dcrat | a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da

max time kernel
470s
max time network
843s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoClicker-3.1.exe
Size

860KB
MD5

c208a15591828ac1b1c825f33fd55c8a
SHA1

bea4a247ece1a749d0994fc085fbd2d7c90a21e7
SHA256

a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da
SHA512

b78d8055fc64bac1cdd366cdb339df2e081228bd998fdb5450a6832b0720c1b321568aabd7535ce62c16067ad20c86e51712c3e78bc40945adc05c63565fd889
SSDEEP

12288:2aWzgMg7v3qnCipErQohh0F4xCJ8lnydQEzFGZ3dRP6yWD:RaHMv6C1rjpnydQEOPdWD

Score

10^/10

dcrat xmrig xorddos aspackv2 botnet defense_evasion discovery downloader execution infostealer miner persistence privilege_escalation ransomware rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2404	schtasks.exe	357
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2404	schtasks.exe	357
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2404	schtasks.exe	357
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	2404	schtasks.exe	357

Xmrig family
xmrig
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024509-1914.dat	family_xorddos

Xorddos family
xorddos
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/6648-18737-0x0000000000AF0000-0x0000000000C48000-memory.dmp	dcrat
behavioral1/files/0x0009000000024aa7-18813.dat	dcrat

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

XMRig Miner payload 36 IoCs

miner

resource	yara_rule
behavioral1/memory/3796-7939-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp	xmrig
behavioral1/memory/3896-7938-0x00007FF797C10000-0x00007FF797F61000-memory.dmp	xmrig
behavioral1/memory/5440-7943-0x00007FF654990000-0x00007FF654CE1000-memory.dmp	xmrig
behavioral1/memory/1588-8031-0x00007FF7C7B60000-0x00007FF7C7EB1000-memory.dmp	xmrig
behavioral1/memory/2356-8052-0x00007FF747DB0000-0x00007FF748101000-memory.dmp	xmrig
behavioral1/memory/3648-8107-0x00007FF79D190000-0x00007FF79D4E1000-memory.dmp	xmrig
behavioral1/memory/3888-8110-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	xmrig
behavioral1/memory/5440-8102-0x00007FF654990000-0x00007FF654CE1000-memory.dmp	xmrig
behavioral1/memory/6020-8101-0x00007FF6A5800000-0x00007FF6A5B51000-memory.dmp	xmrig
behavioral1/memory/3660-8097-0x00007FF6CDAA0000-0x00007FF6CDDF1000-memory.dmp	xmrig
behavioral1/memory/4104-8093-0x00007FF7DE540000-0x00007FF7DE891000-memory.dmp	xmrig
behavioral1/memory/5488-8089-0x00007FF6B3650000-0x00007FF6B39A1000-memory.dmp	xmrig
behavioral1/memory/2412-8081-0x00007FF7F0B60000-0x00007FF7F0EB1000-memory.dmp	xmrig
behavioral1/memory/2912-8069-0x00007FF77D270000-0x00007FF77D5C1000-memory.dmp	xmrig
behavioral1/memory/3504-8067-0x00007FF7085C0000-0x00007FF708911000-memory.dmp	xmrig
behavioral1/memory/1732-8065-0x00007FF6F9220000-0x00007FF6F9571000-memory.dmp	xmrig
behavioral1/memory/4636-8063-0x00007FF75A8B0000-0x00007FF75AC01000-memory.dmp	xmrig
behavioral1/memory/1524-8064-0x00007FF7491A0000-0x00007FF7494F1000-memory.dmp	xmrig
behavioral1/memory/3532-8062-0x00007FF6D4300000-0x00007FF6D4651000-memory.dmp	xmrig
behavioral1/memory/5584-8106-0x00007FF781360000-0x00007FF7816B1000-memory.dmp	xmrig
behavioral1/memory/624-8091-0x00007FF728F40000-0x00007FF729291000-memory.dmp	xmrig
behavioral1/memory/1576-8077-0x00007FF7D7670000-0x00007FF7D79C1000-memory.dmp	xmrig
behavioral1/memory/1052-8075-0x00007FF64C3B0000-0x00007FF64C701000-memory.dmp	xmrig
behavioral1/memory/2164-8066-0x00007FF6380B0000-0x00007FF638401000-memory.dmp	xmrig
behavioral1/memory/3020-8059-0x00007FF6C08E0000-0x00007FF6C0C31000-memory.dmp	xmrig
behavioral1/memory/4304-8056-0x00007FF630BB0000-0x00007FF630F01000-memory.dmp	xmrig
behavioral1/memory/5368-8035-0x00007FF618290000-0x00007FF6185E1000-memory.dmp	xmrig
behavioral1/memory/2352-8032-0x00007FF7017E0000-0x00007FF701B31000-memory.dmp	xmrig
behavioral1/memory/2420-8029-0x00007FF662E10000-0x00007FF663161000-memory.dmp	xmrig
behavioral1/memory/2012-8024-0x00007FF6981E0000-0x00007FF698531000-memory.dmp	xmrig
behavioral1/memory/856-8023-0x00007FF606630000-0x00007FF606981000-memory.dmp	xmrig
behavioral1/memory/2680-8008-0x00007FF7A4270000-0x00007FF7A45C1000-memory.dmp	xmrig
behavioral1/memory/4032-7996-0x00007FF7367E0000-0x00007FF736B31000-memory.dmp	xmrig
behavioral1/memory/5996-7968-0x00007FF723220000-0x00007FF723571000-memory.dmp	xmrig
behavioral1/memory/5560-7965-0x00007FF727BF0000-0x00007FF727F41000-memory.dmp	xmrig
behavioral1/memory/4908-7958-0x00007FF611500000-0x00007FF611851000-memory.dmp	xmrig

Downloads MZ/PE file 1 IoCs

flow	pid	Process
154	5136	chrome.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ersd.sys	Install.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ersd.sys	Install.exe
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	piehdole.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	piehdole.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	piehdole.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6984	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000024560-2088.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dildo.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
4660	7z2409-x64.exe
4864	7zG.exe
2012	pocio.exe
2768	dam.exe
5696	dam.exe
6140	ahgawruvel.exe
860	patcher.exe
5988	patcher.exe
1792	patcher.exe
2880	patcher.exe
4688	patcher.exe
5124	patcher.exe
2024	patcher.exe
3156	patcher.exe
3648	duppa.exe
5584	NMWsvhU.exe
6020	FTHpbuR.exe
3896	YBbQmGH.exe
5440	FcoppmT.exe
3796	YEgHlyX.exe
3888	xiBdyrv.exe
4908	pcEMoGk.exe
3660	HDCzTMV.exe
5560	ygwerkr.exe
5996	EBssQxF.exe
4104	kfrkNTN.exe
624	MDMqHjd.exe
5488	HDSdjAH.exe
4032	VJBwbJK.exe
2412	vlyUNem.exe
2680	xoojoIG.exe
2356	Hmzlalz.exe
856	ATjrvGN.exe
2012	WRMKpVj.exe
1576	QCxDdhT.exe
2420	YixdVZX.exe
1588	zEoLwUU.exe
2352	RuBKbVo.exe
4304	LCxzzaY.exe
5368	rVhQfUx.exe
1052	BaxoyIP.exe
3020	IuWWvTA.exe
2912	QZwyBML.exe
3504	eqCoygN.exe
2164	CfmJvqF.exe
1732	idxBFgg.exe
1524	TllCsrY.exe
4636	aLHIkkl.exe
3532	dxGJkBw.exe
5556	TnGUQtJ.exe
5912	BLhiLFd.exe
5020	QvmvptN.exe
3428	mLLFGsD.exe
1240	UBKWFOW.exe
5040	wiktorwrubelfutanari.exe
1584	piehdole.exe
2120	pocio.exe
5348	diddi.exe
4996	diddler.exe
4604	~ErrorSafeScannerSetup.exe
4436	is-6EHM6.tmp
2592	piehdole.exe
5892	BLPatch.exe
2948	Install.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ersd.sys	Install.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ersd.sys\ = "Driver"	Install.exe

Loads dropped DLL 64 IoCs

pid	Process
4864	7zG.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
5348	diddi.exe
5348	diddi.exe
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
4436	is-6EHM6.tmp
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
4436	is-6EHM6.tmp
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
4992	SR.exe
4992	SR.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop\\topi/piehdole.exe"	piehdole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ErrorSafe = "C:\\Program Files (x86)\\ErrorSafe\\ers.exe /scan"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	ahgawruvel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop\\topi/piehdole.exe"	piehdole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	patcher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ocny.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ocny.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
126	raw.githubusercontent.com
130	raw.githubusercontent.com
143	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
397	icanhazip.com

