umbral | dbe3ee56b5cc22b5309005a8624b7cc24f5f7260e9bc38d8d223875f2fb81ba4

Analysis

max time kernel
314s
max time network
898s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sultan cracked.exe
Size

2.0MB
MD5

000142d2c4961a9715157529ee679f27
SHA1

e12ef916e551260a295cad737602c897781cc656
SHA256

dbe3ee56b5cc22b5309005a8624b7cc24f5f7260e9bc38d8d223875f2fb81ba4
SHA512

b76fbacdc4bc8172c948d2d68b2506e4c69b43d4462765dbdab37cbc773c081132b555ed072e39e5a5666f734d62374512d9ae4a0660bc90c8e7db0218bba0dc
SSDEEP

24576:Vof3ZI06UZjoiAuB2Tu6kbRTYnnk2FbMNyBo4kx929bL3Hnx1I88:a/Zsxu0zq5QnJB+kn3HnxW

Score

10^/10

umbral defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1335254124253413517/uwBpTlieTdiOYJaHRQIeu3mJguPts6lG5cFLgccyNKTxKFm8dcpNOpkj0n1uwUr2-9OZ

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001944d-14.dat	family_umbral
behavioral1/memory/2928-40-0x0000000000FF0000-0x0000000001030000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Downloads MZ/PE file 4 IoCs

flow	pid	Process
327	1940	BlueStacksInstaller.exe
356	1848	BlueStacksInstaller.exe
212	2912	chrome.exe
311	3936	BlueStacksInstaller.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7780	netsh.exe
7740	netsh.exe
7708	netsh.exe
7652	netsh.exe

Executes dropped EXE 63 IoCs

pid	Process
2392	ERNS X!TERS.exe
2928	svchost.exe
476	Process not Found
2744	alg.exe
2748	aspnet_state.exe
2624	mscorsvw.exe
852	mscorsvw.exe
1796	mscorsvw.exe
1656	mscorsvw.exe
2940	ehRecvr.exe
576	ehsched.exe
1296	elevation_service.exe
1632	IEEtwCollector.exe
1308	GROOVE.EXE
1720	maintenanceservice.exe
3028	msdtc.exe
1116	msiexec.exe
376	OSE.EXE
1624	perfhost.exe
1580	locator.exe
3020	snmptrap.exe
1704	vds.exe
1692	vssvc.exe
2992	wbengine.exe
1564	WmiApSrv.exe
2496	wmpnetwk.exe
352	SearchIndexer.exe
1268	mscorsvw.exe
3056	mscorsvw.exe
2300	mscorsvw.exe
536	mscorsvw.exe
2864	mscorsvw.exe
776	mscorsvw.exe
3008	mscorsvw.exe
1112	mscorsvw.exe
2084	mscorsvw.exe
2704	mscorsvw.exe
2712	mscorsvw.exe
1920	mscorsvw.exe
2300	mscorsvw.exe
2588	mscorsvw.exe
2180	mscorsvw.exe
556	mscorsvw.exe
2028	mscorsvw.exe
2344	mscorsvw.exe
3008	mscorsvw.exe
2324	mscorsvw.exe
1524	mscorsvw.exe
1924	mscorsvw.exe
1920	mscorsvw.exe
2448	mscorsvw.exe
2312	mscorsvw.exe
3292	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
3936	BlueStacksInstaller.exe
3784	HD-CheckCpu.exe
2196	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
1940	BlueStacksInstaller.exe
4020	HD-CheckCpu.exe
1988	BlueStacksMicroInstaller5.14.22.1003_native_.exe
1848	BlueStacksInstaller.exe
3600	HD-CheckCpu.exe
4068	HD-CheckCpu.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe

Loads dropped DLL 64 IoCs

pid	Process
3012	sultan cracked.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1116	msiexec.exe
1788	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
748	Process not Found
3292	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
3292	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
3292	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
3292	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
2196	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
2196	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
2196	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
2196	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
1988	BlueStacksMicroInstaller5.14.22.1003_native_.exe
1988	BlueStacksMicroInstaller5.14.22.1003_native_.exe
1988	BlueStacksMicroInstaller5.14.22.1003_native_.exe
1988	BlueStacksMicroInstaller5.14.22.1003_native_.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe
3252	BSX-Setup-5.14.22.1003_nxt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ip-api.com

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f63292cb7c3b6b19.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	GROOVE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	alg.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\locator.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\System32\vds.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\checkBox\checked_normal.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\back.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Search\History_ButtonDelete_normal.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Optional\Icon_Help_Hover.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\msvcp140_2.dll	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libball_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\bn.pak	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qt_sk.qm	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\7z.exe	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\services_discovery\libmediadirs_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter\libcache_block_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File created	C:\Program Files (x86)\BlueStacks X\image\Search\mini_cloud.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-c-s3.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\resources\qtwebengine_resources.pak	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libchain_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_output\libdirect3d11_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\BlueStacks X\Cloud Game.exe	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-cpp-sdk-core.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\misc\libaddonsfsstorage_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_output\libwingdi_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\CloudMode\Icon_instantly.svg	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\CS_hover.svg	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\resources\qtwebengine_resources_100p.pak	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libstereo_widen_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	ERNS X!TERS.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File created	C:\Program Files (x86)\BlueStacks X\image\account\Choose_img1.png	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\help.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\language\ru.qm	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\styles\qwindowsvistastyle.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	GROOVE.EXE
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\locales\sk.pak	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\mediaservice\wmfengine.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	GROOVE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	GROOVE.EXE
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\am.pak	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qt_uk.qm	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-cpp-sdk-s3.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File created	C:\Program Files (x86)\BlueStacks X\image\now.gg.svg	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\www\localization\index.js	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\access\libshm_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\lua\liblua_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libchain_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\liboldmovie_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\printsupport\windowsprintersupport.dll	BSX-Setup-5.14.22.1003_nxt.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\pre_enable.svg	BSX-Setup-5.14.22.1003_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libfps_plugin.dll	BSX-Setup-5.14.22.1003_nxt.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\ehRecvr.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	GROOVE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\ACTIVADA.wav	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	GROOVE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	GROOVE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	alg.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\0704.wav	ERNS X!TERS.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	GROOVE.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ERNS X!TERS.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	GROOVE.EXE
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacksMicroInstaller5.14.22.1003_native_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BSX-Setup-5.14.22.1003_nxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\recdisc.exe,-2000 = "Create a System Repair Disc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{13678887-0611-48B7-AAE4-FBB48F58BDDD}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010c629e36f9ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	ehRec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\XpsRchVw.exe,-103 = "View, digitally sign, and set permissions for XPS documents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)."	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	ehRec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king."	SearchProtocolHost.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command\ = "\"C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe\" -open \"%1\""	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\URL Protocol	BSX-Setup-5.14.22.1003_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon\ = "C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe,0"	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\	BSX-Setup-5.14.22.1003_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\	BSX-Setup-5.14.22.1003_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX	BSX-Setup-5.14.22.1003_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\ = "URL:BlueStacksX Protocol Handler"	BSX-Setup-5.14.22.1003_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell	BSX-Setup-5.14.22.1003_nxt.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ERNS X!TERS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ERNS X!TERS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	BlueStacksInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacksInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ERNS X!TERS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
1688	ehRec.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2392	ERNS X!TERS.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	ERNS X!TERS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2392	ERNS X!TERS.exe
Token: SeShutdownPrivilege	1796	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeDebugPrivilege	2928	svchost.exe
Token: 33	3036	EhTray.exe
Token: SeIncBasePriorityPrivilege	3036	EhTray.exe
Token: SeDebugPrivilege	1688	ehRec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	1796	mscorsvw.exe
Token: 33	3036	EhTray.exe
Token: SeIncBasePriorityPrivilege	3036	EhTray.exe
Token: SeBackupPrivilege	1692	vssvc.exe
Token: SeRestorePrivilege	1692	vssvc.exe
Token: SeAuditPrivilege	1692	vssvc.exe
Token: SeBackupPrivilege	2992	wbengine.exe
Token: SeRestorePrivilege	2992	wbengine.exe
Token: SeSecurityPrivilege	2992	wbengine.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	1656	mscorsvw.exe
Token: SeShutdownPrivilege	1796	mscorsvw.exe
Token: SeShutdownPrivilege	1796	mscorsvw.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3036	EhTray.exe
3036	EhTray.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3036	EhTray.exe
3036	EhTray.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2392	ERNS X!TERS.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
324	SearchProtocolHost.exe
7952	SearchProtocolHost.exe
7952	SearchProtocolHost.exe
7952	SearchProtocolHost.exe
7952	SearchProtocolHost.exe
7952	SearchProtocolHost.exe
7952	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2392	3012	sultan cracked.exe	30
PID 3012 wrote to memory of 2392	3012	sultan cracked.exe	30
PID 3012 wrote to memory of 2392	3012	sultan cracked.exe	30
PID 3012 wrote to memory of 2928	3012	sultan cracked.exe	31
PID 3012 wrote to memory of 2928	3012	sultan cracked.exe	31
PID 3012 wrote to memory of 2928	3012	sultan cracked.exe	31
PID 2928 wrote to memory of 2460	2928	svchost.exe	50
PID 2928 wrote to memory of 2460	2928	svchost.exe	50
PID 2928 wrote to memory of 2460	2928	svchost.exe	50
PID 2392 wrote to memory of 2508	2392	ERNS X!TERS.exe	56
PID 2392 wrote to memory of 2508	2392	ERNS X!TERS.exe	56
PID 2392 wrote to memory of 2508	2392	ERNS X!TERS.exe	56
PID 2508 wrote to memory of 1720	2508	cmd.exe	57
PID 2508 wrote to memory of 1720	2508	cmd.exe	57
PID 2508 wrote to memory of 1720	2508	cmd.exe	57
PID 2508 wrote to memory of 1968	2508	cmd.exe	58
PID 2508 wrote to memory of 1968	2508	cmd.exe	58
PID 2508 wrote to memory of 1968	2508	cmd.exe	58
PID 2508 wrote to memory of 2504	2508	cmd.exe	59
PID 2508 wrote to memory of 2504	2508	cmd.exe	59
PID 2508 wrote to memory of 2504	2508	cmd.exe	59
PID 1796 wrote to memory of 1268	1796	mscorsvw.exe	67
PID 1796 wrote to memory of 1268	1796	mscorsvw.exe	67
PID 1796 wrote to memory of 1268	1796	mscorsvw.exe	67
PID 1796 wrote to memory of 1268	1796	mscorsvw.exe	67
PID 352 wrote to memory of 324	352	SearchIndexer.exe	68
PID 352 wrote to memory of 324	352	SearchIndexer.exe	68
PID 352 wrote to memory of 324	352	SearchIndexer.exe	68
PID 352 wrote to memory of 1712	352	SearchIndexer.exe	69
PID 352 wrote to memory of 1712	352	SearchIndexer.exe	69
PID 352 wrote to memory of 1712	352	SearchIndexer.exe	69
PID 1796 wrote to memory of 3056	1796	mscorsvw.exe	70
PID 1796 wrote to memory of 3056	1796	mscorsvw.exe	70
PID 1796 wrote to memory of 3056	1796	mscorsvw.exe	70
PID 1796 wrote to memory of 3056	1796	mscorsvw.exe	70
PID 1796 wrote to memory of 2300	1796	mscorsvw.exe	82
PID 1796 wrote to memory of 2300	1796	mscorsvw.exe	82
PID 1796 wrote to memory of 2300	1796	mscorsvw.exe	82
PID 1796 wrote to memory of 2300	1796	mscorsvw.exe	82
PID 1796 wrote to memory of 536	1796	mscorsvw.exe	72
PID 1796 wrote to memory of 536	1796	mscorsvw.exe	72
PID 1796 wrote to memory of 536	1796	mscorsvw.exe	72
PID 1796 wrote to memory of 536	1796	mscorsvw.exe	72
PID 1796 wrote to memory of 2864	1796	mscorsvw.exe	73
PID 1796 wrote to memory of 2864	1796	mscorsvw.exe	73
PID 1796 wrote to memory of 2864	1796	mscorsvw.exe	73
PID 1796 wrote to memory of 2864	1796	mscorsvw.exe	73
PID 1796 wrote to memory of 776	1796	mscorsvw.exe	74
PID 1796 wrote to memory of 776	1796	mscorsvw.exe	74
PID 1796 wrote to memory of 776	1796	mscorsvw.exe	74
PID 1796 wrote to memory of 776	1796	mscorsvw.exe	74
PID 1796 wrote to memory of 3008	1796	mscorsvw.exe	88
PID 1796 wrote to memory of 3008	1796	mscorsvw.exe	88
PID 1796 wrote to memory of 3008	1796	mscorsvw.exe	88
PID 1796 wrote to memory of 3008	1796	mscorsvw.exe	88
PID 1796 wrote to memory of 1112	1796	mscorsvw.exe	76
PID 1796 wrote to memory of 1112	1796	mscorsvw.exe	76
PID 1796 wrote to memory of 1112	1796	mscorsvw.exe	76
PID 1796 wrote to memory of 1112	1796	mscorsvw.exe	76
PID 1796 wrote to memory of 2084	1796	mscorsvw.exe	77
PID 1796 wrote to memory of 2084	1796	mscorsvw.exe	77
PID 1796 wrote to memory of 2084	1796	mscorsvw.exe	77
PID 1796 wrote to memory of 2084	1796	mscorsvw.exe	77
PID 1796 wrote to memory of 2704	1796	mscorsvw.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe
"C:\Users\Admin\AppData\Local\Temp\sultan cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe
  "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe" MD5
      4⤵
      PID:1720
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:1968
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2504
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2624

