a42e78256a278e1e43fe8cbfbdda2800c75e166c1160c6e54e52430e13db0b176322cbb01ec4a38021a3b7bb0c1018f0421ec26bf4b2e96a34194af2486363

Download Submit
C:\Windows\directx.sys

Filesize
152B

MD5
7b2b8cd2bdc523725deaeac52772ceb7

SHA1
27e8df28445a7a5f27fc9213120fea72b75786a6

SHA256
c5ae8c7087f93f5113d10cf9ebc77cd86c10dfc1e3af11206ce259d81a94e2e9

SHA512
fc0e5af909c1fdae44c9f75644cf2381030bd77dbbe9aa26f7ce01d21a737a1c8e5261980615a1f642907cd98b24c9a404dabab7bdafd150d5f9d1cdb26e6145

Download Submit
C:\Windows\directx.sys

Filesize
190B

MD5
94aa7a8e4a6bafc416cc8d8c612a9cc8

SHA1
cda0f69fee52df9cbad3197954c5fe50c03f878e

SHA256
c0a6c98f8e8d21b0cad040d6cb4721d0eaad46d0181e84fa4969c9d40a1203d6

SHA512
0e9ced1ac98db5a90f2ab2e576fd5cbe4bf99925ca1d6e89f27394e61ad0c655ae9b04e36ae9f408aa22ee5aae4bb2f384bb469c971feeee3e6f62f75ca85218

Download Submit
C:\Windows\directx.sys

Filesize
205B

MD5
08190d039f9f3c6dec25e1b89c60f551

SHA1
b753de68d7a4e0a78188148b297cc6c7845564d7

SHA256
9f307d916bc4b6447c65ad92a672ff536688c31f1990c1febaa4f485a549cffd

SHA512
f56e89a0a4a6c30178dd75198975490cd20d858f878be9c53fec64fd39c52d367f6db7492306913d70b5d3277e6565902a1b3a1a27837576f584c56874fa84a9

Download Submit
C:\Windows\directx.sys

Filesize
200B

MD5
8e71e5bb85be30156ad106c6a606fb79

SHA1
87f6245bb5a443db50d6376112b926c7e9be663f

SHA256
5a2de611fa8fd7f21d2d0cc198da7a5e702754b61ce7968f6711d34f58c88297

SHA512
f88a02e3535a20757b3aa325a1096abac25905629d076bcfb7f239585ec67e5c14ab8b2f5986b5b82eab52dcd2d6c80881ddd4226030b62d973f07e1e4606557

Download Submit
C:\Windows\directx.sys

Filesize
200B

MD5
d111050b2ba960b2a512f00b8530af81

SHA1
d41e78d633738336c35dd0558cb328a8a560fd15

SHA256
bde004f411199b9550316ec9382eb37869b9e45d714838d8bebd1f2096337c3f

SHA512
b5fbd3ff02ed890fac557221cf6ac549b46f1d6ea3cabbe953568e761a1bdc5abae15ada8c7bf30f34f9ef3c6df74aecb52499c9481a5e276b8b6e982fd16a97

Download Submit
C:\Windows\directx.sys

Filesize
203B

MD5
5bde5334c5f11f8b3fdb71d11b8d8916

SHA1
ad2c57b7e925aa52dcef8a7c1676dd3d536b4359

SHA256
7162dcfae22545113629bfa858587efd27c6cba919a15cf301beb717ab28a961

SHA512
32878df6e6d1cd687f6a488f328ff3ab749c353ed1d8d72bffb343dbe93664c3f62be8cb79945389ab23a920d1e643a221a55bd44ddc4e477bf8150c2b7dcbf1

Download Submit
C:\Windows\directx.sys

Filesize
183B

MD5
c7c3b4bfaed9de1ed9eeccd631829f1b

SHA1
7e4ede4179632871ef8c41f15f9267043fb73198

SHA256
5e0b23305217190f2650c84fecef219fce64fd7a39b08385ad33d848f449f4d9

SHA512
8eff43bd53aa2d7ea749c1d4baf6f23a5bdfd9d1b322c6412da15650e3f4aa750ccfe4e5398aec7686c8b4aa9049e5e1381652e138c1dcd65a91e2d5b1f11e8e