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Users\Admin\Desktop\topi\:\autorun.inf	ahgawruvel.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File created	C:\Windows\SysWOW64\is-HELBU.tmp	is-6EHM6.tmp
File created	C:\Windows\SysWOW64\is-OA0LM.tmp	is-6EHM6.tmp
File created	C:\Windows\SysWOW64\is-5T436.tmp	is-6EHM6.tmp
File created	C:\Windows\SysWOW64\is-VNK9U.tmp	is-6EHM6.tmp
File created	C:\Windows\SysWOW64\is-4E8RQ.tmp	is-6EHM6.tmp
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe
File opened for modification	C:\Windows\SysWOW64\:\autorun.inf	patcher.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\topi\\pigdesk.bmp"	piehdole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\topi\\pigdesk.bmp"	piehdole.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002458f-2182.dat	upx
behavioral1/memory/2012-2210-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/files/0x00070000000245a7-2213.dat	upx
behavioral1/memory/2012-3740-0x0000000000400000-0x00000000005BB000-memory.dmp	upx
behavioral1/memory/3648-7911-0x00007FF79D190000-0x00007FF79D4E1000-memory.dmp	upx
behavioral1/files/0x001a000000024614-7915.dat	upx
behavioral1/memory/5584-7927-0x00007FF781360000-0x00007FF7816B1000-memory.dmp	upx
behavioral1/memory/3796-7939-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp	upx
behavioral1/memory/3896-7938-0x00007FF797C10000-0x00007FF797F61000-memory.dmp	upx
behavioral1/memory/6020-7931-0x00007FF6A5800000-0x00007FF6A5B51000-memory.dmp	upx
behavioral1/memory/5440-7943-0x00007FF654990000-0x00007FF654CE1000-memory.dmp	upx
behavioral1/memory/3888-7953-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	upx
behavioral1/memory/4104-7971-0x00007FF7DE540000-0x00007FF7DE891000-memory.dmp	upx
behavioral1/memory/1576-8025-0x00007FF7D7670000-0x00007FF7D79C1000-memory.dmp	upx
behavioral1/memory/1588-8031-0x00007FF7C7B60000-0x00007FF7C7EB1000-memory.dmp	upx
behavioral1/memory/1052-8036-0x00007FF64C3B0000-0x00007FF64C701000-memory.dmp	upx
behavioral1/memory/2912-8037-0x00007FF77D270000-0x00007FF77D5C1000-memory.dmp	upx
behavioral1/memory/2356-8052-0x00007FF747DB0000-0x00007FF748101000-memory.dmp	upx
behavioral1/memory/3648-8107-0x00007FF79D190000-0x00007FF79D4E1000-memory.dmp	upx
behavioral1/memory/3888-8110-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp	upx
behavioral1/memory/5440-8102-0x00007FF654990000-0x00007FF654CE1000-memory.dmp	upx
behavioral1/memory/6020-8101-0x00007FF6A5800000-0x00007FF6A5B51000-memory.dmp	upx
behavioral1/memory/3660-8097-0x00007FF6CDAA0000-0x00007FF6CDDF1000-memory.dmp	upx
behavioral1/memory/4104-8093-0x00007FF7DE540000-0x00007FF7DE891000-memory.dmp	upx
behavioral1/memory/5488-8089-0x00007FF6B3650000-0x00007FF6B39A1000-memory.dmp	upx
behavioral1/memory/2412-8081-0x00007FF7F0B60000-0x00007FF7F0EB1000-memory.dmp	upx
behavioral1/memory/2912-8069-0x00007FF77D270000-0x00007FF77D5C1000-memory.dmp	upx
behavioral1/memory/3504-8067-0x00007FF7085C0000-0x00007FF708911000-memory.dmp	upx
behavioral1/memory/1732-8065-0x00007FF6F9220000-0x00007FF6F9571000-memory.dmp	upx
behavioral1/memory/4636-8063-0x00007FF75A8B0000-0x00007FF75AC01000-memory.dmp	upx
behavioral1/memory/1524-8064-0x00007FF7491A0000-0x00007FF7494F1000-memory.dmp	upx
behavioral1/memory/3532-8062-0x00007FF6D4300000-0x00007FF6D4651000-memory.dmp	upx
behavioral1/memory/5584-8106-0x00007FF781360000-0x00007FF7816B1000-memory.dmp	upx
behavioral1/memory/624-8091-0x00007FF728F40000-0x00007FF729291000-memory.dmp	upx
behavioral1/memory/1576-8077-0x00007FF7D7670000-0x00007FF7D79C1000-memory.dmp	upx
behavioral1/memory/1052-8075-0x00007FF64C3B0000-0x00007FF64C701000-memory.dmp	upx
behavioral1/memory/2164-8066-0x00007FF6380B0000-0x00007FF638401000-memory.dmp	upx
behavioral1/memory/3020-8059-0x00007FF6C08E0000-0x00007FF6C0C31000-memory.dmp	upx
behavioral1/memory/4304-8056-0x00007FF630BB0000-0x00007FF630F01000-memory.dmp	upx
behavioral1/memory/5368-8035-0x00007FF618290000-0x00007FF6185E1000-memory.dmp	upx
behavioral1/memory/2352-8032-0x00007FF7017E0000-0x00007FF701B31000-memory.dmp	upx
behavioral1/memory/2420-8029-0x00007FF662E10000-0x00007FF663161000-memory.dmp	upx
behavioral1/memory/2012-8024-0x00007FF6981E0000-0x00007FF698531000-memory.dmp	upx
behavioral1/memory/856-8023-0x00007FF606630000-0x00007FF606981000-memory.dmp	upx
behavioral1/memory/2680-8008-0x00007FF7A4270000-0x00007FF7A45C1000-memory.dmp	upx
behavioral1/memory/2412-8006-0x00007FF7F0B60000-0x00007FF7F0EB1000-memory.dmp	upx
behavioral1/memory/4032-7996-0x00007FF7367E0000-0x00007FF736B31000-memory.dmp	upx
behavioral1/memory/5488-7995-0x00007FF6B3650000-0x00007FF6B39A1000-memory.dmp	upx
behavioral1/memory/624-7994-0x00007FF728F40000-0x00007FF729291000-memory.dmp	upx
behavioral1/memory/5996-7968-0x00007FF723220000-0x00007FF723571000-memory.dmp	upx
behavioral1/memory/5560-7965-0x00007FF727BF0000-0x00007FF727F41000-memory.dmp	upx
behavioral1/memory/4908-7958-0x00007FF611500000-0x00007FF611851000-memory.dmp	upx
behavioral1/memory/3660-7959-0x00007FF6CDAA0000-0x00007FF6CDDF1000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	pocio.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.exe	patcher.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe	patcher.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\pl.pak.exe	piehdole.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.exe	piehdole.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\resources.pak.exe	patcher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.exe$	patcher.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.exe	piehdole.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	piehdole.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.exe	piehdole.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	patcher.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	patcher.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.exe	pocio.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.exe	pocio.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_100_percent.pak.exe	pocio.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt.exe	ahgawruvel.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ahgawruvel.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.exe	pocio.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\mr.pak.exe	patcher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe$	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.exe	piehdole.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.exe	piehdole.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	patcher.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	pocio.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	pocio.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.exe	pocio.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.exe$	patcher.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.exe	patcher.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\es.pak.exe	patcher.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\zh-CN.pak.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.exe	pocio.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	patcher.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	ahgawruvel.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.exe	patcher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.exe$	patcher.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.exe$	patcher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.exe	patcher.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	patcher.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ahgawruvel.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	piehdole.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	piehdole.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.exe	piehdole.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll	pocio.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe.exe	ahgawruvel.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.exe	ahgawruvel.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	patcher.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.exe	piehdole.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.exe	piehdole.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui	pocio.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\lv.pak.exe	patcher.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.exe$	patcher.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.exe	pocio.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.exe	ahgawruvel.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	patcher.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.exe	patcher.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	patcher.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.exe	piehdole.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	piehdole.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt.exe$	ahgawruvel.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.exe	patcher.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\NMWsvhU.exe	duppa.exe
File created	C:\Windows\System\mLLFGsD.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\uninst.exe	dildo.exe
File created	C:\Windows\System\FTHpbuR.exe	duppa.exe
File created	C:\Windows\System\YBbQmGH.exe	duppa.exe
File created	C:\Windows\System\kfrkNTN.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\ico\2.ico	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\ico\5.ico	dildo.exe
File created	C:\Windows\System\MDMqHjd.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\ico\4.ico	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Help.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\SizeAll.ani	dildo.exe
File created	C:\Windows\System\CfmJvqF.exe	duppa.exe
File created	C:\Windows\System\UBKWFOW.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\ico\1.ico	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Arrow.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\SizeNWSE.ani	dildo.exe
File created	C:\Windows\System\EBssQxF.exe	duppa.exe
File created	C:\Windows\System\vlyUNem.exe	duppa.exe
File created	C:\Windows\System\TnGUQtJ.exe	duppa.exe
File created	C:\Windows\System\QvmvptN.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.msstyles	dildo.exe
File opened for modification	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.url	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.Theme	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\ico\3.ico	dildo.exe
File created	C:\Windows\System\xiBdyrv.exe	duppa.exe
File created	C:\Windows\System\HDSdjAH.exe	duppa.exe
File created	C:\Windows\System\VJBwbJK.exe	duppa.exe
File created	C:\Windows\System\zEoLwUU.exe	duppa.exe
File created	C:\Windows\System\eqCoygN.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\en-US\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.msstyles.mui	dildo.exe
File created	C:\Windows\System\BLhiLFd.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Arrow_Down.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\IBeam.ani	dildo.exe
File created	C:\Windows\System\FcoppmT.exe	duppa.exe
File created	C:\Windows\System\YixdVZX.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\Shell\NormalColor\shellstyle.dll	dildo.exe
File created	C:\Windows\assembly\Desktop.ini	ocny.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.theme	dildo.exe
File created	C:\Windows\System\HDCzTMV.exe	duppa.exe
File created	C:\Windows\System\Hmzlalz.exe	duppa.exe
File opened for modification	C:\Windows\assembly	ocny.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\AppStarting.ani	dildo.exe
File created	C:\Windows\System\IuWWvTA.exe	duppa.exe
File created	C:\Windows\System\ygwerkr.exe	duppa.exe
File created	C:\Windows\System\TllCsrY.exe	duppa.exe
File created	C:\Windows\System\aLHIkkl.exe	duppa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ocny.exe
File created	C:\Windows\System\RuBKbVo.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\NWPen.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\UpArrow.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\Shell\NormalColor\en-US\shellstyle.dll.mui	dildo.exe
File created	C:\Windows\System\ATjrvGN.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Wait.ani	dildo.exe
File created	C:\Windows\System\WRMKpVj.exe	duppa.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\No.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\SizeNESW.ani	dildo.exe
File created	C:\Windows\system\Ö÷ÌâÖ®¼Ò.ico	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Crosshair.ani	dildo.exe
File created	C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\cursor\Hand.ani	dildo.exe
File created	C:\Windows\System\pcEMoGk.exe	duppa.exe
File created	C:\Windows\System\QCxDdhT.exe	duppa.exe
File created	C:\Windows\System\LCxzzaY.exe	duppa.exe
File created	C:\Windows\System\BaxoyIP.exe	duppa.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4640	sc.exe
6268	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
7084	6512	WerFault.exe	325
28560	24720	WerFault.exe	449
7400	28760	WerFault.exe	469
4788	28764	WerFault.exe	470

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diddler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLPatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dildo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahgawruvel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zztt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piehdole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piehdole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiktorwrubelfutanari.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-6EHM6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dildo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~ErrorSafeScannerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diddi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000024ac2-19127.dat	nsis_installer_1
behavioral1/files/0x0008000000024ac2-19127.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
4624	taskkill.exe
456	taskkill.exe
1936	taskkill.exe
5764	taskkill.exe
6420	taskkill.exe
6236	taskkill.exe

Modifies Control Panel 60 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\InactiveTitle = "191 205 219"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonFace = "240 240 240"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonHilight = "255 255 255"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\Menu = "240 240 240"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\Window = "255 255 255"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonLight = "227 227 227"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\InfoText = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Appearance\Current	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\SizeNS.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\WallpaperStyle = "2"	piehdole.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\GrayText = "109 109 109"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\GradientActiveTitle = "185 209 234"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\AppStarting.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\IBeam = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\IBeam.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ActiveTitle = "153 180 209"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonShadow = "160 160 160"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\TitleText = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\InfoWindow = "255 255 225"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\Hand = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\Hand.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\Background = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Appearance\NewCurrent	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\SizeAll.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\InactiveBorder = "244 247 252"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\Hilight = "51 153 255"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonText = "0 0 0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Appearance	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\Wait = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\Wait.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\No = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\No.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\WindowText = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonAlternateFace = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\MenuText = "0 0 0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\InactiveTitleText = "67 78 84"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\WallpaperStyle = "2"	piehdole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\MenuHilight = "51 153 255"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\MenuBar = "240 240 240"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Accessibility\HighContrast	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\WindowFrame = "100 100 100"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ActiveBorder = "180 180 180"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\HilightText = "255 255 255"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\ButtonDkShadow = "105 105 105"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\GradientInactiveTitle = "215 228 242"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\Help = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\Help.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\SizeNWSE.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\TileWallpaper = "2"	piehdole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\AppWorkspace = "171 171 171"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Accessibility\HighContrast\Flags = "126"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\UpArrow.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Desktop\TileWallpaper = "2"	piehdole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\Scrollbar = "200 200 200"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Colors\HotTrackingColor = "0 102 204"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\Crosshair = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\Crosshair.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\SizeNESW.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\Arrow.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\NWPen.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\Resources\\Themes\\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ\\cursor\\SizeWE.ani"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe = "7000"	diddi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{831D3D49-12D6-11F0-AF5D-72529A3F0444} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	diddi.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884105156815898"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DB73EB-4C90-4418-B6AD-10DB22016908}\ProgID\ = "ESdf_fixer.ESFixer.1"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F1F0E23-D988-43C9-9887-1CF6B6697259}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDF78E1B-31A2-4c6e-AD40-0AFCD0D55263}\Programmable	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{21C724D0-B91A-4F35-99E7-55D325F00B20}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CA36000-3320-49D1-BAD1-4C5169D4084A}\TypeLib\ = "{16DEEE6B-AEFC-4BA6-9F32-57BBE6783A7C}"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{692CA430-32C8-470D-BA1F-7E15E21E7043}\1.0\0	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F97E5B38-4887-444A-86F5-91C18331500B}\ = "IFlFixer"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ECC09E1-634B-42AC-8BE7-E6EDBB53C90E}\1.0\0	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05324ED1-05C0-4e3a-A34F-98BFC64426F5}\VersionIndependentProgID\ = "ESFixCore.ESMMFixCore"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}\ = "PSFactoryBuffer"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESMMFixCtrl.ESCoFixEngine\CLSID	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDF78E1B-31A2-4c6e-AD40-0AFCD0D55263}\ = "CoFixEngine Class"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6813BFFD-BE81-4613-B4E6-AA7ED0DA8659}\NumMethods\ = "21"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C833A552-F5AF-4a7b-87B3-6EBDE0DB3B43}\VersionIndependentProgID\ = "ESCompCleanCore.ESCCQuickScan"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D435027-F646-4bf9-B2C5-0EF4940D5CA2}\TypeLib	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1562D24E-F5BF-4BB4-AF4C-BBB610B62638}\TypeLib\Version = "1.0"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F97E5B38-4887-444A-86F5-91C18331500B}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E7A1949-5C0C-45F3-A106-34FE038493EF}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AA76F27-81BC-4C3F-9F24-CB99349C8CC9}\ = "PSFactoryBuffer"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0E2E5AB-C02F-489B-BD7B-58C329F774F3}\ProxyStubClsid32	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0E2E5AB-C02F-489B-BD7B-58C329F774F3}\TypeLib\Version = "1.0"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B869788C-35DF-4104-BACB-8FDB83AFFFFD}	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7CCBD19-2EEA-4B6A-B9BE-E8A68613809C}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D435027-F646-4bf9-B2C5-0EF4940D5CA2}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}\ProxyStubClsid32\ = "{59399E33-FB54-48AB-8AE4-AE108B36DAB4}"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1562D24E-F5BF-4BB4-AF4C-BBB610B62638}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESAppCleaner.1\CLSID\ = "{2B334C22-40CA-438f-913A-61A8105C4CCD}"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12813770-461E-4A9F-8C5B-C227A8E9FBE8}\TypeLib\ = "{F874A0AE-66E8-426B-A3F5-6BA6958DCDBA}"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E7A1949-5C0C-45F3-A106-34FE038493EF}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESdf_fixer.ESFixer\CLSID	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D090E12D-B79C-4B82-A76C-0E3BBE73C9EF}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}\TypeLib	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}\TypeLib\Version = "1.0"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59399E33-FB54-48AB-8AE4-AE108B36DAB4}\ProxyStubClsid32	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESFFWraper.ESFFEnginWraper.1\CLSID\ = "{18A41B20-E519-47a1-B545-FFC200730E9B}"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A1647E8-3EC2-49FE-B632-E12D765FA0CC}\TypeLib\Version = "1.0"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESAppCleaner	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESFixCore.ESMMFixCore	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAE9202-0019-4D30-A5D2-AAF02D4DDC37}\TypeLib	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DAE9202-0019-4D30-A5D2-AAF02D4DDC37}\NumMethods\ = "21"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18A41B20-E519-47a1-B545-FFC200730E9B}\AppID = "{A46851A1-DCA3-4e0b-8A30-44E167DE6C4F}"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D146B7F-FA35-465D-B716-BCBC1F9A92D3}\ProxyStubClsid32	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B334C22-40CA-438f-913A-61A8105C4CCD}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{184B0A26-4C9C-4757-ABF5-4B6AF71F9A45}\ProgID\ = "ESCompCleanCore.ESFileCleaner.1"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESCCQuickScan\ = "CCQuickScan Class"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D435027-F646-4bf9-B2C5-0EF4940D5CA2}\TypeLib\ = "{8ECC09E1-634B-42AC-8BE7-E6EDBB53C90E}"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05324ED1-05C0-4e3a-A34F-98BFC64426F5}\InprocServer32\ = "C:\\Program Files (x86)\\ErrorSafe\\FixCore.dll"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD9421BB-9F96-4272-802F-49BEC746056E}\1.0\FLAGS	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EDF78E1B-31A2-4c6e-AD40-0AFCD0D55263}\MiscStatus\ = "0"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18A41B20-E519-47a1-B545-FFC200730E9B}\InprocServer32\ThreadingModel = "Apartment"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESCompCleanCore.ESFileCleaner\CurVer	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E7A1949-5C0C-45F3-A106-34FE038493EF}\TypeLib\Version = "1.0"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0110779-5F79-4685-9C96-9D99EFD30CA2}	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8ECC09E1-634B-42AC-8BE7-E6EDBB53C90E}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESdf_fixer.ESFixer.1\ = "CFixer Object"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1562D24E-F5BF-4BB4-AF4C-BBB610B62638}\TypeLib	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DAE9202-0019-4D30-A5D2-AAF02D4DDC37}\ = "IFixEngine"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6813BFFD-BE81-4613-B4E6-AA7ED0DA8659}	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESFFWraper.ESFFEnginWraper.1\ = "FFEnginWraper Class"	is-6EHM6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A1647E8-3EC2-49FE-B632-E12D765FA0CC}\ = "_IFFEnginWraperEvents"	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CA36000-3320-49D1-BAD1-4C5169D4084A}\TypeLib	is-6EHM6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43DB73EB-4C90-4418-B6AD-10DB22016908}\ProgID	is-6EHM6.tmp