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 238 -NGENProcess 1ec -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1d4 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 24c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 270 -NGENProcess 1d4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 25c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 270 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 250 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 284 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 280 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 23c -NGENProcess 28c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 244 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 294 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 26c -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 290 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 284 -NGENProcess 280 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 298 -NGENProcess 2a4 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 280 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e4 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:6400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 234 -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 228 -NGENProcess 1d0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c0 -NGENProcess 288 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  PID:4144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 294 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:3272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 27c -NGENProcess 288 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:4216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:4100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:4352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:4416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 288 -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:4548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2b8 -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:4616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 29c -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:4744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:4808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:4672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:5920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2b0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:5604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:5076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:6816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:3860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:5420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:3612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:7980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:7888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:7736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 28c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:4004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 28c -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:7504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:7136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:4112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 294 -NGENProcess 2e0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:4628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2e0 -NGENProcess 284 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:6120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 308 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:6252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 300 -NGENProcess 294 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:6324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2f8 -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:6360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2f8 -NGENProcess 294 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:6368

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:576

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1632

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1308

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:324
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:1712
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:3776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  PID:7872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feec279758,0x7feec279768,0x7feec279778
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:2
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:2
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1516 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=284 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2308 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2612 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1672 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3820 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1764 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4088 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4184 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4160 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4184 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1068 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4212 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1344,i,5171715688489940943,18074952191054259741,131072 /prefetch:8
  2⤵
  PID:576
- C:\Users\Admin\Downloads\BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe
  "C:\Users\Admin\Downloads\BlueStacksInstaller_5.22.0.2111_native_e86d899ef2879a6016fa9fa0da480f6c_MDs1LDM7MTUsMTsxNSw0OzE1LDU7MTU=.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\BlueStacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\BlueStacksInstaller.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\HD-CheckCpu.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\HD-CheckCpu.exe" --cmd checkHypervEnabled
      4⤵
      Executes dropped EXE
      PID:3784
  - - C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe
      "C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_e86d899ef2879a6016fa9fa0da480f6c.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\BlueStacksInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\BlueStacksInstaller.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\HD-CheckCpu.exe" --cmd checkHypervEnabled
        6⤵
        Executes dropped EXE
        
        PID:4020
      - C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.14.22.1003_native_.exe
        
        "C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.14.22.1003_native_.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\BlueStacksInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\BlueStacksInstaller.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\HD-CheckCpu.exe" --cmd checkHypervEnabled
        8⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\HD-CheckCpu.exe" --cmd checkSSE4
        8⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.14.22.1003_nxt.exe
        
        "C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.14.22.1003_nxt.exe" -s
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\BlueStacks X\green.vbs"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c green.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="BlueStacksWeb"
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="Cloud Game"
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="BlueStacksWeb" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe"
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Cloud Game" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\Cloud Game.exe"
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\BlueStacksSetup\1117256376BlueStacksMicroInstaller5.14.22.1003_native_.exe
        
        "C:\Users\Admin\AppData\Local\BlueStacksSetup\1117256376BlueStacksMicroInstaller5.14.22.1003_native_.exe" -versionMachineID=324dd889-51b0-4a9e-96dd-3a647f52876e -machineID=7739baa1-dfb4-4805-8e09-fc1ec1cb3f04 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bs5 -bsxVersion=10.5.22.1006
        8⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\Bootstrapper.exe" -versionMachineID=324dd889-51b0-4a9e-96dd-3a647f52876e -machineID=7739baa1-dfb4-4805-8e09-fc1ec1cb3f04 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bs5 -bsxVersion=10.5.22.1006
        9⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\BlueStacksInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\BlueStacksInstaller.exe" -versionMachineID="324dd889-51b0-4a9e-96dd-3a647f52876e" -machineID="7739baa1-dfb4-4805-8e09-fc1ec1cb3f04" -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName="Nougat32" -imageToLaunch="Nougat32" -appToLaunch="bs5" -bsxVersion="10.5.22.1006" -parentpath="C:\Users\Admin\AppData\Local\BlueStacksSetup\1117256376BlueStacksMicroInstaller5.14.22.1003_native_.exe"
        10⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\CommonInstallUtils.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\" -aoa
        11⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\QtRedistx64.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\" -aoa
        11⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-ForceGPU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-ForceGPU.exe" 1 "C:\Program Files\BlueStacks_nxt"
        11⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 1 2
        11⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 4 2
        11⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 2 2
        11⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 1 1
        11⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 4 1
        11⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\HD-GLCheck.exe" 2 1
        11⤵
        
        PID:6424
        
        C:\Windows\system32\reg.exe
        
        "reg.exe" EXPORT HKLM\Software\BlueStacks_nxt "C:\Users\Admin\AppData\Local\Temp\3ytanli2.yc0\RegHKLM.txt"
        11⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\7zr.exe" a "C:\Users\Admin\AppData\Local\Temp\Installer.zip" -m0=LZMA:a=1 "C:\Users\Admin\AppData\Local\Temp\3ytanli2.yc0\*"
        11⤵
        
        PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe

Filesize
475KB

MD5
62e4a0fff6c786b95c6ef4808e3e64b8

SHA1
da5be7cf6a5858c8afdffd716c966b561cb17942

SHA256
217a85a670f12953bd4039ab0b89180b46e32b3ebe820877cf587e6bfcef0bbd

SHA512
19e72fbba7ae7aaafbef30658d3e66ccb6200a56dd6ffaeee1d476ddc1d8ea71ea01da2804e98605e819367b53681747f6129d1be332248c49134b909d1ae2ed

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_disabled.svg

Filesize
569B

MD5
e7fdf6a9c8cae1fc1108dc5a803a1905

SHA1
2853f9ff5e63685ebb1449dcf693176b17e4ab60

SHA256
8ee5aa84139b2ea5549f7272523aeb203d73954c5ccdcf6f7407bf1a3469f13e

SHA512
a6388b24926934e20ccf7fcab41bd219dc6c0053428481d7f466bf89f26bf1a36fdff716a9ddd9ab268df73b04dff1449c6bac1f5c707e31ae2ee71c2087e0d9

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_hover.svg

Filesize
653B

MD5
76166804e6ce35e8a0c92917b8abc071

SHA1
8bd38726a11a9633ac937b9c6f205ce5d36348b0

SHA256
1bca2e912184b8168ee8961de68d1d839f4f9827fde6f48ab100fb61e82eff90

SHA512
93c4f1af7e9f89091a207ab308e05ddd4c92406c039f7465d3b8aca7e0cc7a6c922a22e1eee2f5c88db5e89016ef69294b2a0905d7d6a90fd32835bc11929005

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_normal.svg

Filesize
569B

MD5
3221ac69d7facd8aa90ffa15aea991b0

SHA1
e0571f30f4708ec78addc726a743679ca0f05e45

SHA256
92aeae68e9e0973d9e0dc575941f1cb2e24afd0574341a46b870be7384eaa537

SHA512
5e2de0abfe60a4db16ea5e8739260c19962fbfc60869a77bde6ab3547ad8ee3ad88e74e97da31fa23be096afddad018e431d152d6d0fa21a75357a11dacb1328

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_pressed.svg

Filesize
653B

MD5
dfddf8d0788988c3e48fcbfb2a76cd20

SHA1
463bb61f0012289e860c32f1885a3a8f57467f2e

SHA256
9585f41eb6202e89f2087266fa31852d7f41ca8cc659b907c96753fe165f937d

SHA512
e708c5114c60f7574589d6a56c9faedda26ee4a40f0eeb25f5e12eadcf790f24fdbf393fa0aa6ad449b5337d625b092d6f8822472fa8a6ce1339aca59c50c3ca

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
05ce1b42282250663c3aa82acb5eefb7

SHA1
3da561e90965685aa7e5845d3835286b958ab2b4

SHA256
361b6628db9a8933a6c2b749304c9a3939b97a5c970f28f68ef4af36063e9a87

SHA512
ba16ea0a5182d0f7ed0d9ea27a689b7d0834d55458678f81c6cff049bfaaa38a71418f86c580e68a43ffecebe4ab37782174869cf6574cb19f37c4ab908bcda1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
0a19c9d834c6553d77945943d6afe324

SHA1
54376b70f2c94a3bbcc8ca3f0e9d7b7f499e939b

SHA256
8ca282139994a49f15e8b43842aeebd2058cc3a6f53054300eda635a09de0e8e

SHA512
4046a06a314fb329c12105e0f457635879756313c8631e89189a34940bd9c219ae016df7deca904af97f71382efe2f29b409895c5dc4bb31b5afd90b74604571

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c296fce1b15c25ed1f17b518c9e14318

SHA1
8a90575c066c617fd7de0e092979e2932f7e0b4e

SHA256
2157e989e8e779d2bdeb2e4066737918366cd09ff2f0bb0eb3edbf733395ec8e

SHA512
78bdfe6a0948984094ad021b6d56a626efda6e31e87f504bbe7796e00917cfdee61ab6df6111ca35fb09f9513bcf747a423f761b45c0c5855ca1306c3eba822c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
99a3a792b0d01b0e70e3ea028a7c75cd

SHA1
5915ce9e022a83b9145bc9ca07fb23204f9ab493

SHA256
161b1ad5a4b51d10c79ae6d6ed9010342666e913e44898b036c587876fe7c109

SHA512
ecf7c82f686b1dd24778b7977210e801cbc18f280e9e1d64bb567ae48c41ceab48bbea9a6bc764309dd22c02d3218aa26c19f967c572941639e4dd6520dd1837

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e0707a7fc169d2dafee527a575942dd4

SHA1
9934b6f171208092a010f8b5437a9023a50a489e

SHA256
1dad898b201bbca3ba2484872447d1e184522c88178e4da6d9a374920980fb20

SHA512
7c863def97ce71dd123070a2d0b63e9787c0e5671f552eced86fac5fdbb082adbf895d94e88b731e48f9ff2de8d7f03a7ade02113e84577eb50c1a638508b23a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
687385d4600b837a11d00e5b067fb019