Download Submit
C:\Windows\directx.sys

Filesize
190B

MD5
705bf1756c4a1dc6c1a2f68ba228d26e

SHA1
489eba841a7659ca888b8e04cb0d9acffd75ca1e

SHA256
935e120a75dfe8587eb174edce0468c1a3fb89b7f4b72992ee91b56da6129165

SHA512
523f51d7a969766e9d92d62008caff0adf103be8b538b3e6dc3fb50817eeedcd3b9b1f163cf9c63ebbdd4ade7e960b4e384a0aec76392fd5d067a1ce36406146

Download Submit
C:\Windows\directx.sys

Filesize
240B

MD5
4fa49db023461d6a6140b204cdf60e5e

SHA1
e89c92610b5d1ce22a5cf2c1309306ce6406d929

SHA256
dc07f81d4bf482873d39ec70527c9deaba193655561e93dce4d94b3ff5b11f1d

SHA512
ed35e8e2f660657d84aee8c2ccb2418a89f95e10b59184d41561601c939feb474cb121a28b5aaef8bdd05c2491ea799a3a534f12b18da5e695347eeda89ae34e

Download Submit
C:\Windows\directx.sys

Filesize
243B

MD5
d9233cbe947fab27859a4be10f4bec12

SHA1
e3d1a2d8208e97d5b8e4315bee5d7665cfee5e0f

SHA256
223623c8cecfa5cc478e45b4e25e6682f18a84ac25337f053e2c2b7b1b871faa

SHA512
d90c0d3542c83210b3f67a1ebba03dd2b3248d751edf6fcaf8aa1d2fddf515b71f9569cad79f65b57626fd994cb008a802ff212217abcac04e991d867e282fe0

Download Submit
C:\Windows\directx.sys

Filesize
219B

MD5
73fcf0799a1aca469e5eb9e95167fcb7

SHA1
a25feeadabe0830c89b4f7d4c435b7c00183ea9d

SHA256
cf8b760681c2cbbb075bfb87051109243ee5be0831613658c6e2ba31ed240d0d

SHA512
1d97ec986ec5bee0b0a379fd4f12c2cc3c59e8e5a66cb14725195f15a610d749084d9cb38928ab59994162828e85267711bad9b1cd7ba75a4b863fd5cfdd9809

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
243B

MD5
a2573f38357cf20efdeaa419e5d8b157

SHA1
fa03c8583831d84fab282a6d20f87caa8d77c2c4

SHA256
71c2b8e17ae74890ada1888d3f91c91d64d16e3063546c80d4ffcf09f788332c

SHA512
94dc81fd33571dbda8a54e0660e71f35383a0ae26e980c2d795dc9b1c7695104d571331b61494694f20c141206ec3b3287ee30bda7ce621990debd4025be1904

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
399c35b4f86b376533e886c6e59f5ba4

SHA1
037567c80353ac2badc913452c3a176c5dbcb7a0

SHA256
81b61fd24260e4abbc1eff8a76bb617047cf96865237c566732e0e73a369300f

SHA512
d978ca27d76cd8801f167e81f496669b8ed0d646b8904b1161c6b812c82270d3679e53805ba6b89b82371c7eea7232b84711e71e8495850ae701037716fb6fcc

Download Submit
C:\Windows\directx.sys

Filesize
152B

MD5
04d162a7849ef42cba80c1c15ce1c9d3

SHA1
1275dced20dd79bc2963e05152f4da743b956b8b

SHA256
a95b73e201c10728648dc78b2a4e574d92f3d8a584da562f4078710fd26a2180

SHA512
ad4280e06cef95879084031a9951a608b5d1b81e524b84e87a88c6149f11b4f57cdb9cb76d2a7ff4532c8dd431229bb7a58d20365bd1423cd29b5abe12618ffd

Download Submit
C:\Windows\directx.sys

Filesize
203B

MD5
5033fb73d38e36693dc8c70364311485

SHA1
1459eb0f54b0fd9a5f1b301c8b0ec129b7ebbe52

SHA256
50e9d7916f32b8a3667cff79abbca0e867ceb0b5bffe794253e787442314fcd9

SHA512
6bd216084eff0cd913def8a26a9b08b53dbc50b410754b460ec9694e5dabe8b0f7472ffb40e035eab4b1e9045c3c9944b6438d8ba005e3eb8fe0a94e8d92fac9