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\topi\:\autorun.inf	ahgawruvel.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3648	schtasks.exe
5884	schtasks.exe
2560	schtasks.exe
4356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
1584	piehdole.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
5348	diddi.exe
2592	piehdole.exe
2592	piehdole.exe
2592	piehdole.exe
2592	piehdole.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	AutoClicker-3.1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe
Token: SeShutdownPrivilege	2056	chrome.exe
Token: SeCreatePagefilePrivilege	2056	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
4864	7zG.exe
4992	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
4580	OpenWith.exe
6140	ahgawruvel.exe
860	patcher.exe
5988	patcher.exe
1792	patcher.exe
2880	patcher.exe
4688	patcher.exe
5124	patcher.exe
2024	patcher.exe
3156	patcher.exe
5040	wiktorwrubelfutanari.exe
5040	wiktorwrubelfutanari.exe
5040	wiktorwrubelfutanari.exe
1584	piehdole.exe
1584	piehdole.exe
5348	diddi.exe
2592	piehdole.exe
2592	piehdole.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
3488	ERS.exe
5812	dildo.exe
2904	dildo.exe
5812	dildo.exe
5812	dildo.exe
5436	ztt.exe
1500	IEXPLORE.EXE
4992	IEXPLORE.EXE
4992	IEXPLORE.EXE
4992	IEXPLORE.EXE
5248	IEXPLORE.EXE
7132	zztt.exe
5248	IEXPLORE.EXE
5248	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1144	2056	chrome.exe	103
PID 2056 wrote to memory of 1144	2056	chrome.exe	103
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 5136	2056	chrome.exe	105
PID 2056 wrote to memory of 5136	2056	chrome.exe	105
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 1700	2056	chrome.exe	106
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107
PID 2056 wrote to memory of 4132	2056	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd856bdcf8,0x7ffd856bdd04,0x7ffd856bdd10
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1628,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2160,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2424,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4284,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4340 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4716,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5364,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5608,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5636,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5796,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5632,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5940,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5812,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4908,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4876,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5428,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5964,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3684,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3288,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5932,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3224 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3668,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6388,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6408,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6044 /prefetch:2
  2⤵
  PID:3040
- C:\Users\Admin\Downloads\7z2409-x64.exe
  "C:\Users\Admin\Downloads\7z2409-x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3732,i,4810883753267894106,5232386408514799167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:3672

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:920

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\topi\" -an -ai#7zMap5857:82:7zEvent4741
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4864

C:\Users\Admin\Desktop\topi\pocio.exe
"C:\Users\Admin\Desktop\topi\pocio.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Users\Admin\Desktop\topi\dam.exe
"C:\Users\Admin\Desktop\topi\dam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768

C:\Users\Admin\Desktop\topi\dam.exe
"C:\Users\Admin\Desktop\topi\dam.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5696

C:\Users\Admin\Desktop\topi\ahgawruvel.exe
"C:\Users\Admin\Desktop\topi\ahgawruvel.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:5940
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:1860
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:2204
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4380
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4308
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4804
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4896
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4124
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:1944

C:\Users\Admin\Desktop\topi\duppa.exe
"C:\Users\Admin\Desktop\topi\duppa.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3648
- C:\Windows\System\FTHpbuR.exe
  C:\Windows\System\FTHpbuR.exe
  2⤵
  - Executes dropped EXE
  PID:6020
- C:\Windows\System\FcoppmT.exe
  C:\Windows\System\FcoppmT.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Windows\System\NMWsvhU.exe
  C:\Windows\System\NMWsvhU.exe
  2⤵
  - Executes dropped EXE
  PID:5584
- C:\Windows\System\YBbQmGH.exe
  C:\Windows\System\YBbQmGH.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\YEgHlyX.exe
  C:\Windows\System\YEgHlyX.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\xiBdyrv.exe
  C:\Windows\System\xiBdyrv.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\pcEMoGk.exe
  C:\Windows\System\pcEMoGk.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\HDCzTMV.exe
  C:\Windows\System\HDCzTMV.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\ygwerkr.exe
  C:\Windows\System\ygwerkr.exe
  2⤵
  - Executes dropped EXE
  PID:5560
- C:\Windows\System\EBssQxF.exe
  C:\Windows\System\EBssQxF.exe
  2⤵
  - Executes dropped EXE
  PID:5996
- C:\Windows\System\MDMqHjd.exe
  C:\Windows\System\MDMqHjd.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\kfrkNTN.exe
  C:\Windows\System\kfrkNTN.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\HDSdjAH.exe
  C:\Windows\System\HDSdjAH.exe
  2⤵
  - Executes dropped EXE
  PID:5488
- C:\Windows\System\VJBwbJK.exe
  C:\Windows\System\VJBwbJK.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\QCxDdhT.exe
  C:\Windows\System\QCxDdhT.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\vlyUNem.exe
  C:\Windows\System\vlyUNem.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\RuBKbVo.exe
  C:\Windows\System\RuBKbVo.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\xoojoIG.exe
  C:\Windows\System\xoojoIG.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\Hmzlalz.exe
  C:\Windows\System\Hmzlalz.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\ATjrvGN.exe
  C:\Windows\System\ATjrvGN.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\WRMKpVj.exe
  C:\Windows\System\WRMKpVj.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\LCxzzaY.exe
  C:\Windows\System\LCxzzaY.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\rVhQfUx.exe
  C:\Windows\System\rVhQfUx.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System\YixdVZX.exe
  C:\Windows\System\YixdVZX.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\zEoLwUU.exe
  C:\Windows\System\zEoLwUU.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\BaxoyIP.exe
  C:\Windows\System\BaxoyIP.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\IuWWvTA.exe
  C:\Windows\System\IuWWvTA.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\QZwyBML.exe
  C:\Windows\System\QZwyBML.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\eqCoygN.exe
  C:\Windows\System\eqCoygN.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\CfmJvqF.exe
  C:\Windows\System\CfmJvqF.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\idxBFgg.exe
  C:\Windows\System\idxBFgg.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\TllCsrY.exe
  C:\Windows\System\TllCsrY.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\aLHIkkl.exe
  C:\Windows\System\aLHIkkl.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\dxGJkBw.exe
  C:\Windows\System\dxGJkBw.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\TnGUQtJ.exe
  C:\Windows\System\TnGUQtJ.exe
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Windows\System\BLhiLFd.exe
  C:\Windows\System\BLhiLFd.exe
  2⤵
  - Executes dropped EXE
  PID:5912
- C:\Windows\System\QvmvptN.exe
  C:\Windows\System\QvmvptN.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\mLLFGsD.exe
  C:\Windows\System\mLLFGsD.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\UBKWFOW.exe
  C:\Windows\System\UBKWFOW.exe
  2⤵
  - Executes dropped EXE
  PID:1240

C:\Users\Admin\Desktop\topi\wiktorwrubelfutanari.exe
"C:\Users\Admin\Desktop\topi\wiktorwrubelfutanari.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\Desktop\topi\piehdole.exe
"C:\Users\Admin\Desktop\topi\piehdole.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\topi/piehdole.exe
1⤵
PID:5436
- C:\Users\Admin\Desktop\topi\piehdole.exe
  C:\Users\Admin\Desktop\topi/piehdole.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2592

C:\Users\Admin\Desktop\topi\pocio.exe
"C:\Users\Admin\Desktop\topi\pocio.exe"
1⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\Desktop\topi\diddi.exe
"C:\Users\Admin\Desktop\topi\diddi.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Users\Admin\Desktop\topi\diddler.exe
"C:\Users\Admin\Desktop\topi\diddler.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996
- C:\Users\Admin\AppData\Local\Temp\~ErrorSafeScannerSetup.exe
  C:\Users\Admin\AppData\Local\Temp\~ErrorSafeScannerSetup.exe /verysilent /norestart /RESTARTEXITCODE=171
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\is-G42N6.tmp\is-6EHM6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G42N6.tmp\is-6EHM6.tmp" /SL4 $1041E "C:\Users\Admin\AppData\Local\Temp\~ErrorSafeScannerSetup.exe" 1649491 52224 /verysilent /norestart /RESTARTEXITCODE=171
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4436
  - - C:\Program Files (x86)\ErrorSafe\BLPatch.exe
      "C:\Program Files (x86)\ErrorSafe\BLPatch.exe" 1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5892
  - - C:\Program Files (x86)\ErrorSafe\Install.exe
      "C:\Program Files (x86)\ErrorSafe\Install.exe" /i /s
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      System Location Discovery: System Language Discovery
      PID:2948
  - - C:\Program Files (x86)\ErrorSafe\SR.exe
      "C:\Program Files (x86)\ErrorSafe\SR.exe" stats.php?site_id=install&aid={aid}_uers_install_{pcid}_46.0&lid={lid}&affid={affid} -NoCookies
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4992
  - - C:\Program Files (x86)\ErrorSafe\ERS.exe
      "C:\Program Files (x86)\ErrorSafe\ERS.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\ErrorSafe\ers.exe /scan
1⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\topi/piehdole.exe
1⤵
PID:3232

C:\Users\Admin\Desktop\topi\dildo.exe
"C:\Users\Admin\Desktop\topi\dildo.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5812
- C:\Users\Admin\AppData\Roaming\ztt.exe
  C:\Users\Admin\AppData\Roaming\ztt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5436
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\Resources\Themes\åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ.Theme
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:4548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" "www.51ztzj.com/installed_win7.html?=åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1500
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "www.51ztzj.com/installed_win7.html?=åúÐ¡ÃÀµçÄÔÖ÷ÌâÏÂÔØ"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4992 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5248
- C:\Users\Admin\AppData\Roaming\zztt.exe
  C:\Users\Admin\AppData\Roaming\zztt.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7132

C:\Users\Admin\Desktop\topi\ocny.exe
"C:\Users\Admin\Desktop\topi\ocny.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4128
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960

C:\Users\Admin\Desktop\topi\dildo.exe
"C:\Users\Admin\Desktop\topi\dildo.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2904
- C:\Users\Admin\AppData\Roaming\zztt.exe
  C:\Users\Admin\AppData\Roaming\zztt.exe
  2⤵
  PID:5112

C:\Windows\System32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:5324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4304

C:\Program Files (x86)\ErrorSafe\ERS.exe
"C:\Program Files (x86)\ErrorSafe\ERS.exe"
1⤵
PID:4692