SHA1
c374ef259d343d451887a8097ce69c44e916756c

SHA256
7408b13ae54adddf275ce5241e56856452f0855d3f939e7eac87d359d7ead68f

SHA512
f342ae73d0c1a6385e80640bcf5859cea8058ce6492789be96282b5285ddf72cb97b4273c0f150ee8db27103cea1a9717fd50f8f4f2197e1e163db94fd9ed4ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70fe3fcd95ab037cfd364b971888ebeb

SHA1
5ede4974ba5bf991fc99c246ed414ca640633017

SHA256
c1cbbf7a20b439ff4495c2c674c2e79c02e67e7d3a5f64290bf507d390ddba67

SHA512
dc8d2c3eb72e416bec1cf553ae83bc53f44ca44e4662aff1523dd14a08c0fb7d4841f80afa08e5ef074811086d5ea7c1eb29eb07398019d5dd06ae6fefa9a7b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a241a44c6fc14458e0c4e8e0b1df07a3

SHA1
ccbfed50db176b11018980701337f4e5a5183d9f

SHA256
0b79ba7438f1294a1582d1b1373bc2646250623fb1edd761eda0b62b5b22eee3

SHA512
270dbae8595c6d5fa634ba4a447b20ba20286811905e15d605464b32f787e58303112aab31d977d556a316dc9106301bf9cf4a7a500b05830b3c837c626e8168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2107f821525b083bb962079b36420211

SHA1
e0d42aa1b4d7963fb6a3d5485f2793ee6be88880

SHA256
2f0f8b8c942826665bfbf52d0fae30d7ba03eae7a03a3c0e27d9c30080717fa8

SHA512
6c9e4fbdc09f3e8ddc4c5f02fab6f6428acb9c6feda5f38ca22d04560716a32f3ed6c9cd8c28d51fe1dd26e71efabdf2a7279de967d1ef5747ec502be4c74c5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6bd4a3c44be3e3521e5a0216ff26d01

SHA1
37fdff03844a9260fc9927965731997307a732be

SHA256
5a527959d61434d63c9fa91ae398bac681d6608ba772003abf9f9f3290b64b56

SHA512
01e240aeacd82743c411d9dc54c78a2b875525344f54203b121f59c8f36d1869de8302f34db6baac492cb6f78052cc78467a8a20f78a9603057ac76fbdf412b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f4e5337f87c99db9eaa7c43520fdf51

SHA1
c20d9d84d2f37602aa674b5915b04995dbf763e3

SHA256
03a57c245b21f99ddd12b0ed733630dc9fddadac6a92cd15182b7bfa4d92b612

SHA512
11561e28f8617ecc060a725fb08b2138929d360f40766884c39c65629270bab66dc4ee89d158510c1325057ba8d8d52e94bcc531ee48a228c3d5368077cb437f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ad2967e40d16049835c1824534f59f8

SHA1
f3a78799128534a029f6f308b41dd83eb04581cb

SHA256
d34c2bf684e819db55229306aee50978d9ea8a7f883c6232c8367a6ebf084f79

SHA512
84f4bd99f76c6839c8b2cb78c716df9a3b2c4cd3e375d650c228cd889d0e365e403a651f1570f6e173352b3af5151773e9de7370c342a9b346070c11f290afe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a067127c9cf8b278173ff555b841d5e1

SHA1
4b535be94dbc6619f31d8840953eee4f8c4bd7cc

SHA256
d4a72a5ac080194e523ef26973b2a0d66c460c52b533275ec033b128d99f3d16

SHA512
5f4819fbd455579bc17ce5f878d78a4b6a25fa8722d4e76e13bcf81e9bc9c03bc363ee52f8817efdb0d3171929e7617d67c2af66f864cfde0d5b7856e9662b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00082662a2ef725ac62da6dda5509524

SHA1
1c5d7fe9ab119e94b6265d57e41649f2c83bb71b

SHA256
ae0f357064998e6f1c3007192813568f7d45035556ed45bc7c598c19d9a10c0a

SHA512
d23f412e3d646f0aa0fa241a15539a976291ca5fcf99ebf50d9420ddced58ab6f0c1ea8eedec2d7b3a3efa4da9df411eeca468873cf9154d418b183474915bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
702b75bcd28f65c6c266c9e7511804c8

SHA1
dd38954bbbe0d56c837b0e03453b3712e9a298b5

SHA256
8b6817462b303512a5fb0a17a42595499269f5ee8d18c9c20f5ebe2d72057e22

SHA512
9fa07f89d74ef706e1c8593ca34f3f3e40527ae02b2865cfc705711e531fd20e95bc6d79da137137708268d561f4b3a377fdbf1001bee5bea35235c04be4ef3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74fe29a9d44e0e96982c36b0cdcc036f

SHA1
31addbab91979704ed376789a85aa488788abb44

SHA256
802541d45b78bf47568d8631c0d2dcadb355f91e096ec980cd0d822b9ad1d0e5

SHA512
494990999f6bbc2d1dff57de5848185c9077e7f117b1dd0130e467b539f771377c9603be077653b83728bc4281f969ecfb32c11e64a4c12ee058027ecab8a6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c33d55efe4c3ccfca19104625bf72e7

SHA1
84b464412962fcd149faac52a55a0ba78188f410

SHA256
30eb7621e5ede0338d0180defb1ccd30c9f07d220ee23e5575d39bc64dedc483

SHA512
5245a816bebaf4993577dd2f40b85ad8c51f4315c5c0ac1334be05de9a1980a88f696903da64a019e6e095777fd7d6f518ffd65470fe4a0c5d5209279ceaad9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5258329b713b0e88fe870987e72981c7

SHA1
f0d5bfc9ea8a51c7ac3db3fa0246410d17d39acb

SHA256
09e966b1146c4f96e715f891db169bc37dc9d8260fd05a175e5c176c7673aff4

SHA512
14f654e6e53c727d30ef10a25bf1d118225dc53cec1cb5d4bedef410b704796cbfa401ce461f0d2527ddc8920603b3e45589b5393f8f63bb6c8e4d25dccfd9b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cad25185dfb21f19e28f168559b5eae

SHA1
35f2d230b34e374861d6a2d0125d2b93fbb5d167

SHA256
af3183be51e0a608c080d7a5cb5849fe6e29d421f60d112fb55a91cb449c56e8

SHA512
8885356ecef5a66722204d4cc6a4639e0d0c7e85cb8d109b7e3931894ec4e5f51987cb03494c42262df4685168c3d21448e653c48df4ecdef1c3c7e8ce28c64f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0d8133b8d7e8c822246f4648cc98614

SHA1
937e82e3864d4e84d2dad0ae65528ab48870d727

SHA256
0762de2071b1c49c8dc4aee1aa8c3b6385a05a46a11db4acf918f336444934e4

SHA512
3d39a9258df7a9f1350bda9cadea98ba62ac799fe25e182b09244d054c22df09fca98ce73dc753341001376febd3737d1b0c5dcc235d47fbe689ad16c189a539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
788004c6b51ef6307b2476b789158b1b

SHA1
22d3c0fef69cd18859ac299811f6e36aa80a8d3c

SHA256
c3a14897edb8ed382cefb0be3b85959559be45fdc25a6e513d0add986b8a2747

SHA512
83ff2df0b1a46d3277354f3a508cb12562ec84a16288fa865b9dcd14a1decaf247f486af949901ae9b2d69976f125e44c9d17a68cc13a81805fb5fed2daabe93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e08080af8d6b2d515d93b71af952d7c5

SHA1
4039a72020385c5d15f6b88ebc144a3e0a0dab26

SHA256
196fff95d013e88cab419e25d2b8fe492867218302c7a9681ec6d4f4f263089a

SHA512
8bb33283e2e8ccf63cfe05400a663c3d9633411f4aab560c498e9f636dc6f0bee2c024d9777f69b1a04e7fb11b11ecc388eb44ceca46e496b2b1e84a3978644b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e00411f51825d6313094d68dc25261cc

SHA1
f00b2fb152c3cafa4d9fb02c7d5a080f6565188b

SHA256
aab0db4a8dce385a211185643d9b4cef198ee868e5fa1e06282fe1ef75b18f73

SHA512
777ca8380943573a2fb51903a0eb5f2dea47fba0aca442c937c00c827600c87291321f7a9c31a4321bee9b428edeefd844f3a728a6bb23343f1a00bd51e987e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2289caa660ba32d31f3e4ad29d37f172

SHA1
57e215eb4801beda674d734e93609a410d006c3f

SHA256
d944893242c5eeb257099de29925cf588cc5a2f9844a1fed65b846b5f4e271b4

SHA512
287999a4c11b8dd1b61bb7a1c76d2621dd884ef996de59c7ff5fc8ff2b491870b73cce3c3f2b3d9a81509c971979c5229e3965cb8ffc78de9a56f735623cb93c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9965f76a4170b1bd78252329b9ab05f0

SHA1
da2d00fac182012adeefb00e856982d051cc37ad

SHA256
e2deb6a3afd9466a362e653ee489193984c7521a44f1a391ba055babc4e6fcc2

SHA512
398c4d7a3be06c87f39044ab9f79294fb17301589e803d54d71ea27886bfcd6421f82bd3f340317b21c9623c0d4f1cb521e3f8ae31da5032428053f0b6a92705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9f7ecfe03c354a5692611551d967d52

SHA1
fb18e1d487d3a25bf071137382b0bd37b77a3f55

SHA256
e297000c91a9745d3c72b24e236f228845b0889a36bc1a017cfb465c8b16e15d

SHA512
f691f5733fdc592f29e8304b43089f4aa33897425fd0dcab8427fc478be60d418f04f170d1164313ac6c249ec4a60028c60878b0e1196396acddf422b275867a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b865ed400f82bc6b73b4a2c56388bac

SHA1
8f939bc01d70a44038b61af0857cfb5dae5a85d8

SHA256
b5a72697c89db594a3a22417e4fca53d97c1b7f8dae98eaf271126e4d9b32555

SHA512
3dfb9ce70fd7ccbd675d9fa6e36d1d1ebaf2cbf0d6733c7682199df7eabd7a26731eb0dd4584a267ea9434e8a5fbb13d0e53f9dd81d3d5516395d6005178121a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
757f5e9274784ff87858fe4efba14dcf

SHA1
4f9a97ffd352ede11bb9902b88be721e6a0afb38

SHA256
e96ded2af165651be13bc00c89dca53e5e904d10079f9248f2153cbe4a5cc875

SHA512
a01167d4391b174174304df0885b59f95cae2b6cfb28d8dd623e6a3d3c5c9154ed1ec40e06bba552175953bd7bf7a285719e5463f07332381d6a6faab2fd2ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0af2c04d7b92b15df9be06bf5eb29b5

SHA1
b8f0fa1cfb9da57c2be1466d0057d9275728f318

SHA256
5d3c6b45297f94a66b1e2e6ec929b690847b6142a6d97fb41e831b04ea000a06

SHA512
38b7d26d71e327bf5ae3a7e4c135feb8de9b6480c7f2d1a0cde353bf3ff96f9908f64c2b3f287ba19fa96144be382d84aa671beaa66822f3e64f5d119b4e0aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0a8b0a5762fc9daaa935ef824d5b680

SHA1
531077319e876bf9d87d55997bdb7fadb0a25694

SHA256
ea449f9e2aa97a66258827c342bf255646eb7ac2dccc24549ac368f0470ad819

SHA512
9271ebbacd7e3a42c2ce89e7c1db94b68b090b7f20180915363f088dd94be8e89b85ee451dbbc9f6f4dc7ef5628f39260a759c7320fa8d6343818917421ae274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df70d3a448ede6d41d98d223e8e5f7e0

SHA1
e92af9f0d3d2c4652f0e4a145ebfe22d68ddc9fa

SHA256
cac9bc0f9bf142b20d1b95409b07849912bcf12ad589edb279d1b6ed3cbbcc54

SHA512
22ed0284a5e30307b2d89cde8ba9ac3335c407272b7a04580cb74147fd59bf785143f47589ebf5ad1b3b397704f820ffa3fab680573cefc91e09bc129b6291cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
656d6b80bd4105ad325ffcff759db3db