Download Submit
C:\Windows\directx.sys

Filesize
202B

MD5
847d27794d61a37b5bc772d13ff011dd

SHA1
f720dd3881839a10b8b5682e7f14666f6461fa0d

SHA256
30a6efae8566425158447663971cf18c7d24c8fb9c181b0f968eff962dcb60e9

SHA512
31f547da5adc32611f67f199986fea596ab5be2c6121ead2e59d8865361c34bf9434cf2c4e97200417b97c4aa2e0aba7dbea21f68be9f3fa7c5ff385dbf34f51

Download Submit
C:\Windows\directx.sys

Filesize
205B

MD5
7682fa2d123dd9786e75f98a425f5e1d

SHA1
c3b9b6aab87585539c1f18eca1412820cc26c429

SHA256
c9324b28c4dd7b6ab2b5eee17fa18a103facec8f9de512d01ff222ba7bba15e7

SHA512
0746b0a357ea33027eabe536eeb58c1543047736a8f2522127f963143dbb3f82f3b1005f67ca4f178c0c110fa2fe02d138ad103a405f282ee4138dce8969a025

Download Submit
C:\Windows\directx.sys

Filesize
205B

MD5
a0cbe44711932c7a29e6159c8c9d38de

SHA1
39808d746d3f7ac3d68dbe23901de46182dfca52

SHA256
e57937b82198d3e6ccf911621ff37e5fad6ad7ced34b955fbc8cb19391336815

SHA512
1b41b70edff23dc4bcb770e1e580ea3c04320233e0e0300550913e1682e366c4bced55ea2befb753918f07bd7c84cccb794464479419c1fefb9e9b273a185c6f

Download Submit
C:\Windows\directx.sys

Filesize
195B

MD5
5823910510b645072b1e35a763ef8eef

SHA1
dbfd31cf599758593a11cbc4e798d6f432aa2df1

SHA256
e72bfc06bd7894765bde1e13af6ceab8f97ad9a150f4d747e70e7c8e542e957c

SHA512
57f1878ea2285d31eeb0990d06bb2f466b97e420f873fb787325ab3d6bfcb91c3483a1973c803d2f92cc30de15917485f266839d0efd816e95f666ed03978609

Download Submit
C:\Windows\directx.sys

Filesize
167B

MD5
0c853ae0371937ee639d55450a0c9975

SHA1
f2d44162c84838491fe687a153769d6f1fcb702a

SHA256
9b1b4c3e41085d8d50179002c041327af3dcf6717a46fb67304c166ede6b9eee

SHA512
573e1830fb97ad2ffa23e572f0312a3c8e73fec0bfdf35f9b590949b49d7caf93cfba14fa9b82fef35e881d64a3c52ffb50c5e5924f076058f30125dcb9758e7

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
b2e2de2a1ee99c9ca3cf8813ad70069e

SHA1
f70c4e98dc32f6ea0807a40ef055a65439676456

SHA256
e0d4c06d9b6bd2ebc829bebf73ead14e599ac85435345c9f9a257d5ff0a205c1

SHA512
8be70540423f6537c4fe7a5a4063dd981aa2c6cc38ab97fbc966c15be5f423f3f4be401c94fb5749aac05958afb339cf379c611db020f831d37747476f2f07c9

Download Submit
C:\Windows\directx.sys

Filesize
165B

MD5
c4b6d75d6927bdcfe40d76659ccbecae

SHA1
4f7f3157e5b0fcd85ed0abb9beec17050a648515

SHA256
0bf1c0fe18d86a5f382e155c888f73828c34cd952cb4794fbcf376c86fe86a88

SHA512
a983e8b0b13f79223aefa9d78589cc7210be143b7c60124ee860e05124169e9f209fed803fc96ba39ca6b1f69be4b7a42bd377f6c5739665ede6b06ef1864a8f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3a5010f04d65af79439be4213dd381ac

SHA1
dc4cda205252ba27ce3b844db76fa8b163a984a0

SHA256
1e023aa8cab516c6f29504d6d3df35df19dd69c86919bcfc1bd85c4df6913312

SHA512
1d96bd63a17f9e6ca93dc1016327a8299b5b99521480a1f5966b89973c3dae1e7eb87cf2d1982354df93e63d2de0c6b05822c93e60b12c0cc3e309aed8cad0a3