C:\Users\Admin\AppData\Roaming\douxiegames\51ztzj.exe
"C:\Users\Admin\AppData\Roaming\douxiegames\51ztzj.exe"
1⤵
PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.51ztzj.com/?dsk
  2⤵
  PID:3476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.51ztzj.com/?dsk
    3⤵
    PID:6240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.hao123.com/?tn=82013038_67_hao_pg
1⤵
PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.hao123.com/?tn=82013038_67_hao_pg
  2⤵
  PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffd843ff208,0x7ffd843ff214,0x7ffd843ff220
    3⤵
    PID:6308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2056,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
    3⤵
    PID:6488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:6500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=2916 /prefetch:8
    3⤵
    PID:6560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:6800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    PID:6808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4300,i,11569885915788014152,2515088604640326940,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:1
    3⤵
    PID:6992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    3⤵
    PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffd843ff208,0x7ffd843ff214,0x7ffd843ff220
      4⤵
      PID:2916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:3
      4⤵
      PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2440,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:2
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2212,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=2912 /prefetch:8
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4116,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
      4⤵
      PID:6380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4100,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
      4⤵
      PID:5216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4100,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4624,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
      4⤵
      PID:6844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4844,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:8
      4⤵
      PID:6532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4852,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:8
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:8
      4⤵
      PID:1240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8
      4⤵
      PID:5104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2316,i,10280107854258375979,18401988460368029172,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      PID:6716

C:\Program Files (x86)\hmrl\hmrl.exe
"C:\Program Files (x86)\hmrl\hmrl.exe"
1⤵
PID:6776
- C:\Program Files (x86)\hmrl\HmClockDate64.exe
  "C:\Program Files (x86)\hmrl\HmClockDate64.exe"
  2⤵
  PID:592

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6900

C:\Users\Admin\Desktop\topi\geege.exe
"C:\Users\Admin\Desktop\topi\geege.exe"
1⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:3368
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  PID:5452

C:\Users\Admin\Desktop\topi\geege.exe
"C:\Users\Admin\Desktop\topi\geege.exe"
1⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:6208
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  PID:7132

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:640

C:\Users\Admin\Desktop\topi\stio.exe
"C:\Users\Admin\Desktop\topi\stio.exe"
1⤵
PID:6512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 540
  2⤵
  - Program crash
  PID:7084

C:\Users\Admin\Desktop\topi\stio.exe
"C:\Users\Admin\Desktop\topi\stio.exe"
1⤵
PID:7088

C:\Users\Admin\Desktop\topi\stio.exe
"C:\Users\Admin\Desktop\topi\stio.exe"
1⤵
PID:6656

C:\Users\Admin\Desktop\topi\pet.exe
"C:\Users\Admin\Desktop\topi\pet.exe"
1⤵
PID:6840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hdmanager.exe
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im mmc.exe
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im mmc.exe
    3⤵
    - Kills process with taskkill
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop WELM
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\sc.exe
    sc stop WELM
    3⤵
    - Launches sc.exe
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete WELM
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\sc.exe
    sc delete WELM
    3⤵
    - Launches sc.exe
    PID:6268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static add policy name=netbc
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add policy name=netbc
    3⤵
    PID:6424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static add filterlist name=block
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static add filteraction name=block action=block
  2⤵
  PID:5776
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filteraction name=block action=block
    3⤵
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
    3⤵
    PID:6400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
  2⤵
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh ipsec static set policy name=netbc assign=y
  2⤵
  PID:6176
- - C:\Windows\SysWOW64\netsh.exe
    netsh ipsec static set policy name=netbc assign=y
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im msiexev.exe
  2⤵
  PID:6616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Chrome"
  2⤵
  PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Windriver"
  2⤵
  PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Chrome" dir=in program="%PROGRAMFILES%\Google\Chrome\Application\chrome.txt" action=allow
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\Program Files (x86)\Google\Chrome\Application\chrome.txt" action=allow
    3⤵
    - Modifies Windows Firewall
    PID:6984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Windriver" dir=in program="%PROGRAMFILES%\Hardware Driver Management\windriver.exe" action=allow
  2⤵
  PID:5020

C:\Users\Admin\Desktop\topi\pecio.exe
"C:\Users\Admin\Desktop\topi\pecio.exe"
1⤵
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:1516
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:4132
- C:\905c0769f9a06c95a24ddf945\patcher.exe
  C:\905c0769f9a06c95a24ddf945\patcher.exe
  2⤵
  PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6512 -ip 6512
1⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
1⤵
PID:400

C:\Users\Admin\Desktop\topi\zkol.exe
"C:\Users\Admin\Desktop\topi\zkol.exe"
1⤵
PID:6648
- C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
  "C:\Windows\System32\IPHLPAPI\SppExtComObj.exe"
  2⤵
  PID:4952

C:\Users\Admin\Desktop\topi\zkol.exe
"C:\Users\Admin\Desktop\topi\zkol.exe"
1⤵
PID:6492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\IPHLPAPI\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\IPHLPAPI\SppExtComObj.exe"
1⤵
PID:1984
- C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
  C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
  2⤵
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\IPHLPAPI\SppExtComObj.exe"
1⤵
PID:7128
- C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
  C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
  2⤵
  PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\900323d723f1dd1206\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\900323d723f1dd1206\winlogon.exe"
1⤵
PID:5152
- C:\900323d723f1dd1206\winlogon.exe
  C:\900323d723f1dd1206\winlogon.exe
  2⤵
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\900323d723f1dd1206\winlogon.exe"
1⤵
PID:2376
- C:\900323d723f1dd1206\winlogon.exe
  C:\900323d723f1dd1206\winlogon.exe
  2⤵
  PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\PerfLogs\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\PerfLogs\msedge.exe"
1⤵
PID:5752
- C:\PerfLogs\msedge.exe
  C:\PerfLogs\msedge.exe
  2⤵
  PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\PerfLogs\msedge.exe"
1⤵
PID:3992
- C:\PerfLogs\msedge.exe
  C:\PerfLogs\msedge.exe
  2⤵
  PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ERS" /sc ONLOGON /tr "'C:\Program Files (x86)\ErrorSafe\support\ERS.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\ErrorSafe\support\ERS.exe"
1⤵
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\ErrorSafe\support\ERS.exe"
1⤵
PID:6476

C:\Users\Admin\Desktop\topi\aro.exe
"C:\Users\Admin\Desktop\topi\aro.exe"
1⤵
PID:4728

C:\Users\Admin\Desktop\topi\aro.exe
"C:\Users\Admin\Desktop\topi\aro.exe"
1⤵
PID:4396

C:\Users\Admin\Desktop\topi\aro.exe
"C:\Users\Admin\Desktop\topi\aro.exe"
1⤵
PID:1624
- C:\Program Files (x86)\ProtectShield\ProtectShield.exe
  "C:\Program Files (x86)\ProtectShield\ProtectShield.exe"
  2⤵
  PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\ProtectShield\ProtectShield.exe -min
1⤵
PID:6224

C:\Windows\Fonts\wuauser.exe
C:\Windows\Fonts\wuauser.exe --server
1⤵
PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hdmanager.exe
    3⤵
    - Kills process with taskkill
    PID:6420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  2⤵
  PID:6868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hdmanager.exe
    3⤵
    - Kills process with taskkill
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  2⤵
  PID:5284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hdmanager.exe
    3⤵
    - Kills process with taskkill
    PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im hdmanager.exe
  2⤵
  PID:5356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im hdmanager.exe
    3⤵
    - Kills process with taskkill
    PID:6236

C:\Users\Admin\Desktop\topi\idl.exe
"C:\Users\Admin\Desktop\topi\idl.exe"
1⤵
PID:6532

C:\Users\Admin\Desktop\topi\idl.exe
"C:\Users\Admin\Desktop\topi\idl.exe"
1⤵
PID:4816

C:\Users\Admin\Desktop\topi\idl.exe
"C:\Users\Admin\Desktop\topi\idl.exe"
1⤵
PID:35708

C:\Users\Admin\Desktop\topi\goo.exe
"C:\Users\Admin\Desktop\topi\goo.exe"
1⤵
PID:19688

C:\Users\Admin\Desktop\topi\goo.exe
"C:\Users\Admin\Desktop\topi\goo.exe"
1⤵
PID:19708

C:\Users\Admin\Desktop\topi\goo.exe
"C:\Users\Admin\Desktop\topi\goo.exe"
1⤵
PID:19748

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:23104

C:\Users\Admin\Desktop\topi\dagaaga.exe
"C:\Users\Admin\Desktop\topi\dagaaga.exe"
1⤵
PID:2772

C:\Users\Admin\Desktop\topi\dagaaga.exe
"C:\Users\Admin\Desktop\topi\dagaaga.exe"
1⤵
PID:24920

C:\Users\Admin\Desktop\topi\dagaaga.exe
"C:\Users\Admin\Desktop\topi\dagaaga.exe"
1⤵
PID:24720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 24720 -s 440
  2⤵
  - Program crash
  PID:28560

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:28172

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\f9942712feee428e8d92ed2e999a7d93 /t 5652 /p 2284
1⤵
PID:28412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 24720 -ip 24720
1⤵
PID:28440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:28748

C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
"C:\Windows\System32\IPHLPAPI\SppExtComObj.exe"
1⤵
PID:28744

C:\900323d723f1dd1206\winlogon.exe
"C:\900323d723f1dd1206\winlogon.exe"
1⤵
PID:28760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 28760 -s 484
  2⤵
  - Program crash
  PID:7400

C:\PerfLogs\msedge.exe
"C:\PerfLogs\msedge.exe"
1⤵
PID:28764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 28764 -s 464
  2⤵
  - Program crash
  PID:4788

C:\Program Files (x86)\ErrorSafe\support\ERS.exe
"C:\Program Files (x86)\ErrorSafe\support\ERS.exe"
1⤵
PID:28768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:29944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:29736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:32164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 28760 -ip 28760
1⤵
PID:7328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 28760 -ip 28760
1⤵
PID:7372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 28764 -ip 28764
1⤵
PID:15688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17372

C:\Windows\System32\IPHLPAPI\SppExtComObj.exe
"C:\Windows\System32\IPHLPAPI\SppExtComObj.exe"
1⤵
PID:17380

C:\900323d723f1dd1206\winlogon.exe
"C:\900323d723f1dd1206\winlogon.exe"
1⤵
PID:17388

C:\PerfLogs\msedge.exe
"C:\PerfLogs\msedge.exe"
1⤵
PID:17396

C:\Program Files (x86)\ErrorSafe\support\ERS.exe
"C:\Program Files (x86)\ErrorSafe\support\ERS.exe"
1⤵
PID:17404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

files/0x000900000002474a-18547.dat

Filesize
15B

MD5
c9ad8ec89301c9d42a8a584e59e3cacf

SHA1
c586f0b62beb18422294e87e7020e93a36e6e8ca

SHA256
437908a8b01e9cf8723951cb6522335e5f9be3558f2199f05e9f95e0d7f4aab2

SHA512
9eaf9403d38ce5aaac9b6b96763f1fb2882ad74e0d681fc1e5746a4e28ca7f06355f434a06ec9a502595d839eac8d204282e75b4dbc2971845178542594b4685

Download Submit
C:\PerfLogs\msedge.exe

Filesize
1.3MB

MD5
9e128e583df82508239fa4364c79cc70

SHA1
cfb65cbcec71eb8b5f6819948b5dad2066f0fa25

SHA256
e1dbadb6b7b77fdf26ea5f1f57e88daa1e22265c186a5c315ec74f5d670fc612

SHA512
5ec233be770e0dccfc41dbf3624955576f7442e042d44da74a79aa9719d69f536c1d7ce04d3971da93d4f9d8083f176fea9a83fc3b5e17b2d4edd99ff02e4ef4

Download Submit
C:\Program Files (x86)\ErrorSafe\ERS.exe

Filesize
1.4MB

MD5
b4dd8463f56f5b011f22ab3a81c33c10

SHA1
54c0cea880a4f3d128f0e5b70abe5f0eb00e4da7

SHA256
88a45117db43397d7bcd90eea23dfee53e25f0cd2f01c308ea7974ade37faa77

SHA512
824ce5e067068790f78b34c9ea59632b30eb7cd9c3999d61ba0714d0f55ab24fcce959dc7b8e03efb1ad9f2ef2f83f32762a59a558b70f786107680e5f93f438

Download Submit
C:\Program Files (x86)\ErrorSafe\ESSPCheck.dll

Filesize
33KB

MD5
e5f5ce819d2e9cac506a14362d257119

SHA1
d1f86e22d31a7691331e2e99aae4b7a9f6c33e34

SHA256
e73284b7c73ac4d6917cbc8b3a747c3525310f407ef7a4fbeb7244ade7ddf121

SHA512
726f474a10f8bea5aaa080a959d81cb1ad551aa106c1fe92d1fb2f754c7fbc732ce2845616f02d884df75dfdf2a3ee17e53f175c4195c1a8634ebd7f6f825d35