SHA1
90942806e0c44ab584daaaa1cf29430540bdc6b9

SHA256
d2936b8f71f5fd3235127e3d2d284f9a03a82b2e2cb7145b3b8c8dca0aae2049

SHA512
4b1bf0c95f81f66bed2e4d6fe9a4fc32ee2d6c7ea124104f7a85d2390a6b53ee9c664a23677d59a35fab11f6ddbac9784b3f9475598b10a54a52cbdd99c47916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
884751955b426f21a039d3df0d6dcd89

SHA1
2ba9478405e008694d3e10ef1f425751744d8d65

SHA256
1e1c8250249fb75282164d0742f0c53109b8e0859ff9c98e53b6f68a6fa665cb

SHA512
69ba64bcc5641961cf7cf5244be2518799c83e6b642c1e1bd6513a9e20ddecbf55108df35900468a251e3fe5d11ee595063810305f5558cdac745031f83a11cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d677026517d37677e8ced514a1d21e9

SHA1
af4530b9a10072ff13b8f946791489aa9f2fd51e

SHA256
2b2b6cf0801cfde5c0f66e60ca5243110ea896c3c0f6403b591eb6f311155183

SHA512
5e46a1bd8f5e930c2ced5a8d1b0af64a9fa3320269b3c3cb2caf7c3ffbdb3cbd2fad56b019d3ee4e4d68f38aeb4d9d11669c70e702f687ffbf5fb7df339db176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
007db4e43a43545f5771e26760c8acd5

SHA1
ed8642f5cbf6dc83cc1460d9aa87bdaa6fed1ed2

SHA256
e520cfe3b2482d71ea68ec688d3ededc00270a9987d4d25fce1e173abefa0502

SHA512
c3db8a58400c638c5834d563bca611bae02b0d20d2c854d4c8fa1b2036675ca33a7044334ddb54957eaa038c017a03f64e185b9ad4e0a8fdc7fa95dd4cb7fd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ceb8baf30409aceae80a09bac0e7b34b

SHA1
a0e5a3871f711e5bfee28ef4a790563b026a2755

SHA256
7f23abf0f998f4b36d31e1ad23a08b664530f03b8f5e137577abf793658d7000

SHA512
f2e648391a5d3301a5eff6dd1712d3253e2e070a02642902827d244730ffbd180e5fd76b572a709cd806bab92e5675497294cd9421dd38142bef0b413f5e9e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb26e9e25b0d96e4df1949e659826179

SHA1
2394e8a2459075e8bbac20fb76e2da5efd6d77a1

SHA256
14bb8e8f7a23e9e6e8a666981069f4a488e37d81d58bcc8d35d7574c8a9fcdbc

SHA512
c1d8c7724dd01347f4bb17a3c6a8972d567ae51718620c586e83031b3a35d33ae10fb8625dcf9a051cc477c0f87c0fc690606b68c30abd4017492ae8e043ab9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
533e2375b5cb47656d01fe37b4a95930

SHA1
4bff86b791182a54c67a2f1c60fbdd5d4b62e917

SHA256
3613af2d1094f86d0cea6bcdf2a0fcd47e5114d46a9ad821c35d8ea9c88e9909

SHA512
69689c209abf88006690e7f6b160674d0b94a47338e9f2041b72a5f5d5a6beaf1049b6d818f97ad8eabbe51ef86aa3c74d023d5316cbe8c88cbdba6131509146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04beaa4d7d239b0ee624d0f614b785ad

SHA1
c459c436489ebbb5dcd906933a83fa64dc35a65c

SHA256
10594082501142f9956a4a42e186ba3c5102fd746e4163407a891da12fda0294

SHA512
d890c04d4dee24bc7950c44e889763e659d8d9ca504850f8f69e0764eb642b0725bf52af591385d0dc41563e0d895927680cfde058e037743a9fa97e46317731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b507ea96acbf628acb8bfaf3f170e67d

SHA1
55c7263b964e8207a4402110cfd0786873d9801d

SHA256
9d852924bdd0d1ab474acf47e424ecae5a5ccab7e0d40d7108179323bdb490cb

SHA512
b12616c9bf571a0e09517e1b42c242ac6ef39cfa493d855ec3ceb83c6e06aed24a16717a3370abab54974e4d5c08f4bb582714896371661b8e193f90ba5007b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3e97022b90815654fc95ffe68755c75

SHA1
7e580f8bbebe7e9ce4debc82a6960b78737137fb

SHA256
65cd9fb89a41eb932a8df94c04d6dc84821f287a5714fb5f0c426a0112192531

SHA512
49dd0de179fca3354d983a71b91b4927d75bfd945ecfc5f893749446abacc924e8db4fc527dc8277fc09ba43128eae7de00736aebc10a16900bbcfa0d2e3666d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db17e8292b5ee887a2194089d93a6fcb

SHA1
5e3f78e9e4f0b57c16943da5fc539abf20c7f5f9

SHA256
04b0ca6ebe5910eac76d8d03536e8773cf7e78cc31371a124e71d98d83a525a7

SHA512
289f078ebaa259f726a941eca301192c2ae8fc4c3fd1ecf842d3b19d7eb89b088d1b717f67c396b16c7f5675361fbf28be63358c9ca5f964938f7a100ecc484e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea9c3d7202a348b6f33c3074674ee2db

SHA1
4b54ef18cb08e6a61a27ec1c6b6cd2a23a32bddf

SHA256
80c18739eb5d74ec50a7a8f09a81e376fff9626b1aa8fd7ca090de19968dac8e

SHA512
60f5761ec460a8775ccd040494b8d9b5e9ba763c41b6b21931ee954b100098d1316bc666f57a65577d12b3ce653d384a8bc7b48fad4c1faf0b57603b642e6253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28c7b14b92ef52d745eba780b52bfe10

SHA1
e8ccbb16feb9de0469f2c4fe23818e5f65847a18

SHA256
fd55875210dac971a00fe44b2d48c7b32ae7657adb83d0d5e37759d140231dc4

SHA512
5b3621f07c29c9be6ec089eafcedd0fe2491dc16d3a80ac56d5fdb582c63486bb052d71926b253ce8cad281fb6b07c2e974916ceee673f98a516c74815a98f60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0bcf11c1aece51d0d40ae33e91f13abd

SHA1
e050a0c3bb2c237fadae5ee075faf51b0e7c0d1a

SHA256
1cc0ba26d0cd17a5bf1221b528249a67659c5f94c76838fa834c7d2e9cffa744

SHA512
53cb0ffa3c6c9fd0fd5a21ac9a7e57dbc8f2683f3ba7f61195e9210b24a82c2d524485bf431107c205bf6d2bfbf0153ddda3be058c3e4131123564d9879d8c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7053a8de8055712d12a1e355b611fbd6

SHA1
43e16fd2e36443f3a873329e7b82d0810716d083

SHA256
3f11f1f2b72ee75898e35971e64718ab564427dbb3528cf50a366003d6f2315a

SHA512
7a5f7d9611562cce3f85a87d8d7eb5107fe514f1515c4d40789af13616432997fc17bbc8fcb56d460418e611dfa3b35c35dc19a31b5defd11b0d90648325ad75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f198d398186d6771470c3ac3f5d68382

SHA1
b83aef304a1a5eca58871dc77c36243a73cb78b2

SHA256
658960536640c8962428d8cd5b9d36cc0943567a0c22d450ccb1e1a7c8a32e00

SHA512
7cf08ba546109cdd25b53df673f05dfba36919300740d5619dd0562339dbc69dfde3f007c0e3af30587f3d1ba6f21c8e90d22ce5fdcb363d69ba87d0bdbe6a8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24632b5d551095cfdbf854f5c3aab736

SHA1
cb894c9fcfd155fc5eb8a7857bf9a6fc134aadf5

SHA256
9d5ecf4cf5205aed9ee67b2fb01df4a0b4c844f5ab84dbdf7b09f83ce74dd453

SHA512
eef5634f3836eaa5bebdcc01298a65a95f0cdd0ea0f96365f58ca0a17a5db94df8712a81f01a626da7f3b955cb04d796858d0cffd938a638aadaeedf5f650660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ceeb9c64837feaef29dc1c0013a05af

SHA1
45a98ba7287aa3d1b0ad3bd7e6e43ec0faf8fd26

SHA256
17914bb980ba8105aaa2ca6d7769ebc5896f449035690706505aa823921e9bab

SHA512
b27727a9e1c0cbc66cb0deb30ec302aa0e89d5814c62f85fea2ea279cd9497613e8215db813fc5dac7771ea863550dd103f57c03eefc815cf6dc6c3c98b48976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ce108a447632b9805e4b67b2dcc6026

SHA1
13500aef4d50932e1b6ad9641f85b652c12d7e13

SHA256
b2aed2647246f95a3558ab1c21cbbceb709e5b5c8474cc09eed6bfdb62bc25ac

SHA512
d531e088682ad309986a9abd979a42e319ef6c3ad7a062a6c7e337f0726a2a86d906fff8c917f7ba25e7b29bfc0d62a166ba522339d3e69b8bea9d884be2072b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35c12543472014dd53f5bf313343d911

SHA1
209cd0a7775a8f390d60c606ffdc495978ce826e

SHA256
c4f1dab58837ec637234c63d8dce69f7b6aafcd3ec48d675d35d6187d00f3d26

SHA512
70afe8fdf091435ce51e573c42d188b86bfbe04bee5733d3e8e75e1f47634459d87e5f68a6c957c85c5d9fa0687dc06451fb8bea300e41816ea3bab886c05214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aae4ec85245ea6840615874ab64ce6be

SHA1
24d9296ac14a8237bc53c48229e5ccaa380b1708

SHA256
e40e5c9ee52ba5e78e98fa67205726a38e8c2332899ec98bc4b5455ec06c48b9

SHA512
3789f1d47112cc18ebeb633b0b827d7bc0c42705191435d63a992205e53787b8bac0b7bdbf5827e90bfe6be8c69ff25eb1206e9e4ec0ddd76513658c202f3f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82b5d305f2fed5d86f4b30094468dee1

SHA1
89ad085e1eecd3781509763b02e67a0d09ff890f

SHA256
ffaea6ce72822d4e9692a33d8668dc858a79e274c41538802b79cc8782432260

SHA512
62b23d8bfb8c9321ec4f5800b5da2f3b7f0e13d7f24c8219d9ee5f7ba9e5943eb7273dd101fcef3489a5f857ddc1a8de13281f396f1fb345cc774eec80291839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd1da74307990d983a780428a245148b

SHA1
07e31452b4e9b033dd328ac829056867d267b160

SHA256
08caec30f34fa3063e856951317f48dd708dfda56365cc3af520ac22b63ebec1

SHA512
9d71e3abdc8e6086246d05b564b11165a867c9955dc281551dd88cd6559693d333820b462b78218191e79e38c7b38ed81157f45f876cae3c7e68605e110ea9fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9acd5d18f9601e40d610b62415944d4e

SHA1
7bf65a0437064e45562c4e43b0bad9a0cc95e123

SHA256
016e08b11ebf4f615514eaf6eb5feded9bc67aca9e806732417396647af7237a

SHA512
1242e0491f30920a778bc2788437c42795c210d0661e446854a8b1bc348fe72c4d8073a27eef3fd2e4aa23f1a6422143709cc91a4715f1e290439c8fa8d1895d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d5fb08e83bbb113bf88d412326c7786

SHA1
7cbeb2c494a46da03aeafe4bec923be2873a381f

SHA256
bb3083002255a6b7eb00da8b66700038a8006ec4ee9f7e3a76f2f1b7be17b939

SHA512
6832d0320dbe0554aecd7729a902dadfc4a3808544605fd298a5129f65175c9045e7846eba8f44eae840dcaa088ca5061ff62bedf9ace841395053ea3129568c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ee47a4fb241b9c235465023c361fc063