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
275KB

MD5
009187518d3c0f556c240f6376c93835

SHA1
be59741a375e9861be50b67813b260df078f01f1

SHA256
833a6a2641f9d77e8879833222783e75d49b7e56ca9f4badab816b2ad37f6e70

SHA512
8f25908e157435816a87557a2d8bbbf1a203fb2520d9a6b7c8f2b968dcb5976908445ac2f435c927f67a4aae93d318236bcc90960612bcc156243824d3008799

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
126KB

MD5
06e0ddb22cb22a57d634ddd1910a02b7

SHA1
20a9f18a39ea664d4cb31ccd25ab9e8f002cad0b

SHA256
20103a316d26d7584115155fa57b2be5c847500ea83df8d36703130486e717ad

SHA512
e693f0382861a04da5feb7fb6fbced80d77b6e7e2e020443baa6e127a56bea0e039364199e0dac600caac0a680ad0d94c5e20b83c17f4f82285b213b34149734

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
75KB

MD5
02c0caa4b682db7fa2924243739c7b90

SHA1
b5c8ef719de8d238b9f598175c2f614d42cc30ab

SHA256
425d63cf4dbc91c81aa11ca51f671b31fa654e55f4755fcb14f89c235d98b417

SHA512
a65e4dcff032aa9983666a6cf4b0dd36fe0dd8c8c7f1254e97f9d0b05f5135535cb443f205e77d374e83fa718f36fb382778ce950a67f4584ba348dda0702d4c

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\stub.exe

Filesize
239KB

MD5
2237e52c3c4dd11082f2e332ceb03f2d

SHA1
45c85ca0c84da45d10038d5aa8b7fe5e8cc18c7c

SHA256
60c661843516b22d38430f320d54fbee57d3df84a72d2b0ac54fcdacd69d1b83

SHA512
16271dba25b6778908c94bc00ce1bdde77ee6e1b2fd6d695765ebc78ec59184af49102334af2e1ec58af5e366adad4c1b6cfb90d83f76316a46e7d9aecf05387

Download Submit
\Users\Admin\AppData\Local\Temp\Files\12027.exe

Filesize
547KB

MD5
f03c928645d0e8b2955178e4a32032b7

SHA1
e475ce6670cabee16f99c707b6fb24c1b96675df

SHA256
80d96543b0d7d4f526cc0f889d636527410025126f6f68c0f432f9e26a08b540

SHA512
cbd0b07d0a3ee4e402ec04cd9f0d5f9e23bb09681f6f0eba2ca5f1ec49752d5490e176c07fc68e53e1ce809870a1c8119d00fd98647c5a829473cc91f3d6d21c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe

Filesize
380KB

MD5
738b4877d2e1345bb2f2d5104d7cd86e

SHA1
b6f554b7280b0243375e40946ec21e0508c3d95c

SHA256
824d3aa9bfe100b9b296b05e7b5a508528b584ffdf9150c41a7be044f4f21073

SHA512
9de93d67b7b009823c5ecfb9af00abd0420260a5cc627f4e3a46b70b3219b3d8e1812b3fac302ce3ae19021a6b42e2614d337534547f47434b2c2521ea41406e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\382498393934ena-rr.exe

Filesize
323KB

MD5
c40555f144abefba1c6c46cc874a4e6a

SHA1
1e14ac89dcd03807abc6b389fbac69b59c4f92c2

SHA256
33055ececb1af58cd941683e0b37444d92902f89ec2116d5d7a32f469f5807a7

SHA512
b9916e10f054199f7a4c4164a772ee8d88c4bb29febcc0aa7bdf2e2ebfd465d900ca96438c91b77cdfd471099e72ef46ecbc008d118f78cf5cae0cbef8578d4f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
81KB

MD5
301a6b8fc48d58328c42d730293952dd

SHA1
c16476046bc177c8b04e05954d3590cf26ceb667

SHA256
d18115903bbc8cca255be47fd6209c7e18429b710f873fbbc1d3e685e4e5e468

SHA512
49f9c9726dfab05638cff9c63a52979a5bb53ed9eae4a44b21094fa3619ce4dcd2e747b0e50db73dcf0b8954cd81b4108ad7879f904071d3d393a05314a741f8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
33KB