Download Submit
C:\Program Files (x86)\ErrorSafe\FFWraper.dll

Filesize
100KB

MD5
22e0bc260df2698e36936f28063eb6cd

SHA1
af5f6c8fbacc9b84e0190e5bcf21f3abae0feda5

SHA256
d3f1aba9803ce5bd1c36254a74135ac732681cd5654d380485e66ea15536a032

SHA512
ea63c0675676ea27dae59151747ddd5ce46ffd2787b5a05818c6174c92e466a3202262e48f3d13864cd2b6f93ae8659d995090551137a5b7c85aa283740c7bd7

Download Submit
C:\Program Files (x86)\ErrorSafe\FixCore.dll

Filesize
54KB

MD5
dcf04e78ce519fdcfa0e16cd84223135

SHA1
2c3d6cc8344079ba338c96cdaf1cf2a8269f3ea7

SHA256
0f74ce376d5df20857b61fcb30df187bde8ffbe8b9863b952ba1c61e54bfd920

SHA512
5143ad0a6198206a0b04c0f571b14d874d54dd2978c115616e14646d4e429c57077062457f661556bb8bccebe3f3080b0fd26d6fe88e8141aaed53431f311de6

Download Submit
C:\Program Files (x86)\ErrorSafe\FlFxr5.dll

Filesize
517KB

MD5
9bb80291a5929d98fdf7df22eb6ee2af

SHA1
ab8cab402c7900b2414fca3807d82dd1bcf9f4e2

SHA256
c7a5f9cc5f9f513c4f15121c19af2ab51313b4e4ce7af333f63bbe13add72893

SHA512
8f561534119c8ace7c183e30566db020a627b062e79d1c182e2276de8b2d5e4f7909fa2b20703619c933c65735b8ecdb6e76ba7b75a906a30e4b6abd45cc8491

Download Submit
C:\Program Files (x86)\ErrorSafe\MMFix.dll

Filesize
112KB

MD5
85ffdb909a6d1529967709d7dfde14a6

SHA1
07f93d1e72714bfe7b77ba188f9e54000435ff6a

SHA256
51a7027aa8b970f3c46da86a388e2d2a474eaf47380ee41c6a35d13e4491c84d

SHA512
2e4e518a101a36623b2d553b8d54ebaafc16669e3adb4ea44004472e4bf9fb1c1736e52599bf79436468d8f56c13f76ddb796c3e70763a82e65551b05479981b

Download Submit
C:\Program Files (x86)\ErrorSafe\df_fixer.dll

Filesize
88KB

MD5
56417a12253753c11875c128ecc364c8

SHA1
18b4cdd942c2e9f294d319e26554f9efbabdc8bc

SHA256
38d5372cc8b0c0f224733be740bbe67c4982441a9f5f20f7c6caaec17c182039

SHA512
86dc24961f1e9516cabe741b893e01d90e6e5d3886ea5712779885809bc08bff8e012a89f2347a8dba5d58f9d3013b552fe0c0e4547881e503691995eef9e758

Download Submit
C:\Program Files (x86)\ErrorSafe\df_proxy.dll

Filesize
40KB

MD5
eb5d24f62bf0dc7e227fa96b72b18517

SHA1
9b374750bf057f252b6688bd45fd32bb4ed42010

SHA256
4b5fb320fd2b2aa3aab6876d9df87aeea4354db146fd14e67fd1aaec6bcb5d61

SHA512
c5ad0f905deecb14c3c329050df473d10d51a6cc93340e0c5afe9e561b8fa80048e1c5f2a71395e66afc4b29f23e2c05a38e9af6be195f650b18ad7af994213b

Download Submit
C:\Program Files (x86)\ErrorSafe\ecc.dll

Filesize
292KB

MD5
f25fc8e1e0af1e8c64578c072d4ecdc3

SHA1
d824b35c0b04f6e86dcb20dbc714f8a5fb5ffa54

SHA256
ab0c9d4c0e15214c2ad76e1db1e1a69f0b61e6412b793884f2361578048b2942

SHA512
8ad9b559526738c139d9655a185a82a841e8f0f3517eca2863ddc102341f47352de866d0a7d39e76e49b709a70acbf03992fd12a3c69e8af89c7ff9866529abc

Download Submit
C:\Program Files (x86)\ProtectShield\ProtectShield.exe

Filesize
751KB

MD5
c4cff103d7f12b02b9646ad790e38857

SHA1
a9523b9eba7944e6d8646fc171d331144edf43ee

SHA256
337ed0906df8a97ca698da0c44499150908139e72223a647bf75204393519d1e

SHA512
018d4aee418a4177619f44e45623529e50305eb70ef7fad7459bc4ec75201054d4cbd5f3f7e69537d15b50ddc667cf622537204dccd492bf3d034f76f7e07a70

Download Submit
C:\Program Files (x86)\ProtectShield\uninstall.exe

Filesize
508KB

MD5
28ca310c03d006dfb261df8778f315e3

SHA1
1f317a14f7a828086aa28e512db76beb3fafb466

SHA256
f5ee57d25dd3417bfe4b493826b9edc9aa54d7b9372072598c9b7d11d9e270b9

SHA512
959a1696554665ccdfa00d5574f7ca3ac0dfb9dee1fb77649f81fd565859b891751c757783c3f434368a351132be6ac3c6432f789baeb82ca62689159ece7918

Download Submit
C:\Program Files (x86)\hmrl\hmrl.exe

Filesize
1.3MB

MD5
fca3276bf8f0f72cb46f7cfc392e9e5e

SHA1
deee7012a9074afb67e8a745345d81c923e7da02

SHA256
1d07769a41ed7a22e9540edea7a6562a3f787decd815b3d287d37700fa362a10

SHA512
4de8376e36cde616c7751cba394444cda977c8720276d50886eded435da350f656e01dae0af27805a75416231e34afa7e067c2ee0bd9f58ff7d7f351a7f1c783

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
1.8MB

MD5
4c55ab4377d59ec7842868eab9480558

SHA1
db4772e7e5afbb38d65527c69cac5de29f677ff8

SHA256
a8ed3ab60eb9a1eafd5104dabe1072f58d9039fb5ca30ebfee3a57eec783acbc

SHA512
e30db2327b829b987fc830906327e2b034142ec07c9faab745facdbb36d6063844175f1cdaa68aa51bc54344b4425d0e38206ec4057f395aa03c64b7e6156295

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
c4aabd70dc28c9516809b775a30fdd3f

SHA1
43804fa264bf00ece1ee23468c309bc1be7c66de

SHA256
882063948d675ee41b5ae68db3e84879350ec81cf88d15b9babf2fa08e332863

SHA512
5a88ec6714c4f78b061aed2f2f9c23e7b69596c1185fcb4b21b4c20c84b262667225cc3f380d6e31a47f54a16dc06e4d6ad82cfca7f499450287164c187cec51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
696KB

MD5
d882650163a8f79c52e48aa9035bacbb

SHA1
9518c39c71af3cc77d7bbb1381160497778c3429

SHA256
07a6236cd92901b459cd015b05f1eeaf9d36e7b11482fcfd2e81cd9ba4767bff

SHA512
8f4604d086bf79dc8f4ad26db2a3af6f724cc683fae2210b1e9e2adf074aad5b11f583af3c30088e5c186e8890f8ddcf32477130d1435c6837457cf6ddaa7ca1

Download Submit
C:\Program Files\7-Zip\Lang\el.txt.exe

Filesize
10B

MD5
b314d269c67cb2ea968879a86adf7b34

SHA1
117bf44662a0948c357d48c3be9575ffa6afbaa6

SHA256
11e4909220869d156df6dc525ec50b3596a917ff5d11a884bf23b96da6a26635

SHA512
26b4b366112d28e3fae79a19262f4f7fe148c687651ce05bb82f8d783d58312947e0f23bc046374810d728b3d6cef80653cc5dc8da65c3370447af4fbf8b305e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll

Filesize
30B

MD5
fca7ee6e9abd945663190f9e0f340fd3

SHA1
3ccab49b3873a3fe846f49050ce05a5109a6aeb7

SHA256
f19ad4046c61f8dacc5db181b32fbad609f3ddaa0074148bd9e6b148b2a25c8b

SHA512
52e9a16afdcf4d1169910ec29b3a2ad9d9a980769c0bddfb49f853b47712259b6347a753569adc113b6785c84636598ad5f75cd88de8ac8e7911438a8da80859

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe

Filesize
25B

MD5
326b5d724288ba0d203331f83abeec64

SHA1
7875ae89ac44212b9cb3cfdc78952799a46fe166

SHA256
738f38bea991ff2a90506c7482eac92f3f6196eb7d6ac63d5d42fff4577a40ef

SHA512
4c94a53d08ee3fbaeef0d25532e6095e54b17ba09dfefe39d1ca7226fa63109c4119c6d50f266df50975d19945d7b3300a901e959a2858b5fd3767cf2f9f8463

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.exe

Filesize
1.2MB

MD5
de8107f77aadf1c6b6c25f3d34076476

SHA1
05dc57464850166e44c00b70ae2151df82f46f46

SHA256
94743c0657488433484917fa7e273e6678aa2be469246ea7e8b912c4021c100e

SHA512
f2513875137d838bcef20f8b2479eb7091cf2b7df7413c67e1e31268dac7c602b2e52fed68907327ba51ba180fdfde71172c411b1f43936a09988bfd8421513b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe

Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe

Filesize
20B

MD5
3e733953af35f3dd6b2266f6bc19ed8a

SHA1
e43f64e05c3e176e5fe863cd1ac613d7907a8b3d

SHA256
f40c24b942d0be990e644f6cf7d942a76e3d2e6fc027ff770c1f9ee454b05631

SHA512
1e606a48b1fcc30b2af81bb926e730baf28051ee6358ebd0b4131cf0ce5ce01ee37ad88f482d1fed658fabc8bdd7ea1d8dbaf0245328faf13a42fb9815c72d40

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4884_510133992\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
69f8b99236ca3044a589e42a2e530c49

SHA1
617dede7c1115c99fe1d26489c39219901efffe9

SHA256
7731a13f10d970dbf8f7dcd1b84365a40002755560ee9675bb7486ce5e49305c

SHA512
79dbf626d15c87fbf2bfa6ccef5050ffa1c1282bb81ca24eae6d5f03309e503f1a5cf217a2683722853b18089e1204aec7025bfb03f6b3decab1a68b2896a607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bd5ae9ce65f77a81324ecd48c50bf70a

SHA1
ed92147f77534ffec6ab8976d687e25e64fff1f2

SHA256
eb64717a455c3cf9dfe1cfd73e38dba7ed5e85b2d5e598c577877216c5a6538a

SHA512
014d0c49ff4873fd3f3f2fbfe7559f7d4256f5131cb446bcb6f53f5cb7869314aa14c6830176b58f5628a6ecc9d9abb8fa4d6bd84cd1490c61d488cf92d473c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
41b24d810754767db926e4ebf5a7a769

SHA1
254de2ec435b06e77341743cbe92460c63454bb8

SHA256
1fdfeac25305ecec82929933f3e61461be4214095db459f2c0a6fe546aa71296

SHA512
b45c03cebe574ddbd36da5863be8a69c737bd7817f1e09bae381201b0e5d95503499f166e8874e2981247f79348e2dd1c2d400dfec42780e85ec606f93d33e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\32bea2e7-889b-4149-a116-a297427f6924.tmp

Filesize
5KB

MD5
fec5c819aac19c70d869aad6204f79ab

SHA1
ade60d685f301c068acf61e908aa2d7ea28df285

SHA256
d354a9a7aea13b3d26c7623600397f56a0f0057a7a7c3fd646cf05c05d28ae02

SHA512
42acfd4ec6b27fd8ca15e8231ab48d955363e0b580f1b16ae44bc10bb7fa3c2e8119090acae4ed0af0b4513714f481e121c80a1d111cee76f7b53e5fc2783b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
64bab53cdab6913e520b8d8d7588e0d5

SHA1
17cc40984b732a1aaa4180fb567e09ddb00db053

SHA256
f38f8c5f594cc9be804e3a755e206461696c43c52c53d58944303ce3f52a4308

SHA512
7087ae052d140aec58eb24993631b80d2a7a22a444a36954607bea04c01c991adc41866edcd8d555251af21d82aa6bd2ff67bf49216b009578318d3d37050c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
19efaa9f0838226810da01aa8eeb3411

SHA1
8fa0fbf089f7c19e5e3a3bec1c3163e50fa0a608

SHA256
8ce645f18da3ccd28b2926d67ebc95a7cf660c26b15c43878d71d109afc07e3a

SHA512
d391742278a654e1b3791110defc696973d24560f0aa88288164c5c4e1e97302dac0ae8bfb7f914948dc08cedba9ea23987d4f45b5149cf2279fe78c8bfab5a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f7207ab36d81813852d32e4c98177bc6

SHA1
f59e35a910129134990811ee521324450899621d

SHA256
688bbbde676aaae92d870c5444c2246daa1102f9dbc19a078aee24aae0a6b589

SHA512
c221f1c96a901475ae917048d3d23e77233c4c4236463560d5baaccda39ba366de69bad8baa795eb5ca9dd0ce6fade4b7df1a31ab2c3c4b0c67048352f5f6667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
7ec0c9d6504fe2c9909011858229fe41