SHA1
ddab5e5e05b57b9a79fc7fe173c7a534df04bd00

SHA256
7dc5313ea63314c8bb02ab21f9cb7158da1340f38216c2de1c146b7e69c59057

SHA512
497a779c14f8414de3bae89893e8a18a23ac4f789d94714f4c11dc09294e682c95fc274c8ccd7d19586fb0ea448255dd9e0b0bec769e24aa19b0bcb0d964450f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\97b9a950-7b4f-42a4-a1ad-b42985b5885f.tmp

Filesize
7KB

MD5
686e0e298aedc6a111676e1605be1aa9

SHA1
b8b550c0c875cb10f695251c343c4f91216950a9

SHA256
89cd5b8a8806de5564d1e55328575b1a97a851bc928d95a26fa2725137f3ef9a

SHA512
c3f9195709213461452d1df7570daee598df54d8a7442e5f8742b320819772f12cde2088ccda73eec9b422cd8730bc5154b1484a07e2f71ceea4ba13171e9e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
918KB

MD5
b44da0efa069ec5b8264e9a374e33482

SHA1
9ed179e9d4c5630bbbcbb8056cc210adc19d84f6

SHA256
9946eef6de28d831cabfdce87581621fef2df433d0ec3b8b74718a38f63f0212

SHA512
6ae17ad82920edd71a469b90986306207a5657765f19578bceeb8d4013c3b34523d41a382a65e037bcd4af8cc128533dae222b92cf2cccb1f118f538e01457af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf783ee4.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4e4421b8-68b6-4058-84db-153beaf9c445.tmp

Filesize
5KB

MD5
1537744dd6c42f0e319940f2b0e11307

SHA1
51e9811243a9453121a97de5aa62e9506652895e

SHA256
5091796fdb429ad004f10288cc85e808ef3568f650a957e7c9aeaf1c47f86364

SHA512
79d76affee3702ee7c9c8cf94a6413bfa12d9d9eb318a3234cddaf904e65e3d409ff7f00c3da179733bf6443c5cb702031078f9510c0d657ac84214aeeebafad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0ffd7dc03449206606a57f08f08d9c44

SHA1
b79d99d79304a2bfce547b8e585594e808b6d0d3

SHA256
16ad6e21c7f08435b673db445835ff1549b48d67ab904b8413da5d20cc0b4446

SHA512
520e228368e78adf39c1fb14183ab37f4bf710b8788575d8883cc471a7f9ccddded456cd487b68147f8136c8833fea6af9641884232097fad3e98717112dac1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
a315fef4c458758ee17ef26099bc7f32

SHA1
94f7367659578775e9b9ae3c3b442addfe2d806b

SHA256
bdb374eb5ad9d55911dcb5b3d14c310245a704d18b495eb38092b21701dfed9e

SHA512
f81bf23f1a426608e06511eb6c93f8e34f80f0158f336b783f0d4b7810c4814d47cc2e64814f63dffd0f2a190de8b5540a3a220e768de27b7f1c9bc20dbb7673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
784f5cbfb21944fb96aa10d7b04527e5

SHA1
7be6ca925924f1411b0afb7c16ab363d7783a63a

SHA256
48dd778be64f7787b7c704db6f5eb7dd42d5c63878e61d92f605b52ddb5a2c5f

SHA512
ea0183d4d034466dfad571c34948b2d855f2c7cede90bec79547b15110ce7aeb1851f3db01710e154b0ebdfee86db4bf2da45c7066250aa7524c8554718bd17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
48f6fd2d308003752c5c22da4f63e952

SHA1
0909a45ce6654fd6bc83d9afc29360362cea0e54

SHA256
0045a58c029f08e1efa39c5c4e3555a2607921f61bc3f9b37e0c1bb043560393

SHA512
64bfcc16d033fdf674280b2be09d7043d88526dff3e596eefdad2aee94b4b6452531c4616adc1027d9e87b209680a8b45023312bc2be7379458335fa8ef2b173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
333843ca970e01f3824dd41e7497fca3

SHA1
b6094c85b017f09fe625001fcc303cbcb76f6cfc

SHA256
dbe21a013f6c10e256b94013e183de7f3e5c8bee8da5c6dee7c688ee4f185b25

SHA512
194ab7fd30a0a3ceac34302801543edad21f4403937f73dd415274b1093c2d764ee621f7a0512120591f57ba08a593412bb43be0f11de6251edaf912ff8275b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eb07a2d2af0e6e8ffc2c7c13bf575a20

SHA1
5cbf81667e42febc13cba306f3e0386f1082b505

SHA256
14a824533e1feb3f9c02120692b92e18a2039e7c8f20154022aa317d61af0b08

SHA512
f2c3cbb8f998983494b3f07c5ee12e39d2640c62d6f9a56ed5158fd523ceeed1cd22964b8e1c0972706484f1d7b821ff81cea48f5cb934bff631ea1c0d63e0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
336f10ea54264765509008d60b85f169

SHA1
ba504220692b4f267525a2c41b721c9d27c8588c

SHA256
2bedaae475816419bc74e0ca7984e58e79168904b2349def1d12d1ada0238b9c

SHA512
054c1ea6dbea74254ef8c0bb851b02919612bfe4c8e2b4ae46e5f6e3020c0e15d5df7e24bdc05259f9da19519396778067e1da1c4f96cfd23eafba0fcd443665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
913d5f13790461ba28c8df020a7eb680

SHA1
d19fb025f7032515049be87993cfc091be22bb9a

SHA256
ab346ef62b91bcbc4f4d1115dac06151de045fc81568904d4ea39e309ed4ea6c

SHA512
75a3e7fefbde9fb0170371b10f055a208f1d80a0ba750eaf16871cb9153716c0b33ea52e95255cbc1c6b1b6b33550226a110bbc2c808252e0f0e85413d40bd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
db47a32a2be8df69a005208b8255f55f

SHA1
37f10d48644c59ee9c78b029f07677505679f245

SHA256
464a2c7dd03df42eedccb91a88ceb3a93c491f191f5880568f8ddc4ee8966bc1

SHA512
51653f64e745eeeec883b39a385bfcdeddb29f6f8d1068ca0f4f91f62ac9db4e30e2ff1998dc19a62517d883a5e110afe614c16e44140e3b2585328a08c27bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
353KB

MD5
527f06bcd237014a4001e3e82cc528b0

SHA1
7a5f3bafcb898e4b48caed052d1a2363521dd18a

SHA256
e0a35cc9304a842d11f53abe630e3d63bb94c9afc9214fd578758be2d49b85f6

SHA512
6d40232c0a1ee60684acb1809899453cb426a12f0e9cfbd29249717348a4008e970ae3e65ee4628be198009e3fd8a9a704ec433281e0df3267b437dcd2a111c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
353KB

MD5
47ac3ef807afb96d8f93f26a4b32b093

SHA1
f09d99efd81748f2898a00ce2d6433be8cb1df84

SHA256
55fc91d2a5c1ac17be8594b8e8c8d50b10bcbae2bae02fc924c13dc05bf54f5f

SHA512
35f4e5329dca9a23fd7f6bc902250c4fa2ebe7bd07e2fbc3ff0759a3048ab27e90bffb3dff571db41a903f8c137e600279754f021b8345bac56167b2114729d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
404KB

MD5
7ae3248a084da1fc5c413edffdbbe5eb

SHA1
b46681f74ec6431a878417fe2818fb881ed83acb

SHA256
a15c7d62e4ae5bacf098bd8a434b29a877efab11a19c978e9e7c7a1fb72ddf3d

SHA512
10674838ab8b39bc8ee681e9060ead984e150712ab3b9d36f93fd134fdc01736e270688f85c200f1121fced0bd29544f7978fa126feb1f4da25d2905d097e4a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
a95b56dc7152008dec0fffa16c402881

SHA1
1e7f62121fe916a95afcb6af0882ef91a59f02c4

SHA256
eaf4a61406991744e50aba2318778d28d3699c21ec7008f3b6f3bdfc118537cb

SHA512
df39b135ac89baa2a9b9b2140827f78965ff8972f2ff240a5f8bf68063f4dcb983567a961cd5eb75bf0f9939ed11b9c2d0aa326bd4b20dba71498c3d08cfa59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ytanli2.yc0\BlueStacks-Installer_5.14.22.1003.log

Filesize
88KB

MD5
7857b5ab5cfc385f21adad77ee354c08

SHA1
fa8a6d1f64f15927c87074a4adaeeb9a079950da

SHA256
b3268196796d77338265dcf8c057fd404f22c98b572fb523da3e1658e8db8049

SHA512
0177e773c94da34468ced2abe0e09d174df649024b48ca64ed3eab91b9472bad750d6518bdb5cc64e561fc402609f9e9365c803f80e92e5cbdc86afd6dc8b517

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS498E93E8\BlueStacksInstaller.exe

Filesize
623KB

MD5
8734859b771d26d4b937371217d8d4da

SHA1
83b5b32715718a90ddb68db49fc5e4405e456313

SHA256
aed0c389f812cfe56c4ca0423935c7eed17e85318be99f654b57428dd6c0b881

SHA512
453900ddcd101f750b634c4c89f9bf81a4a267e8af5a2989727bc035d61b65e140838b7f12214cde491f9f7564f3511de625d7d7f65fb25a7d98a4646c3a930f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\checked_gray.png

Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\checked_gray_hover.png

Filesize
412B

MD5
ea22933e94c7ab813b639627f2b38286

SHA1
c5358c5cb7fb1a0744c775f8148c2376928fb509

SHA256
d7c79677d2ef897fa0ad1efc90e916c46da29f571208f78f24505603b7165c20

SHA512
ba447a1aedec49419e2b4a8de85c6047886f1a5ebb94f1c45e205a3780c6826f412a3892e97115b35e43839f43e346f3c72ffbf0c57d57f6d26b360ae61b3964

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\close_red_click.png

Filesize
15KB

MD5
6db7460b73a6641c7621d0a6203a0a90

SHA1
d39b488b96f3e5b5fe93ee3eecb6d28bb5b03cf3

SHA256
d5a7e6fc5e92e0b29a4f65625030447f3379b4e3ac4bed051a0646a7932ce0cd

SHA512
a0e6911853f51d73605e8f1a61442391fad25ff7b50a3f84d140d510fd98e262c971f130fb8a237a63704b8162c24b8440a5f235f51a5c343389f64e67c1c852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\close_red_hover.png

Filesize
15KB

MD5
5ceab43aa527bc146f9453a1586ddf03

SHA1
88ffb3cadccb54d4be3aabf31cf4d64210b5f553

SHA256
7c625ae4668cc03e37e4ffc478b87eace06b49b77e71e3209f431c23d98acdd0

SHA512
8a5c81c048fb7d02b246ed23a098ae5f95cdf6f4ca58fd3d30e4fe3001c933444310ca6391096cfaeed86b13f568236f84df4ea9a3d205c0677e31025616f19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\custom_click.png

Filesize
15KB

MD5
ced07c9db242115400e159d9a02bb7b7

SHA1
6f2bebd1714dd7522479b5f3e3f2b3f0d18e8c77

SHA256
1318e0f34a551edae1e82818fdf7de5ac627493db5b24556d919f525052d5b90

SHA512
d52e63792a5b4172d4ac4e2d369b22b170578616d04de5a40be15b260a2741bf8158b3aed9509760c334283360dd13a4fa21538fc4547ba464be5dd700a22b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\custom_hover.png

Filesize
15KB

MD5
f3e05f142e742e25a98d4f5af3ae0623

SHA1
88363e81ddef700803f4859d2f3f0b4af516bbf3

SHA256
d588ef0eaa334ed8482f32e5839a7ee0d0b544d5b8d5f7720b8c57010e080424

SHA512
5f07a7163c9834564dc4de5a1a484ac8208151bc244f8e72d64556abf88c35f6a81dd6718a3e6f681265c10e2dbbadb07570fa64c31113342a88fd605019496a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\error_icon.png