MD5
72e6e9f41331b51132b4a5f36e286e73

SHA1
4b71e0cbdaa2e2df1385e61ff9b8499b77fcfbda

SHA256
0e6e49b4f7558ecaf7f7335bd8cd4129db4ddeac2715c3dd55de242c02f9ee99

SHA512
b59b0b418415ad4402a31d7bc040f01cf22d341396a126fc539bedad57d7084890a8aba6c9cdff736a17655ad7948454eb400058c26f932e1cbd3e25a762c7f0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe

Filesize
45KB

MD5
cb5bccc3952eb5ccecdf7aa5436d05eb

SHA1
8424a71de3d418ce24434024bc54aa91c5c31487

SHA256
487f7f9e883ccfceb5f08e54ba968702626172c05877c4253af1ce3c5801e600

SHA512
859b5c3b6260e52417dfb37d78b73363ce95f7e397c3bd48bb582fbafa6b64febcf0a1183ccdf33f7e300bb647365d1238dec29bb5858ade3414b3412f32cf9c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\univ.exe

Filesize
181KB

MD5
0c71024a3287d2bd531a4d1183549a2f

SHA1
2dfa2bd64a35ffb1a9c89b04e4432a0d42f5819e

SHA256
0d0f68336e53cdea8a4ad018b701a47e10ae052c3787553eae64a2a413400a69

SHA512
5dfc9b2d8f209416602e3c3909aa8d4d08d702a954b907e65d08982a512b6285d0c6a8be1023482fb8be37335d2f8d533939c93c658e390d991fb6c4ce7107cb

Download Submit
memory/268-148-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/272-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/348-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/564-333-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1016-277-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1124-1574-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1148-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-1007-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1352-1009-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1352-596-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1352-605-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1352-595-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1360-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-1906-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1552-1791-0x0000000001060000-0x0000000001548000-memory.dmp

Filesize
4.9MB

Download
memory/1600-424-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1668-1714-0x0000000002D70000-0x000000000365B000-memory.dmp

Filesize
8.9MB

Download
memory/1668-1684-0x0000000002970000-0x0000000002D68000-memory.dmp

Filesize
4.0MB

Download
memory/1668-1716-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1668-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-167-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1840-1218-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/1840-200-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-211-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-186-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-214-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/1840-182-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-1191-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-188-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1840-197-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-184-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-191-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-193-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1840-180-0x0000000000080000-0x00000000000C2000-memory.dmp

Filesize
264KB

Download
memory/1848-413-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1912-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-1039-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1924-1909-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1924-111-0x0000000140000000-0x0000000140645400-memory.dmp

Filesize
6.3MB

Download
memory/1964-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-1852-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2012-1848-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2012-1847-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/2032-1608-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2100-1789-0x0000000002040000-0x0000000002528000-memory.dmp

Filesize
4.9MB

Download
memory/2108-92-0x0000000004390000-0x0000000004FB8000-memory.dmp

Filesize
12.2MB

Download
memory/2108-87-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2108-91-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2108-96-0x0000000001EB0000-0x0000000001EEA000-memory.dmp

Filesize
232KB

Download
memory/2152-1512-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2152-1543-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2152-1505-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2152-1510-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2152-1511-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2152-1521-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2228-210-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2272-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-432-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-2-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2356-0-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2356-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2356-176-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2356-201-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2380-171-0x00000000003E0000-0x0000000000462000-memory.dmp

Filesize
520KB

Download
memory/2380-178-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2380-170-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-192-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-175-0x00000000005E0000-0x0000000000650000-memory.dmp

Filesize
448KB

Download
memory/2380-177-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/2388-425-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-66-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2560-1670-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-447-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download
memory/2572-1067-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-1006-0x0000000000750000-0x0000000000778000-memory.dmp

Filesize
160KB

Download
memory/2572-448-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-468-0x0000000000F80000-0x0000000000FC0000-memory.dmp

Filesize
256KB

Download
memory/2572-446-0x00000000010E0000-0x00000000010E8000-memory.dmp

Filesize
32KB

Download
memory/2600-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2616-1143-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-1148-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-1144-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/2616-1154-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/2616-1155-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/2616-1180-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-433-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-1201-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-1195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-1802-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-1835-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2740-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-450-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-1533-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2912-1534-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-1523-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-1524-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2912-1522-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/2912-1552-0x000000006EDE0000-0x000000006F38B000-memory.dmp

Filesize
5.7MB

Download
memory/2964-266-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2968-133-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3040-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download