SHA1
0c4f9797ac3a88688ec88fd7180c12508a88e270

SHA256
b17bbcee086877036a9a2cb60378784b429fe5e0c94334b1d0f5ace825504a88

SHA512
14306ffb6b507aec4690c388dd425ced20f9de722be29cb25978e1212836e50a95056b8c989d7a7e434402f477ce4c267a97e68501aa0b9822f0678c7af58ad3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8619c87c319a4e912449f41e5986b5ba

SHA1
063c304f97a49f35a0e082ee74c4acd553631031

SHA256
c03b77721aea9ba18df87b90b9471ea1f97870e37d0fb9f6dcaadd07dd8b8501

SHA512
5482594458d45c4426cd799335b6421ce408c65e7d74ee701cb7f9c3aded38d43d5e2466c79ff0440be25f3341191676fba2d8b2d37b800e70fad12a2073323f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
cb847f03dbf1aa9ba26ce56c4453e58d

SHA1
22a996dbd8ae8820fe70e0a71279ce9c3ced2036

SHA256
1f4c60bf496481d6a30426ef5aec827e672a8fd2b6abc9bf25ef07a0e2fd93b4

SHA512
cd756f8ba6b1d9f6a7fabfd241288880deb64262695977aaa03fc1a190eafab3589f8b418b7d4bf0715e12d0e28a0243cabd6bc40d6823f94f49f7f933b04e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6303f60aa3184ce8aa581dce9a088cd6

SHA1
398e497fb1268a696473e18eb55749ad0d311f1d

SHA256
7d730605e5ff6a7e2efd8eac218723206a865820528d46a499e0e379c69115fe

SHA512
72855b19868b3aa0595594f7d9935ea3f3a0bec961c8771125eaf35e99ef70a416d1b6f144308bf95ae1ed1a5c2091ed87426db3203ba5f90a975a0ba65ccf97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
236fbfaa1a571b53161edc3e19489707

SHA1
2216af997e858cd833be95c3076c41c95c0a54dd

SHA256
245d6ddbbfb4a834fb7837d40bb99ff5f2dbc254fa224258a6788e6f6da45028

SHA512
8c5b41ae7a80c66cb1ad4d715afb11063201af3775ee6fd6b5f0af7d02dd187384506b8b60b32fb2da3a80e032d51c2f54f7aa7c267d07e2b4c9c0b4d1176a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9cb8e0f6b3779c134fe1ebdcd32f77b2

SHA1
988d71c9e5089f54259abad0bdc8cee95ef85956

SHA256
c9547be5d1b261e509ebee19556a27592b95b541731666bc4f6c756dbfc265b3

SHA512
ee5e8444159880aa9faedb01f79bd2ffce04a689dd50b87f7e935bb5d5f679d431c779afe588096165883f03c20c5e59dc867fc9507f42388c685f80e9fed27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5836ab.TMP

Filesize
48B

MD5
092f3a7116e853120ae9b8a1db3c5051

SHA1
6d6a929f6a4784417c88fe13e68ce21b56207ad0

SHA256
52878af6ba9b872719e60a03376f0fb933b74af7b0bb9554b33b915737948eea

SHA512
606201143eed4b4450e7488d4a2b800a6db328ac612d00adb50a4acf69c9dd126b93ade0a40551c7fb606f017310710b93102e5418dd080ffd08ad28742e3f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\7476634a-ab73-4500-822d-9d5774e8761c\0

Filesize
26.9MB

MD5
287005ffff05eaa464984a9871e5fed2

SHA1
2a0f52a1beb4be20f047fe70cf2b9fc49d77f67e

SHA256
e78e3e3448103f3fd23f1d00118f27e53bcc7e33253a5d87f0fcd72be6a85554

SHA512
275fc0a0801155a44c22a882835853ba2045cd9488c13b05b34195a57d63ae306ffd37f8a6373781f604731c8790cea7e8eaacafc782a85e61c52fb89a833b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
151e8ce75da755fe3c8b4832e5a39bb7

SHA1
ccaf3e30a96e0567408266a4c98e8b8ec3207949

SHA256
1d1c1f9880723c8ea3bf347c673e9796ff5ce0be13c1e56fdd7b0ee1298487ac

SHA512
aa825881753242fe24dad79d26d4b066deeb5eed70c0fd496100fd97a10527e43e8cdfe72db633684ee6d9a34cbb2294146a01929e06bbd105f494f406ecf3f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
d9b4dc900f56095acf5ecdf726aef4f0

SHA1
16ba6da27efdc8816a162ae74a2eafef744ec240

SHA256
2b072aa91fccd2e47581fe23e56ba585f54f2dc0b68c2214d6f7b8b250276a48

SHA512
7f91ea418f8d7f43e412f37d8863d31705e2838a2238193c45696efd8ef6a6a1f5bb9eeae0c9960af2442d78bad493047bc57685d0e3e15fdad8c4b8dd4b0f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
192KB

MD5
27165af3f3f29a510e8b527687244939

SHA1
4f0f02f619a73fd3be7670d101d1ba257cd77f8e

SHA256
7101561989dd02dcf3be153d616b4a11ddf8dd1a4bd0723c4d05231119d8a6a4

SHA512
d498867599e7c0ae1aefd66d4b0ed1d5dfb7110db9438113e292405fd79cea09b3614f15fcee03b9b80db20608fedcb4939c0ff4d63e60e2e6e7e73d83489d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d8f9745e91a16acd5a3276dedde6fbde

SHA1
54314732ce02f53429acb8cdedfe179174682cdb

SHA256
03a2d09c2635960d8bca33cd5bf4882c1b5a11586ca465657d9580a080747cbe

SHA512
5fc527c614ea5e2b819b3599b90c403b761d260040b05a97ff28ec742c4200937bbd391442a5648d56ecc5ea7551d27afb19181e493732719cb0a867c38d0688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
690f9d619434781cadb75580a074a84d

SHA1
9c952a5597941ab800cae7262842ab6ac0b82ab1

SHA256
fc2e4954dbe6b72d5b09e1dc6360ea699437a2551355c2950da0b3d3a4779fc1

SHA512
d6b1da8e7febf926e8b6c316164efbbac22c7c3d9e4933a19fffba3d1667e1993cdeb5064aa53816c0c53f9d2c53e204772de987eb18adbb094a0fb84ae61fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
2b267b86917d641943338576c73efa91

SHA1
ef6a7a62e147ede4a283a2eae56c1678fc5feb2d

SHA256
0faa19b245c85071e2d91bc5265003cbbd2318598975f3e97a8912c57120009c

SHA512
27f3a86a3163eb7d9a82e057dedbc181d8fde257b71de95b5417e4629508a940e34a52b05a5ac18e177a87e5e7d657dcedd18e694a013ed91d2e29eba24ffc73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\06a5087e-24f8-4102-a7a0-6c6c09a986c3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
586B

MD5
ea40222f727359426f5b4a6a353e26ec

SHA1
3431e7852f6ce43215cb22082635ce7f4a1f06cc

SHA256
366d81141bba658e714caa5bc48a60efbec29f14f078b47640472bd1839f8be9

SHA512
91820997ddf2bfa7f9807646507f10bc338294f44ab254982524c27860d69ec20503266e3921b3be6006d6f7e6c0168f30a2c514e224cf9ca5d04955ac29d03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9ea2edeab2891faf5ccaeee40a4c9f25

SHA1
a8439767b5c0f573161fec0ffcd76f9ce0cfe696

SHA256
3f061012b721de7f2cff67302a587479407c05de9b31baf308c424352e822180

SHA512
61efabd66295cb698745db5344b512edb7c5a6fba7aa48d04b3afe748916f7c24fb393e5c5ebe8722400eb1e08f2f1a6e2cdbf359130ae398494f83d1e18bccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
636B

MD5
58bac7998aa5674806c7b980791afa61

SHA1
2e7f952a49f21db2a1776162d1cd5cf8b07a4b85

SHA256
3cd86a3a6110a1b67e9fe279d1128ca4a2af63947a34679cca88a912b715d6ad

SHA512
b74659e4ba9e0fdbda9e250b64f09b672cf8be82d55bac5f81fb488891a1f1a58491c41f9f1f5ffe77767c2db5757f724bf2086ef05c623dd62f9d4044e7f0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
468eb96de13b3ecc2ba17b0e9324fdfc

SHA1
e5f590c279608e4fc3ca3ba3dabc05c9bcdfc2dc

SHA256
773533c9883aaf6ac97e3faf0418feb82363416b3678eb068afa27865e045cdb

SHA512
843b9ce94a8ba5da650c02886c7f1b521cb46975256b3f9a8cc5b2dec74cdf19edad9ce257a490f084a6a7dc212c5979c2ba4e937d19849267905d04bf727995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
8d1baef5f407d604f99a2dbfde06e0ec

SHA1
510521fa25ba77a43f9fb702987c460bf0314974

SHA256
11d411b0423f4c817b1814d38e8e2dc2be17591282dc06fc72676842cde3f7af

SHA512
691165047e702c137a8ee7017cf35f14310a02355921336ec1c23beced9744979e10d6d96626029c8b3e26a53e8e01d9e5464bbd9d6b7fe1fd3fc3db26e429a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
6d602bfec07a9c13f8b292189916da93

SHA1
7fbae0fd36719b0b02c3af9bd76d0e8984c1740f

SHA256
efaba76756bcb27e55ffcaed107cd86c374fdac382a8a5252c3637c4068b6806

SHA512
3f8bde51575f6e2205f525f01a47bb082ca755a06063ad4c5755ff9c288a19a0c4b1a3b3a51f94a1f35ce0a4334b6cc646123123d40844b1c6bffd39b128aaff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
39523684a1bb79b461f543faa33cc76d

SHA1
fa5eac62ac0d8bd13d331ea34b2f9e8b30046c6d

SHA256
b803a986e7eaa9ad2717ca6efed3d9d444a5d0b52b425f02f82b0563b7c1f313

SHA512
110654c70948e6bb5e52249ced5f7c1c7babf34a20881353382abc04a29240f2312ba2ca797b0718a6c87ccb3532db52bef928717f53c6294c015d1b72bf13fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
dd1e946db24cf5f88e9bd2a58752f370

SHA1
0531352485c9f9aa37f88acb32c5c62caf93dd25

SHA256
fc0a05701ab9aa497dc1d0ff714c6dd4efb1324644e5de39b5475f43313040e8

SHA512
8f09a9554f9a7c64b4ee42a7e431348511489262699a73fc275f9228dddd343deac1f2213fe1df764ab0681a31c707846897d41e8de0003b77926085271b315d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\b209a5c3-4a45-4082-a71d-b621b1ca56d0.tmp

Filesize
23KB

MD5
30500aeb8059ecf6cbc6c57312123741

SHA1
ffb6efdbfa3700def7738fb672f507d73bbfb19e

SHA256
ede997db6e65073749cc7560b0522fa70157e9a79df332a6060c616bbc01ca6a

SHA512
d1e6596ad3977590ab9372be48f343017c6cca75c6d9fb2b859a36dc0f5ad4effa3cd95d28f695490074873e52db0ff71efdf13cb55db2c4df452c3eac10433f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a4b586aa9e2d057c460d2e8c7aa65ade

SHA1
f7a9b35eb8c81c6c696a6e1e09600e6c36b2b6e9

SHA256
0b37c0ef10c3d729bc49b146e132edc83011678fa3e44c6a54e91e7368cca145

SHA512
bfd9ff32eb592e1165e22ed8794903b952842dc96bd38143751a1050d1faf8058628d7455bdba04c29bd6868396c8ed995ea5543f449ae10ac7e54b2c0f95471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
9bb9e288b867b05f5ef6ae42872ed118

SHA1
08151926d50d62ec4a1da87ff3c69279d03c6946

SHA256
8a4afdef7e1a7c63d4f7fcf8d9264d1ebcb0dd087e2130e82c50448b40c24597

SHA512
d43f4ecff8f8bf9d7593bd6ae407a363ec9d1593e0e91ea83b1cca27eb7ee126fc561323d3634573282629410d0f41244bff93b60a5a7f846a6c0fc3ffcac865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
d78868bb07c4bde84059b1283d0cab5f

SHA1
1397729666671a2a84b4e23785e657f7217bc594

SHA256
56437db307dee008fd37a1c7a6731ae21b51c6e54a1bba2718817c8d66aaa5fb

SHA512
8502a05d62f069e8a8b10e10084b072adb1c233f24880ef565a6853e9ade7b63c2c72b90873aaab6022cde44eef9639f28bfa18a257c5413812542499eb8fb45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2ebea62ed2b5eda81f139c9fcf8af5c7