Filesize
1KB

MD5
dab2c4538a83422b5deae0e0de9b7a30

SHA1
78c2ab2271aa4020df1e0289bc3c1ba9a43fd424

SHA256
666ad4fe456216ddc06618967846ed31f81d8db5be97da6531842c0667352b89

SHA512
24cb30a68ce117ba16edd1e94c7d066343eb265c874cd55467db2f913c01b9d776b2ad846e3414cd820c0ba10d93f132aea27739d16165b6e9dd5fbc8890bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\exit_close_hover.png

Filesize
575B

MD5
92c2bf222d6ab81fe7a0c072bf31c107

SHA1
8853eb08a2aa3e99fae6dabb9cff6461704f2a2e

SHA256
bcc053a9a087e077d58114106d29701a34f7851f4052f3157102811355d3e709

SHA512
6548d0038f4bda1db69de0729cc9648725d744953649a396b9147afb16abf018a5aef7ff7d3bb019031863f20c81bc202d6e37d171027ab9fde3b37402e179c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_bg.jpg

Filesize
78KB

MD5
3478e24ba1dd52c80a0ff0d43828b6b5

SHA1
b5b13bbf3fb645efb81d3562296599e76a2abac0

SHA256
4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904

SHA512
5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_logo.png

Filesize
14KB

MD5
e33432b5d6dafb8b58f161cf38b8f177

SHA1
d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a

SHA256
9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183

SHA512
520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_minimize_click.png

Filesize
112B

MD5
08fc39a69fa17e0f529915919cea1633

SHA1
2966a3f739698e2ce368585fb7f6ac4eae4497b1

SHA256
2599d6a55a8e12b1f05a6e8982d55559151a25ae3690e6637510b6283622dd95

SHA512
f5eae902f9b631410b03b6d4f9be1b4cf6547a94f1a2eee6bf70b0f3036499c01a42c9d58cf98ffbe10edbe79577a01e64faf0e527a70bc9470a1c3d9263b805

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_minimize_hover.png

Filesize
112B

MD5
18fb6465b029206477d0222e8da6fdf9

SHA1
b7f91e5e3002a5d3c84a30ca6cebe1a89a65ba7b

SHA256
57aae4bf49dcbb0ad6cff6263200015c89d7752dc75c2ad918bf846e1ce9646d

SHA512
f045dfed35ea9ff31336cd354a0dd2e9a7ac2582cea1d25a444fffa3bd01e03d73611f786873a81a27a370e5ddb3a6043713e29f064d274088df1c925eb6785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\installer_upgrade_image_bg.jpg

Filesize
19KB

MD5
3bb85d2c8cef28c89a2d07adf931e955

SHA1
596d13e7742455afce8a534382b28cfd2f6aa185

SHA256
b7f75233e633107d50f24ca82099225c83a832571cd2ce92901f2db3897f058b

SHA512
7075fe989d69ad5f0f4cca5fbbbabad16e0949c2ab8538f3f96020b831a4ec1cc3a701dcb7332e577b5eceba230449efbbf8e288dad47a53d76e40c2337dc730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\minimize_progress_hover.png

Filesize
214B

MD5
fc2a0361a751177d3aacdba9c31b2682

SHA1
0a8f672d7a8777d1106e3b8ee36bd6e45bd322ab

SHA256
1a4aaa46893e2a9b011c478fbb0cd0e84c199f9f3520703189640088969ef5cd

SHA512
a15542c90972387133d86f6a94c17435432b1493b02502533c4d7978428ed7d44a7d3c5564fe08946561638f8a5a3dd0b35b81979c2929dcc386ee5f6f7ecccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\powered_by_bs.png

Filesize
9KB

MD5
7a2e5c21140aa8269c2aafd207f5dbaa

SHA1
4e0d9e7e1b09e67eba10100d73dc51623517821e

SHA256
3d2afe5236ec813d9e8063bc43eb34b88c2155784e1bce19c6a533c32767af35

SHA512
63f512559f2068a9702c7c527c126f6017cd8d1d16af52e41b884aa9a64ff4294a57243ec78c3a416f70fb6178a79877d68345357725ff92c935709a2ef8adde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\setpath_click.png

Filesize
15KB

MD5
624e84e9b49bc150043aa9fb0eed2822

SHA1
f23f2a4ec609e3e9cff9319533e561968ccabb22

SHA256
c94924e95a49b175c8fc00bdc2821bb70a85b864cc193becc553b32f0024dde1

SHA512
288e1954d29bd3d22b56fadb2e0d3d10580a540fa1f2bab1284d957708bad96df5e38b67c6dc14784e1e275b89082c57370b786c0d0c4307601c0d2bf3704460

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\setpath_hover.png

Filesize
15KB

MD5
b1e53a76b6ddb3ecff52bfc1a8e5b09d

SHA1
012b5879e879fa25bf48e4bb62c35ee829eea571

SHA256
2da3f9367c847e47131370dd163f611c4639287512a47f487e0025c5665830e0

SHA512
4369891858b4adaf9144636c44b55979290177bcff57f67f341071e42e90f992531024e122c0bc5436ddb8c55e994e7b913ec37137a642dc0164e6e2516f0b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\unchecked_gray.png

Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Assets\unchecked_gray_hover.png

Filesize
176B

MD5
62d7f14c26608f8392537d68f43dece1

SHA1
add4f30e7c3af4f7622e6bc55d960db612f3bb0a

SHA256
a631e26bd5b6ea19c8c65b766a056c92ba8a47e1483768dcf12b05293c9a7a0d

SHA512
e41210a78e6076954f75a2f73c0f7628e8604a09ecbb1d2ee0972741d4ef1d814b366828977c02944736b03ed116bc559a2ae47ddb7cbc6f4e54578c8263edf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\BlueStacksInstaller.exe

Filesize
607KB

MD5
1744edd4e585a5efbd49ad0593810af1

SHA1
57dbda1bac0b48803933da6940c3b88376774c69

SHA256
3b136c884fb6e21acfcca33538f9b2e472f0eb83ae9a5a128cb1d5a6098b7f31

SHA512
f7690f5cbb08f2b7f801aecb24c826dee1fc08cd9d324b54359ab258be92577e72dcbab146bc4f55ab58dee0a01ff32070ef0f4a58385ba928f3f01bfe15d018

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.ar-EG.txt

Filesize
24KB

MD5
2cbe2f0936384cc7729ca9b15e869955

SHA1
cbd351ef412b7fb52e2ac582f4eb58944020ee33

SHA256
057074129e8f390aa07851d6eb59e892440e7994c4c6f3b78618e7fb6f07ca92

SHA512
fb9e0fe5b138df8e36f334bcf7e4cc7c024d2d8828b63486c3ac19c8279e0e9e09d82d391b536eac0e52160992dc6bc3672523b5edb2cb63d7a96e4128b48b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.ar-IL.txt

Filesize
14KB

MD5
9fb07e066cc2f213a64d35a97a8c2922

SHA1
a70db989f5c562bc69caad89a1402c8ad7c9b80e

SHA256
65e7b0f37b5e2aa805ac8d57969804d803430186f34e9703ca9fa09ba908ef90

SHA512
81680bff55b475a62a4bf29a8c219230b84894c1165f60e372209a5aacdba8e4819c3dfb76f3b55c15d472ababeabf0cd4b30c04e7daa26df63c8a5101970c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.de-DE.txt

Filesize
20KB

MD5
995c4504c8e8e71b372e6d9b64b070f3

SHA1
9ff5eaec585c416446c3f7ad7f3985f42cdf6226

SHA256
c28bcb07bdf32e5221ce919354cab0349891dfcbb87540f241fb3f58cf9028b7

SHA512
f1fc68f8bcf923f4f682eb30ea980e6da36355eff9a8ad7eb93d558d96e831b19dbf167b2e6d2287c6532c2b2c5591c66191d1005ebb0d56eb1647904b804066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.en-US.txt

Filesize
18KB

MD5
bc0bfbf0fa8b40c2f72957c2f57afb8f

SHA1
644765340a713413e159ff57f0098501ca8304f4

SHA256
819b673bc98a9aefa9e480b3df2a5f9558033fce38c2a2f5be08d10b9a859e28

SHA512
6e7e88ac28190011c1e1e2a78517e3bb858e35ac90f125882c64bfa26d5a6f7ee6718c558b9446f3aeead0a8fc53c825fca66ad2f6d82819ede19b88ff658e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.es-ES.txt

Filesize
20KB

MD5
67f8aef2c5208468ce113a47edfedb4c

SHA1
4d482c81f65dc7c7b23a6dd2cdaec0eb7fee69fa

SHA256
341df1d9ce68b161f1728bd466dd9da64d4723530f3bc0f7fa66a3dba3825917

SHA512
e3bd1e8b69fc28a257e9024bc0b783f161c6574e5f9aab9737c02a2c4b1ebca59cc761ecc9ef3c08e62a1f325072164899ae9c984f37bf385e05fc011255857d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.fr-FR.txt

Filesize
21KB

MD5
3ba087f6afff180795610e8ac5bb5aaa

SHA1
f2d5c5f10694e51fed09d5b3a0397561beb331f9

SHA256
d2d2f4d6e554132fa86d0bfa0ac1892f10f53f30638599b17979cadb5d011f4c

SHA512
f9bbce232b486b51352f6c0386e515f0824b0b0ba56400e3f804f322b0a7e90e73b6917044bb8e0eb37509a0b4bdc1d37deeebae43547b9d8f35d2f34d5f55e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.ja-JP.txt

Filesize
23KB

MD5
6977d12f436990c3f655c22bb44566af

SHA1
d0a04169354ab49104bc123e90494115dbd1539b

SHA256
c7b19642434a9e918003564b30cfbee5c0710463a74cb7fa86f9da2334d6d38c

SHA512
ff9ee652a79379cbdd7b2974fb6f61f4efaf2b73a79b28bf86b34288c42ccc343039110f5abd2c50ebe13f080e6f5eeb9196ba7eae3c61a782f6971d914a996d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.ko-KR.txt

Filesize
20KB

MD5
f13198caa789feab1906e69736d1bf8e

SHA1
6087394d95723256c9eaa084cbbd03b800b8a7ad

SHA256
0a9b0ecd030084ad3f48791e991a9dc4d6bd78c1245db75ff7e48f33f8578986

SHA512
3b8e4f9b9395a2b512fa460845a5f4546971a31e1203d81c078955b5361888ad70176f143f50c9b963b0b4370c66ddfff3a7dbedb0a0d47ad881f8a6af44d2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.pl-PL.txt

Filesize
19KB

MD5
54f8558a0112610cc516958482672cf7

SHA1
3422b440364816c7e96d7f598e03df90b8ab74a3

SHA256
783d0131154663e7fa6b069b5ad5d3a86d94f4e97b5a58b88f71a1912bb9eae4

SHA512
23507a21e88574980f6de8905dcf6099346c5160356889675b318c575ceed9274d65574d882ae32936958f9f4810556a650467069e52a978efb03dd208ea2b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.ru-RU.txt

Filesize
27KB

MD5
5e617de676c07bb3ab766d5678df38a4

SHA1
cf69fc6e6c0b6d3a9a6bb6934b18752cb722b14f

SHA256
f07976072e28b0fbbf9bfbabe60f843874d2f72cb9ac76bf2980c1a8208a3793

SHA512
997178e8d5850b929d3f870036000021c17c3b28d73991dda7e0408b32186e328c08b1eff4ff76bc9d8567c07a1be0defd44fe0ab925d561a5c3b95386051009

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.th-TH.txt

Filesize
32KB

MD5
c964784c1444bc7e9488acdec13990bc

SHA1
9ca7ac8a620fdb37aaf21fea1df37e388dab6eb1

SHA256
889ee3e31b027985b05bfd356470baf62a221617f37bdce444f2b60f7bb1f91e

SHA512
903f4554e0b2f602186837f39158a52bbb035d085cad49c03b8614219e22469eb63e9390e101c3312bcdca0751134accd37e0ed71d3db8eac096dff5a2b9e3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\Locales\i18n.tr-TR.txt

Filesize
19KB

MD5
2b5f2c757a4d42de2f98e31139b676b2

SHA1
cd40cc682b112f60c6dd460596cffb3b994bd882

SHA256
598ab5abf69d1de2c04e6e7fa807606f4a2924f966fa0c373fef99a474244487

SHA512
2055d884d2e39962801f1c69f997d58d6db5fe01784cb1202cbe72973a48f8bfc399642fd46d28dda9d56ef5558aab32b341d79ff7d0920af7f4769ffd986d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C78DD19\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\Assets\change_hover.png

Filesize
310B

MD5
57092634754fc26e5515e3ed5ca7d461

SHA1
3ae4d01db9d6bba535f5292298502193dfc02710

SHA256
8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1

SHA512
553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCDCA9DF8\BlueStacksInstaller.exe

Filesize
640KB

MD5
5735b7fcc2420115768169156cad25f1

SHA1
d21a111228170ab6cad960de3b6878f85250dc97

SHA256
735a2e01a4866dd204d80b5a984d2455c2b27a22616cb0f080ee824fe87e980f

SHA512
782b430742e2513cbc181774cfaa0656905f782261de00cfda0e9922aeb7818b2328bfd8f4c56c17dd8f114e262149d9997736890e9f8fb29659b4d9901487a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF4D05DF\Bootstrapper.exe

Filesize
153KB

MD5
84374e0d11c463624448d139f6c17dac

SHA1
2db5057242c766bf53748a9d23b9e0b18e699d1e

SHA256
218cf6acbc7a1a4b9fef00b8dc9660f2452099fbd0a6a459d364e61017cbae59

SHA512
4b258f34250d2374a941a4902ee4b2d9454a8cd9f1b27772a7729f2f72607b4fca28e932d0aa2d36cad527f5b1166e6e32ea087da9df4506ea05c64148fa8d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_1.jpg

Filesize
89KB

MD5
d5521b02ccbe5e1716de2922e5a663f4

SHA1
e850ab791b7aa465c0d676a0bcf17e4ca60ea1bd

SHA256
427039f8968a4e518c37bddde86de314b476d55a52a0cdaa8f45e6266a8ed08b

SHA512
025d3bdaa02e93e309d187a34a3b1fdaada262b444363d5d36eba5888f0449efbbe118622cfeee09123693b783844ee094078ad243fd8c070a670126dd08c8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_2.jpg

Filesize
121KB

MD5
2f0acb01bbfd565f803eff0e12d4f74f

SHA1
521f2cde14fa7be049ba11336cd344ce335b487f

SHA256
7cc477b38d05c7002621a51d04d2c2d9f943be5115abae1d8bcbd2def49de54e

SHA512
c3c97c7a2d66bd6c5f901ba06282fbc1c7cbf8a62d9b3e5c1f63882113addcfc9dfefcf03c6abe96c52bc4c2c4e09939e35a1e8cb9615a82024e0d50d9dd5eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_3.jpg

Filesize
99KB

MD5
1d5e7e72dcb6d1141976c6519ed381ea

SHA1
b478ad52c2d116c121d4a95b150790975d6b34bc

SHA256
e5488121a3155d4d770105ab35d2d50270cc8fe0e71db4c46b4aec72580357f1

SHA512
04857e8b9735bdcd876a8cdae0857a7700403c83cb069156b0db0d23851f5a3af2e632a6ecda5291bc7c06427c905ce2b6db74ea427a8b3047812533b2105dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_4.jpg

Filesize
94KB

MD5
29c1bfef2bda9451a54554492d56a66b

SHA1
644788f16bf137546fddec47bdf6596dfb5e32fa

SHA256
3ff5f2fe5659543e141f0abb835e9e3d21adac4f36206ec6454d0d182dd64443

SHA512
cc1f640f36a2907c9ba133be6a5214c49e912bd0b0e7c54d59a7d67938c79a2a5d9d047eb9c92680fb657a22da8a3ddc9a48c5983399f8ad4406108c37755e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_5.jpg

Filesize
87KB

MD5
ffa3db7ab9e75972e5e8ba1f9f2b61de

SHA1
4229e04326e71bd1eae100377316e6b3c6206901

SHA256
423dba72b462e2595f608bc6e66bfe35869aa5b240791a30432b89b3ab0547ba

SHA512
2afed67571e384f79d3d15ce154166f27c4e5c12f36e8f1a4f497d0d2de1b64d0795692a7ab48bcb71278b3ed67dcb97520ec79932560e348c1d4a59ca8e2d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_6.jpg

Filesize
101KB

MD5
fd5577e8af1f1c05f24ec84b503d5161

SHA1
334a43f4601802e0b3fc48e3f9ab1bc2f4185a59

SHA256
9d97256abf52aab13fdaecac6addfb999a27abce3023a70c77664e68663c6fc9

SHA512
3617d78682ebf6f814f6e6d7ee6907c924f4bde36f0def24b947b2eba2310678be28ac56af5e9948080a0277ccddaa34157768144e5778875ba697bed767c6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_7.jpg

Filesize
104KB

MD5
55324be215073dbb15e94c8badac14df

SHA1
175679549fba2d1fe5cde27462165e31464cab01

SHA256
1ab4953190aeb9e7e5c2cb7d58aa13508906d982c2a8435ba50c709cd6b597c8

SHA512
fb60240ed1d7dc2735a5f458ef2f4361521d8c1ea9e583280bb0c29d10e5a66afbf63113e5b794b559d1db7b29dd32e0d403f971bfe4740c5a68c942455acf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assets\installer_bg_8.jpg

Filesize
93KB

MD5
3510f0529819708a1594e65e90148be6

SHA1
0d14b8237d35a17e97135ea6eef03e4851b00b6f

SHA256
3c947b7946c9e92318880bb5d31fb600b9d32476fade9ed0ee9c9c7c714f6a57

SHA512
53441e7bf99d462a62cf50c1151bb73702fe14bfa638630995aa1e119498c23cb11ff5bbef8e46310215515ed3284d6d64687a18a2427b40e212409cbad9daef

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD37.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqD99.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqD99.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqD99.tmp\nsDui.dll

Filesize
3.0MB

MD5
c40a4e327c43f7f51a20c38b1bae840f

SHA1
0f56fe0a357a71ef32cb138258366f743f8fc398

SHA256
ef94f69593fd376e52a46934629b634a6365590b7102cd45a2dfe45533139060

SHA512
f379dc79899744160f21d6c8f11341b2251e58c09dd510b035cf08ce8bfcd38e290b96af3baa656ec85be8753dca7e32d3b95098ced1cfb481142d454b178565

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
230KB

MD5
e8b96113d79f611db9ef00ef0a3f9dfe

SHA1
2b1031c270cbb9aa3f0f60f41aca340c43540e6a

SHA256
4611c4fed4d9baf0bff00023a23a5e039208452da1460c4d0ea0ff90a04ec54e

SHA512
7121fe3982912f345ac07bbe823ccc04e5a03d9d4097ac167e3aa5544803aef31a76cc9395337b3d0f8483e626e9567f113bb89db8c60375fa84ba65a50f1f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
de8553a6fc78cdbef52162ba0a6eec36

SHA1
4664944cf7b6b20c1e1e8f56e27f0f0d1191413b

SHA256
ae8385edab730a03e9fb69ca9dae6eb2c0fe1e3ac7d6dc092b52bdccc9d15a22

SHA512
005b5a425ba9fb58ff2253145a295030e829ceafff2a8b0c2efa6308f1f45bc4bc6ec9eb3814267f22addeb43e16a9407f48836a4a7ad7e228d3d26541f1a894

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
90e3e31e069d9d2c588599e041a1d3fd

SHA1
861aa328f7048694154eb60b942d2c850113dbee

SHA256
3a2ecfc62dded1a271690031969e411a0ae15e4e7d147d2fa3da135e44f11bcd

SHA512
c09436b8dbdecfc43e1f10ce95a913ceffa8d55305fb2e3dedcff0c567e9980e80c4f0e0a85dff046eff86f678505460ce0429697b932b50c02e683e7d2a562b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
d431ddc18bb3fa81c729a8e737e15861

SHA1
5406121148ea83070e82171e7e3795250a4c06ea

SHA256
73b9d6e41dea459f26c6abcbb0a801d5e8829c0de95e1cf07f328dd31433153d

SHA512
74c4b40b22820bc21ee55557d8cb72a37f252d8110a67500feb9a7c3b2f913a2b99fb15d8512a768aec8f9ccbf3c60af8b12307d5c5897d73bf00d6947e7fe5f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
f7681b588b8eb2e9a916b264795c1900

SHA1
da04631e2a77c49a5f1e89d2f5e1b179597392d1

SHA256
d4848f55d4cf73d88efdae8e4057f94c55dbb13c8af09d320c07bf1875c368f6

SHA512
597ac6efeeba9859d5b1ec9b3b605e18918fbf82a1cdbf5f1e91ac59ad187fd38200e626445ad76c2db1f947329b2d1a221e1c3abad0af1baa28b02d322ebed1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
dc46baccbb7cfc8e8403fa363002e5e7

SHA1
c144cce71906460069ef5710286350727db16a7c

SHA256
dccc9211bcf6527324566ca376d0ed9981ee91f0bcdbec5dcc04b6f025e3fff3

SHA512
0ad31257c417f21a957b4a7e1ec8669efb1bc6a5609efd042d456baa7fa406c5271bcdf7e2a9a1d51d8bb777e6c1884c5ce8af3cf165a3cc4b77ca37c8fb6c6e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.3MB

MD5
a8717f31e62501cd8904c38478d8e268

SHA1
078003232f3fd499fdba15cab5db1d08d0d63823

SHA256
1f2c5ca6bbf7027f9be93a99273397bb187516acca7eab42b6cb7f016c573783

SHA512
c79200dbcaafd3cbcef797a568a142ac76b689a52bf59fb170c8be347a37b863b57a2a125ca02ae2e9040bceebfba302c4adb7cfcda68361ede8e4ab78fb93a8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0dc159ee11701274fab768fcfc1292f6

SHA1
9a26ba99e28ff402792c8c171e1bbf4b39f277c3

SHA256
9b6356c3d3e3e2dc7024206bac75ad48bf13a8a2c7240f34d5bcaa36d52883ef

SHA512
eade1fd1d83584434004d78a141e61f65d8520ac91f4f5dbe1f63179982e54332cd96df1b2d9872597787eec088202707f868e62becb3f0abdeda3d1888f66cb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
e6741ba9a8663d31331f781afc7c3e3c

SHA1
0e86c037ba0a282027d441a87840f0239ca7253a

SHA256
d218245f048819048faa542b3adb9bdd061ca43cf0cfad25429ef70279bae5f8

SHA512
cc1a58560b1d1b21534d13aaa779a6692c73d18d516f2a86da391ca1dbc1b64c41e56fe5724c14bfdd7c51e10b167e6a363a5e23900562236b6cbf57922bd3d7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
fac578b4485bdf79d0a60a9a02fc991c

SHA1
5c734d9e7283931343e881f35e1facf86c6b2362

SHA256
2a939501a9c4443589db7e8e0eb34ac13d0edc40c0d67bd44ef1b816e26362ba

SHA512
dcb397fd8f4606888594f06a689474f54158a47f261bdcb20f875f569535fe3b6ebaed0378f9d2ebfe229196cadf87c5fa949461590f368397f955f7fe7c6dcb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
21668bd957d4b4fcf732df730fb96530

SHA1
cad281c4fef7719aeaa2e5ea73f6335fe78d9a1c

SHA256
ea160cc19911c749a352a5ad254ebfb3ac36c0c66be64ab0dbd74d4fbb743102

SHA512
747f71e3fe3bd9afaed4063b0b3573c4b70d47d6f45a34994983ce822d7e1870663ed92266d0ce73438404c588ec3670ba2ec791bbce13a339cc04dbf22be634