SHA1
14046ac6f2dd2d222228f5b9688f3c9590d7ae82

SHA256
657c4998590c2f2635920420f59b91c17a814ddc7f3d1a95e4c99c3d253687d5

SHA512
fa9e18a2c9628c4a44e39be9f68f2ecdccd4d41f112023d197b0a09a8c3ee65b65ef4b281fb3d08d869b7235cc071dde483610cb070ec3b92e634f47b3dabdbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7P8EHEOE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
9af268603754879646df08755f4e4fda

SHA1
825cccc71cc9e493fdd55674a43f4163f370b054

SHA256
660624e492c9559226f35034133b2719c3479ec04e690f0f7f0cb6a4db008323

SHA512
1cbb7951b7523ca697fc9c09a7d4cd2b9a4f57f6d3dfa37bafff438fb63968b8de70f15c06976f3ecd04e8426adee7d96440f88709ca8a0cf7591404af47c8b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

Filesize
670KB

MD5
9eb5f69e443e7d835e78519e5f3b3ef4

SHA1
5ba40cd4a127359dbd006eb3b0f800809c138659

SHA256
4aa1fa29fd0a2d15b9204426cfee2e348dcf65f5b444b53fc5425a0418a3fdcd

SHA512
b14fd14a1ac0aa59e0b648b64af0fa4848a4601124fe8b37d0c3f7e4066908237eb1c9d01a43aa45444db104c68380a60e1e1625d1f4eda5d501a3c33206cf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\51ztzj.html

Filesize
72B

MD5
946cd632820b6bf560669ecdf6c7424d

SHA1
827249dba4d6957626aa3b2a1fd792612c1a6e0a

SHA256
c548880c7c1cff3ae37f3c655ea575882e9433927d9bccb9f4c3e6dd3bea71ae

SHA512
d57f684901d129eeb88458c6eb937eda6aa9b6b6e09b12c43d3b1eed3ca88547c3ff71a56d8723f92eb4007e5a38023803c8f676607b816cb27149dd52ac6bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\51ztzj.html

Filesize
72B

MD5
8b51e468aae1a3da8f0f7d7be8b9cef7

SHA1
653ab6c65f319dfc0490fbbfdb669b2ca4882d0c

SHA256
decb84d2fe3f99b24f6109810a5bf9da590016c839f696c0e2163341fe90a43e

SHA512
66d654f5d71976bb0813bcee25aea9fa636e5b3f81c77861fb8a24474260bc650e83187fc72f246d39100ec816e3825218159590259e2d6bf86011609d087813

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\CheckRunVirtual.dll

Filesize
32KB

MD5
a0cb8030c255059749db3bffa0c78956

SHA1
8d945131c91a4bd99f53758d75691349cd4127cb

SHA256
bcd19389fd4e58e552fc45c4222eae3aa70f0e7e1573b2afc8e7ad433f131398

SHA512
b9ad84d528b7b4f95c1ee1b315bc7d76ff3c093e99bbc6b806517742320cd3a592ceb4ab407e1e003b3476e4ee5bc608029c102244ede5fee7fded8ac21e15d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\DialogEx.dll

Filesize
21KB

MD5
2015bb43ab225bebd66bf474df424155

SHA1
3179aae8019577c720bafca7d126574d837ece00

SHA256
0af63a42fb77e2e31eccaea6953c86a461fa1fa82b2471e3493ee66f3e864f3e

SHA512
66567cb93231cfec913463cfc47343844931251ba8e83df0bc67d2ee42fd6fb2eb8d468c9e1af6d2a087701f2e9eb22f0f41bc573f2a471110c422bd54c0815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4C21.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\BrandingURL.dll

Filesize
3KB

MD5
9c3488b5e9655d1837c3963ecec33f70

SHA1
f0fa9b4c29e75c6e4419c4633d09f2797aee2ef3

SHA256
05ef4beb7fab9d04c1fb251874166fa2d73a34b4a7f2b145d37a2fd00c88979a

SHA512
6af9f88d65d2279a71620f2a656062b1737b3a9a1692ed4e5887bdee891ce08d21c5c0b25ab3acbe6da9fe255dcd7f8a517c2751e73dc56add216740c945e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\Delay.dll

Filesize
7KB

MD5
4602d9a9ed82d646522ead08a58536a9

SHA1
b070bad90e13e85c97bd4e530ca7958c22e36a5a

SHA256
b6691bf37f13e37bfc07d45990092fd9398f7eff8cb1bbad05e528def0307c4a

SHA512
5ebad4e83d411799a25b1e462ac3c7683dd0c973f131eed29131af7a240f92f55e6c60b78f96388bf7c4134941353794d79ef6c91476e8def7e5c803544afec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\Splash_YourSplash.bmp

Filesize
341KB

MD5
93744ff88d932cbad4c3a0946c6bffc9

SHA1
7083d2524bb0d426088097a197c6acdc81a05463

SHA256
ad154dc2044336e527ed694c44796856d0a34e995fcfaf29d045f8b2f55b5d63

SHA512
bea2084d864f013dcc44b303464cabc06075d68b35e1e71aa5658f4c5208609daaedf2bbec5852fb72752ff4dbc5ed7dbcdd6bcf549063464dc43f3bc425b57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\ioSpecial.ini

Filesize
661B

MD5
ac438a83776ab8f3361beae3689b1b01

SHA1
346350a2aa95405a4a8a150164d922b012534a5a

SHA256
c4b8dabdc1fa8a1605532ae4c7601c1537abcc57d38241620e5e75e80b140015

SHA512
fdec73db2b05b39cc91cd9cc32b678ab3d50d50d6347bc3115c3d51f3226facda2b174dccbd67c97e86702017927b3517d2125343670e9649d532b7909727762

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\ioSpecial.ini

Filesize
945B

MD5
814d95a3572798c053db0b615355b804

SHA1
46e88bb80e6b30f6c5b25f64437e55ddf060987e

SHA256
9dc4be9b1eff75b3e9ca8e8b9e88b417406abbc59d00ace1217ce713b6332754

SHA512
4aaa4a3b5abf86bc15595620eed0e5b6439945f1f4cc4b60e479966da92b716c066467a179c5b751c87d8a226eda3bccf3e15e8c439356ed25d1e78fb3a69002

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\modern-header.bmp

Filesize
25KB

MD5
3ac3036e6c39dcbefb1b2bd43c8dddf7

SHA1
00a54de19e647040f3c3ce9970b18792ad75e988

SHA256
c024be2e77e3146f39eac94173130101fdeb480b18e362e9a7e06a8ecb2c31b7

SHA512
878f3814c8ea56120493480a07438e1f3ad13f3f7949f923dddc949b8801006605fa9ad3281edcabfcdf8079ea535ec69e754c924314975a4b55640233309ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\modern-wizard.bmp

Filesize
139KB

MD5
2ce68e26970d4ce914e77d9452416f61

SHA1
abdcd60c85d45df6dda792143dd154f7262f0be2

SHA256
b1356d224573881b1e3c6dc349fe6c6369bad4b4e3b580e0dbb1364a5a2f33bd

SHA512
c5211ac6ee9da7ff149e74667af02403ff055f2dac551677e48b1c678ebc80a1417ee4860edc28e19572929b85d2f1c8da1958eb67e1cfbe9ce59896d0ab6bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso909B.tmp\nsWeb.dll

Filesize
8KB

MD5
84bcf3c71e70d5a6e9dc07d70466bdc3

SHA1
31603a1afc2d767a3392d363ff61533beaa25359

SHA256
7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf

SHA512
61aefa3c22d2f66053f568a4cc3a5fc1cf9deb514213b550e5182edcecd88fadf0cb78e7a593e6d4b7261ed1238e7693f1d38170c84a68baf4943c3b9584d48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9752.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9752.tmp\Splash.dll

Filesize
4KB

MD5
ff8340b98dbd0c4f38d06627b97637a4

SHA1
aae736a26fbb1ed5e9fddd956115699a910b3435

SHA256
6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f

SHA512
58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr9752.tmp\ioSpecial.ini

Filesize
661B

MD5
bd50f8f94ebb802bca2581bea40c68e2

SHA1
28de4684ecd0d9d4b92ef1dfe6dda50f7d08bda5

SHA256
420c8156479820a114b9f6492f5d0724bf855d3b83867019925cf9b0fe3e5ad3

SHA512
4d163dc8fa3b340c6e78355e9d4fca0000de58f285330e113b1eab2e193b58a732dfecf0c9738c4bba69d5773c8780737c3232eb42abb15b38eb809d0f5e98cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3A5A.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3A5A.tmp\ioSpecial.ini

Filesize
740B

MD5
980c6c5a1aa5a7ce53880f4237833e67

SHA1
b17073a0046bbc319f9911c59fe9fc2f54abbc46

SHA256
00eed8834bf35ca54d14401f7a3c2d3cd66dc0862296da4a71407563c7e2d384

SHA512
2a214f452fb9a9ffb50ae7d5303162c1d4a5b0437fd5b40f47d279f5617c84f883838322940835bf0e01c8440a96105ef78334963131781e78652d6498638206

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3A5A.tmp\modern-header.bmp

Filesize
25KB

MD5
5f255724570a95d54e771e83d7834822

SHA1
7a13bfc8cab0a91cdb3f74bdec833707121713e8

SHA256
afb843e30af8db4a97b841db378762f215254288697860488ded11d4509170a8

SHA512
a9d1200d380a4190b568dbfdefd832c4429e4c509cb6df67ebb3167de6cb9a892a9741dcc3107d98a4e01ca810f40c621a32018a98474902fe6b1def9b1ca573

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3A5A.tmp\modern-wizard.bmp

Filesize
150KB

MD5
ac0207c6f710753350a2021fb5cf5238

SHA1
78194b5fe635a32e2129f9c5394eeb64a34e1613

SHA256
2685a7aa61446c5aed21d0130653c9f09749e9baf9d9e7e3f406806b35deeb80

SHA512
631ec18634231016ae0e20371dfa89dbd392f235f569c90f533aa252852651b9b754ae01bb1b7bddbfcadfa8c06df19fb60459d6347d087e997209de4d2c51a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3B44.tmp\ioSpecial.ini

Filesize
743B

MD5
14f7b23873b8833053ced520b8d63e4b

SHA1
d3bec5f2907b69ba35a5f32b521bfec0f9592d7c

SHA256
11ed35d12602eb86b78c09e8cd2915c1b0ce983ada2ae4548557b0416f35b19a

SHA512
db2d18c496271d8269a3f8f0a44cc63ad96f1a673705a311ee0d359e27859049055103a7181289b59fb5adc545731bf0b2325aa8529e63858e03358afe9aa519

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3B44.tmp\ioSpecial.ini

Filesize
843B

MD5
2cc59092fdc73cf0f19373aaebd8273c

SHA1
3d9bfcf29b90bc56875a3103dcbb90b46e4dedac

SHA256
92f1504d55d43cabad92bbad72f0652cf96f5998dc7986154b08e961e6551c39

SHA512
477bc7dd37f0a4aaf994bbd2eb63dff6226cd81549f73bfd4d92c0ba4c442e6acf95ec18d471d027fa185214208c258dc81e20e1b24eab7b6d052d34a1df26c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3B44.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2056_835822156\30a399db-5729-4b4f-91b8-048f762c8949.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Roaming\51ztzj.ini

Filesize
175B

MD5
a7e90654cb41ca9f0c37e163513f6351

SHA1
ab962d9d74a8625163dfc03459b8724eaa6b767d

SHA256
b58077b0da7c72f26c5e48cba89423a135704268ff4b000809f2c26f81029d31

SHA512
fd3ab04c939cbb72040e6fb980722f2d0e6a7871d85e4000970334fa70e85023f7ed008910cda66578bd46c64ab0897df7dd2e66f8814f94169c8a42d5afe5b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
106KB

MD5
c1439da106e2ee73557557c9de9b9953

SHA1
7bc557bb61ebc6568791aaf53d6857c46eb28aed

SHA256
32aa4d56901964e165cfecbec48cfa96baa8538905b5abb848c16d6e69a35559

SHA512
f32f456b0c5d440717d94ee1d1b371dc0d3c478b6fea6156fbf274c247c141d55b7106c6e4d96f5990717cd8bb0a52aa12f2550e9034e907f92096a46f6da33d

Download Submit
C:\Users\Admin\Desktop\BackupCheckpoint.pub

Filesize
400KB

MD5
502c25d7414bf366cac39d194356636a

SHA1
200429a1a2453f55863ee1ad241504eebc979239

SHA256
ddf7e39ed4418844d56baa8da6e6e11cab080153f50764818f29bff9d87e4f79

SHA512
d8595320633ea2141b078154edf8939c3bce1f9264267a0418f37c4438b204b9cbbf0b40c88c73b0b322b6da945851178850d33dc27acca7c3096e3988d1a39a