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.7MB

MD5
7a6f6fc6f56780cebfe28ade96f8494b

SHA1
9aa97506fd8767b5940a6c140f06b1172a733b8a

SHA256
37344343b0621f44170c77cfaee11014b2782d972e4c9d05cdce8b706a51f0d4

SHA512
2a58073f6b77a7b6fb39b1fc0501e16be2a55026381ae9eb32f7a45cb175aa362969dde16b5538d0929db10331e3801889cd043236134aea5c182bfeb954a637

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ba69d015c902e4925ede79ae2f027649

SHA1
50b03f79b3d7d88893165872230c845dd1ba0f2d

SHA256
5f133f7b93123ecbf16a7b240cc5de3f5d84ef46af412f2d154c8d5f7f893dea

SHA512
ce1c8aa81480ac0b9bef86598a89dfd5a6ea2268b578fdd8f97048577222ee505add9b867c205654bf006e866747f46438b55a95b6893a463f874133de58c3ef

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
f4e46f5a44815c6bc32dae4c5d65d1ad

SHA1
8312720fc91704424a5b236fcf0c20f088f06dc9

SHA256
19f71574d3efe6f6f3fe2bd9215b35e9243a8426c2589c543c9a1c1201d71323

SHA512
14797ac1d686e59220a73d6ece0a7e44b70df08e135343a6c4a5860752a99a559892f5db3264c65e7082c33f1ac6f18110074db970d2545152bae130df6efccd

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
1.3MB

MD5
a3cd1295d04cb7ec25b14492ed910486

SHA1
27cdb39391e2135a7258e6711c24b343619a1a33

SHA256
858a1c07462fcf0b67d2df429e6b89d1a81e161357e7360214beb40c086343ad

SHA512
d6540741298a4ee807a5fe47f64f23f336e62273930cffafe5dd9a441d4051cf214001fe623dbcc6b963d08761398fdfd35b2016f72b95dd8cdcab22cd2c7756

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
7433d98be0a81d5725f61762e3ed76cb

SHA1
5042322c067485c3fddac8db94fbff007fe8c1fa

SHA256
ac4ecffdce3909b0bbfbe449198c1ced1578e798cb3a5f68c80ed6d3509c7e6a

SHA512
5d21ec07cbf8200d2aec4e700acd1d4acdafe458284c98d4201b41ebcfa7df91f6381cc71ffa8b03c16c12ae4785b756395b497417697470c21adffe0d2db443

Download Submit
\Users\Admin\AppData\Local\Temp\ERNS X!TERS.exe

Filesize
1.8MB

MD5
8c110834053f57e14ced24c9e8b135c0

SHA1
e244e2a297059871cb28b75b1ea755d356ae60ec

SHA256
63ad8f6ab5596ed4ea35936d726fdecf520d5f70d6a976c765d8c59341f1e118

SHA512
77c25c6f2cb8aa004760c845358074bf2995382965578048ca7be3b32a10646983dfef6dda3ccbc022b7546bd12da5eb293406c39ba44e7679879750c0ac58b7

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
ea0dc2defacafc7815538beb9284cc7e

SHA1
63b04c32d82a4700b2e66a291e597b84fb958322

SHA256
392c0f96a0d98136cb98dbcc0abf85a310c0f9b92fdf1e8aef27bbe4b4654012

SHA512
ca42df4cabd45c0c5ebc26edfe4919fd6fde04c358e1e24e529421b928bdd897112ffaea27dd74f2704c5e02b60c99adc9688153150740d9f578cff11b03d460

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
b37ca3b297a040849ebb66c0b1532078

SHA1
8bc55406a187f198dffcaa6922fa76399f7c250c

SHA256
b1725ca8400870fee42a95445d480ee2d615fac1bf93331523c0fcc1258d8381

SHA512
3df3d67ccf344b5736f1215ae91770e18248fdace2c75629842280681bf4c146e61f989638606bc5c0ccefffc13e659524757583ade6b72a1ca52e9dc8f54f34

Download Submit
\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9b97360a07ec77c8ea60e4e2c0b8f018

SHA1
5b68570196e3cc20b46b43b787eb014f63779d70

SHA256
397f2e8d0ee7b423bef5177be580b63990bf8dea178ed585217190753bbcb15e

SHA512
e59fdb349467591a906751c9f0c911e79af573cac4ce39a8faf223125f7fa75347fffd83b8150049a365e7c0438265c82d14949034bbd7039e52e9d3719695ea

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
34eb0b99adea7bd4d7871fe45ccddf3d

SHA1
1464e781d60901fa6e733b4483e6197c0c0e8ece

SHA256
67fd253020ddc731666a78d50f471615c3bf8c7590b5d2394d911baf586af92e

SHA512
988d2aae2f7cc3ec8d8df309ac5b1f05b4b53de0f7b3489d8050e450135db52831964b0e4bc2d2223373223c776d435aa735cd6a436ece007aae53980a7b7554

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.3MB

MD5
4b7330acd48b7dd50412e19901c76d45

SHA1
1ed69efe120ff79832c7733fef45d050c31174ab

SHA256
651ce4e14ffd1706a0e8baf0797f1275a5cebad6105bd32d852004b8d3bebd3e

SHA512
363208831ce2c62c7de1d3455d8e168abd0686afb9e829ba348258e8f382d2d012bef9dcf958395a482cb22a2677b8d8daf11ac3cdb7be6f89f455aea4872194

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.3MB

MD5
3cddf380b5f2dbeb4b740731cc605149

SHA1
a5f08bf5a7e73a06e31148b58d00acbe01d68872

SHA256
da6b3f2bd6852fed3219a8918fa0d95e565efb02e34d44a0f4e5fabdd2485d01

SHA512
225ddc952f6094cdb080e8fe4d62d3602cae4b5d09bd8c3d2d28be4610ae54ad32e2cc977e3fb3cd541654dc55222c232d630c621811ba7cb6623990d4df55b5

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4c9942dd0a3165a440e2481051969f92

SHA1
bb7b510739106c15e4070be0340707c3f4b03379

SHA256
64a4f80d60df8b01b9ebcee62aa43dc26ebb459b6ba7f189f08383049f6bdef1

SHA512
673ba53f093975c4cf591019d47755d0eb6ae5d2db56e683a8c88d7ed8d105ba07cfa77428b725e7b01a95241eea0ccd8268ad7ff10799e6b003d59bf909dcad

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
8f2d19d8e76403edfdf2e44fc19f26b6

SHA1
a88f46187bf9b3870f1cef8c3f0fb986492e8457

SHA256
e912eb9e21822c39332c2bd56ef1bc3fdf2acb1b0fa3dfbc7aa27830a7bad528

SHA512
dae6043c2d99b2e51e0f02d28f1d686dbfc414a28301504a8ca41cfa6ea69bb19555540ea3f5c70ebe445916107c7f9a3bf51c111f4c67e0474168d3765138a1

Download Submit
memory/352-413-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/352-726-0x0000000100000000-0x0000000100123000-memory.dmp

Filesize
1.1MB

Download
memory/376-422-0x000000002E000000-0x000000002E154000-memory.dmp

Filesize
1.3MB

Download
memory/376-272-0x000000002E000000-0x000000002E154000-memory.dmp

Filesize
1.3MB

Download
memory/536-618-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/536-588-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/556-848-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/556-831-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/576-125-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/576-118-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/576-119-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/576-303-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/776-668-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/776-647-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/852-87-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/852-62-0x0000000010000000-0x0000000010146000-memory.dmp

Filesize
1.3MB

Download
memory/1112-708-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1112-689-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1116-403-0x0000000100000000-0x0000000100151000-memory.dmp

Filesize
1.3MB

Download
memory/1116-412-0x0000000000680000-0x00000000007D1000-memory.dmp

Filesize
1.3MB

Download
memory/1116-241-0x0000000100000000-0x0000000100151000-memory.dmp

Filesize
1.3MB

Download
memory/1116-263-0x0000000000680000-0x00000000007D1000-memory.dmp

Filesize
1.3MB

Download
memory/1268-424-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1268-540-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1296-141-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1296-133-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1296-325-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1308-165-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1308-351-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1564-368-0x0000000100000000-0x0000000100163000-memory.dmp

Filesize
1.4MB

Download
memory/1564-687-0x0000000100000000-0x0000000100163000-memory.dmp

Filesize
1.4MB

Download
memory/1580-543-0x0000000100000000-0x0000000100133000-memory.dmp

Filesize
1.2MB

Download
memory/1580-310-0x0000000100000000-0x0000000100133000-memory.dmp

Filesize
1.2MB

Download
memory/1624-533-0x0000000001000000-0x0000000001134000-memory.dmp

Filesize
1.2MB

Download
memory/1624-286-0x0000000001000000-0x0000000001134000-memory.dmp

Filesize
1.2MB

Download
memory/1632-152-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1632-328-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1656-90-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1656-96-0x0000000000A90000-0x0000000000AF0000-memory.dmp

Filesize
384KB

Download
memory/1656-89-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1656-271-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1692-646-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1692-352-0x0000000100000000-0x0000000100219000-memory.dmp

Filesize
2.1MB

Download
memory/1704-607-0x0000000100000000-0x00000001001B3000-memory.dmp

Filesize
1.7MB

Download
memory/1704-329-0x0000000100000000-0x00000001001B3000-memory.dmp

Filesize
1.7MB

Download
memory/1720-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1720-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1796-255-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1796-71-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1796-77-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1796-72-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/1920-764-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1920-792-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2028-859-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2028-847-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2084-724-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2180-834-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2180-823-0x0000000003DD0000-0x0000000003E8A000-memory.dmp

Filesize
744KB

Download
memory/2180-822-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2300-544-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2300-799-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2300-789-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2300-582-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2324-879-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2344-869-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2392-11-0x0000000140000000-0x00000001401CE000-memory.dmp

Filesize
1.8MB

Download
memory/2392-132-0x0000000140000000-0x00000001401CE000-memory.dmp

Filesize
1.8MB

Download
memory/2392-17-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2392-23-0x0000000001CA0000-0x0000000001D00000-memory.dmp

Filesize
384KB

Download
memory/2496-710-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2496-406-0x0000000100000000-0x000000010020A000-memory.dmp

Filesize
2.0MB

Download
memory/2588-821-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2624-47-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/2624-52-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/2624-46-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2624-86-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/2704-754-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2712-749-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2712-770-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2744-29-0x0000000100000000-0x0000000100142000-memory.dmp

Filesize
1.3MB

Download
memory/2744-157-0x0000000100000000-0x0000000100142000-memory.dmp

Filesize
1.3MB

Download
memory/2744-30-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2744-36-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2748-43-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2748-175-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2864-614-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2864-648-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2928-16-0x000007FEF2FC3000-0x000007FEF2FC4000-memory.dmp

Filesize
4KB

Download
memory/2928-145-0x000007FEF2FC3000-0x000007FEF2FC4000-memory.dmp

Filesize
4KB

Download
memory/2928-40-0x0000000000FF0000-0x0000000001030000-memory.dmp

Filesize
256KB

Download
memory/2940-112-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2940-106-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/2940-129-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/2940-128-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/2940-285-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2940-114-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2992-661-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/2992-355-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/3008-870-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3008-881-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3008-698-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3008-662-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3012-0-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/3012-3-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-2-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/3012-7-0x0000000140000000-0x00000001401CE000-memory.dmp

Filesize
1.8MB

Download
memory/3012-15-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-586-0x0000000100000000-0x0000000100134000-memory.dmp

Filesize
1.2MB

Download
memory/3020-324-0x0000000100000000-0x0000000100134000-memory.dmp

Filesize
1.2MB

Download
memory/3028-211-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3028-367-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3056-546-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3056-535-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download