Download Submit
C:\Users\Admin\Desktop\BackupExport.xlsx

Filesize
11KB

MD5
d2e7834e0990018909ec9285237c9882

SHA1
6786c7bebb5ec582805bdd4cd2a00a872aaabd4e

SHA256
d104b43cf90e450ebea480c5e5728158199f66be70c4e7d94a494c65d0dc6f4c

SHA512
5d6c2bc2c80fd1b5360c8b28b15433fb71e7db4ff1f7a3bf4b68095cc5759dafa3298f4ecc5f2527086808145d33f335551f0f975222d8e8b7b4a0dc16b30cec

Download Submit
C:\Users\Admin\Desktop\CheckpointMount.wmf

Filesize
1.2MB

MD5
b1d885f06738d8d160677a1e5d957b22

SHA1
21a342b189edc89be0559ef41ecb7a55112a6e3d

SHA256
569468389caf69b81f7bb9d590d7a5a0c8b99d811e56817c2a940561873a74bb

SHA512
c6b490c65a27804f34f094bed5d91089d6beb3e15812954e4f72a74eb54c7564ac2c2cdc6ab62616494e570623d88ef1ccd5a30734667e3e3aabb9d07a1efc72

Download Submit
C:\Users\Admin\Desktop\CompleteInvoke.xlt

Filesize
826KB

MD5
292226ec5e32f29573b97abf7bf2cf21

SHA1
660afab9fb076247d7df89450a10ed43d10d7d7b

SHA256
0b0892721fddd9ed8723494075814c6a2269c01331ee64d476c8bb2ef8bd9a48

SHA512
5bfdd81019f6dc6aa420ec14d21eb31761f99490110bb9d2d1b42f7b87c4335e7236310dda3d4783193915b6fefa06b573e80f320dd426aadaffe68fa4925179

Download Submit
C:\Users\Admin\Desktop\CompressClose.mov

Filesize
853KB

MD5
c9c9b7fb9f37de459c2d598b902223c9

SHA1
6e98f328d06159f0bad05591b20494ef6054457d

SHA256
197c7e15c10a65e771befd9be3f797d1cb0dc75b99178bceda4f35d6ca43226a

SHA512
9c1608a9b06945e9807f685502b4c0e859ca7c3f1674c98e0c27a2a9bc7d2b0e1fe78d88e3a0775865b4a9b5085bfa92cc06fe5dddd7cbf27321f2585fff50c9

Download Submit
C:\Users\Admin\Desktop\ConfirmEdit.jpeg

Filesize
373KB

MD5
3910512108c298c45acaaf3bbf67ab79

SHA1
af04aa276e100948f6053be7b10a44572c7d32cb

SHA256
c007e0439c256110c9deb14e2bf299ff375fcd453b6aee3c9c4e57776124a179

SHA512
f0c8cda7227516efcc2d2211a9e5a703fea0b5e6c16080d52b25d1cff996e39a9aa9e9b7e6dc511af441beff0c5e8ae9a3f65a52a5aaae2548e9f058abe2b0b0

Download Submit
C:\Users\Admin\Desktop\ConnectRepair.au3

Filesize
586KB

MD5
435423e52d2896f271fba4e737164b9d

SHA1
3c5b074d9a1aa9c74121200444be50b28c02733d

SHA256
de595d780ffb7e9b803bf2ceb2f0efb77a4c5fb2604608a49328c7faec651c95

SHA512
e06684476ee3f7d6c7a6db3cdc2e92107119b68e67c375dd8c387d716f05736f5f994218327128b581af64a194a5214549830d5fea61d3e2e58d5b26376ae216

Download Submit
C:\Users\Admin\Desktop\DebugUse.jpg

Filesize
480KB

MD5
9537380d35c8b4fafcdae5ab34ce2e81

SHA1
f338f2b223839158145d5c3ffcce4b5a004d355c

SHA256
6d3d7650f96c65d77f049293ca56d96a53b4fe76d8421d2c11388118cb17d2ba

SHA512
b1b9f8af637a5f0e1baf27137bef64c6bfe636dee3eb40a6a622c06cf1016ac63d2f4cd4ad49bae98bca53a55ffa39d01f7bb134c3a516758044785881e74201

Download Submit
C:\Users\Admin\Desktop\EditConfirm.tif

Filesize
320KB

MD5
7b28e43f2b2e7f0e48d9f8e8881a156f

SHA1
22a96b1d36a2718cd4473e5c0e0b7d82a64e298f

SHA256
f660b8ee70cd03ccc04e4ca6280b9a8b9939bc023dc7932ae1814f53805d469c

SHA512
38a3a277326f736f2943ac35237827180db6b4d518852f6da990acddcd8550160f257510d238819f11db29859998ad02dd8ece185a53a9cf5234a127171bb2f1

Download Submit
C:\Users\Admin\Desktop\EnableMove.ADTS

Filesize
426KB

MD5
dbf0d615696ba9a1dddb15badc24e0a9

SHA1
737504b875741b7d2077c800f915b79b480d471f

SHA256
8009bddc3205d4818369f9dce6528aeee84cbca3e7043d9fd66d73eaf351011e

SHA512
03c251810e7d3d076a5c46de0695c36c08bc771f492b629f90415f70305fdcbfbef8222a9ef57f3b83a87434832758741ca6d26ecc36d262255614fd1d20825d

Download Submit
C:\Users\Admin\Desktop\ExpandRequest.xlsx

Filesize
11KB

MD5
8ec957bc1f6356b9d5c380b433693ad7

SHA1
4cc4a500c85a8a240767099057791e81dfff43e5

SHA256
ebf471d85033f0067a1b1538712cedadc33ac6e8ce7ef9ce964440b0008bd4ef

SHA512
5249eda24b2de7711bc2223e010694e2ce2da5680e558329d689406812b869606879c2b58e1e959bb06e79c898d1aa9c3c4dc51b4f333760aca6abf0100e76eb

Download Submit
C:\Users\Admin\Desktop\GrantUninstall.avi

Filesize
746KB

MD5
006fb2fd41f7dc9ad53ff17d02f5e2a0

SHA1
87a467ad6c4c648130918f7a5d789e7a1471e225

SHA256
66d402dfad95b340a96231987ada86bed84444b2a61c6fdbe30854d4e1693349

SHA512
94a8096c7d415c82a133b784cce667752c11601ffe6f517ec8e7b94c902e07ef4684c88cc16c8e2c28ecf24b0366bd2715b3a80710570851b71f179f2ce9493f

Download Submit
C:\Users\Admin\Desktop\ImportRegister.m4a

Filesize
506KB

MD5
fc555108c51fcc8c96f94401bf5b6584

SHA1
9f95e2e2b36780ddff2ccef2dfb186728358fdde

SHA256
421af782e4b4d1c0f985979b1d83a7fd0c7975b2278c1960879e8e0d8e914b82

SHA512
0b6166cd6c60db144e87d5686acfc8c57c982f34bd540bc8f27151f8d69752bf4d6571079671717f23a6058db027ea00d3c113d20fe3301da74a5cfbcc9a10a8

Download Submit
C:\Users\Admin\Desktop\InitializeReset.vstx

Filesize
720KB

MD5
78309f7ffd8f87149c5c23b3f1e056e0

SHA1
edaff51fcf2fbfa463c7b209f07948a9bd9b070d

SHA256
2d4d8351e8ec0c8fd26f69ec97178734fdbe08860a42346e7efd8826997a1a09

SHA512
6e2f7fa5d1be461bcbc6afc59e5fda6188994e77152ffc897d26de734d69fb85c41c4493118e5384e63a229cbb75cfa57f5a0760f80be6bec0d7449f30c3bab2

Download Submit
C:\Users\Admin\Desktop\InstallHide.docx

Filesize
13KB

MD5
5167e088cecfbb7d83e95bca036702bc

SHA1
f1774f0fb89443f99c065a4ca48325f485f9916b

SHA256
c22761abba51904c76aebbb42ddebb8c999298a9ba239f1048aeb9fa9467e65f

SHA512
0a0f0b5326be22e994e0aaa0f0e061f1e44d2e83b57dc3a9c041df4fb31c10a9dfa528da31ddf1df9411ed96fb8577157bb33653e34e1d12a33d93738d3038d6

Download Submit
C:\Users\Admin\Desktop\LimitUninstall.sql

Filesize
533KB

MD5
0f8bdea9d891adea203cfaba7f6256e7

SHA1
1250405ae4b0aec8f957f59172d78b361ed8042b

SHA256
d3511c2a243a735ae8552ef025e3c2b9277ff114696d56e1add1051cc6cfe28f

SHA512
4478fbc206612a63fdd1f8faba5e1af96227fc85653ee8ee4015ac7212d4fb01f9f7a97985c32a4b3e548858d8201af0584717f24bc7189b08b1e250b3e19e6e

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
21e08c05415c6fe6d4832be1394462a5

SHA1
8c5a0437439e0b1e5cf2b8a8a6e6082a24f9bd48

SHA256
810f566f359e70e060df65eacd0b7e5d425f352c07d00dae5cfe4f9c05f98503

SHA512
0e11bb3b72910df8440150a860245a90c868c7cd5b5fa7d90c7f24822c54790723c8c608a8a3188e2b29a3c811004675fd415530e58f43c55842f85bb5213c32

Download Submit
C:\Users\Admin\Desktop\MountDismount.html

Filesize
800KB

MD5
f2443dd3ae896362d995f88338e7ff63

SHA1
62df7b41a19f691b007abfe534c42165f9871aa4

SHA256
3ada38f574dd259152aad4350e82181dc978e9783ee47a39d7b6cc9a1fa6a198

SHA512
d689b916d6d75d21873a0c8bf02dc375d9fea68f015c6de68e30a30b9602781f58bd757ae7dcb72c2d9fe02299bb7dcddd3d026e55079b21d22eb03c950700df

Download Submit
C:\Users\Admin\Desktop\PublishRename.tmp

Filesize
773KB

MD5
2efb1963e11cb9060b0d10d3cc29bdc8

SHA1
d80b84b6e964063b5d5e6c1b9ee26dbcf970753c

SHA256
7145451a9fa333047c55ce4517a6d8c0552813c8c083eb55c3e8223e72c9e41a

SHA512
d04af0fc6fe0240f7961e2aecac6edee6f0e54ed17dd017c3305a6526bde2ba68a56f61d26cd366021b52aa949cedc9625940f0492c61231a2481e6d85da5442

Download Submit
C:\Users\Admin\Desktop\RedoCompress.docm

Filesize
666KB

MD5
735dc22b4c76c306accc9868f344480e

SHA1
a0e6b2cd044e5ea54ca56c425b21948f3f8addc4

SHA256
aa86f48922a0973b46fb5eb9f0a1f63974eebef6836d4c3c84d77fce77a24684

SHA512
9aee7e5bdcd7a548601f4547eaa2395a40ccf9abcdbece5b858ceb6e20fbaa45ab99cf4188a531bde56641757150cba102578b46dc6c392f2c263267bb6159bb

Download Submit
C:\Users\Admin\Desktop\RenameFormat.dotm

Filesize
560KB

MD5
3030afaed362bf75895bb4093e22aa65

SHA1
80a8b505a92610c24e7e97d72f76e54f31c3264b

SHA256
7446fae7af9b8d3bd52a3014c4a676f84e4b68a82abd97a4206ac2c29d7247d9

SHA512
1eecdedf403da1c92dd64cbd6aadcc12dd88876379340a285a5d89d762cc607d1baae04d243d503f8f2537e431c3abfe70b90a7f33fd0c005f8cd0177ec2d37f

Download Submit
C:\Users\Admin\Desktop\RenameRepair.odt

Filesize
906KB

MD5
4b20af2e06a443381611f6b2c8ac74e9

SHA1
b00be43bf643b30ae202fcf0b8498418c192aef2

SHA256
9be0f8b9bbba374f03759e92a24fe75e6bbbea554a3143bef0f6691b283cf77d

SHA512
3a96c49d0fe527bee464a73d75c464cf8350ea78db00cca48811cbd4f2be6b9f31e644f87b016ac5c61d6fe1546289b45f0f24b047d38f71b4312d1b484291c1

Download Submit
C:\Users\Admin\Desktop\ResolveUpdate.xht

Filesize
346KB

MD5
6838e7f528d6e8ef4d5fddf0ba80674c

SHA1
f84d57e2ef6cbbda946b850425495f4c71c46457

SHA256
96d4ccdc9a419734953a49df031ebbeeb539c4ba9497c8b1f10ed42a20b5d079

SHA512
c4637fb6df66f59ab36d8165646269c73383e9caf175529372d7fb57f1c5ed36f89ec3dbe37e0c251ed01652e17f858c957b9ddbc9f166f0f2a41025c09441b2

Download Submit
C:\Users\Admin\Desktop\RestoreInitialize.au

Filesize
693KB

MD5
3a62094d223e6d3a3a5ff449d1dea69d

SHA1
3e6dd37615cdc1f2ca6fbe30172c76b989a88382

SHA256
c088bb38d8cecbbf24001b13b20cabbad0ba39774582fd60f4e4a43d56f67fd2

SHA512
911dfdbfc2094e8edf3ef114be55c96803bb86b3c462943b9a518436e5fc981f94478a95eeb9f7ea2a2645c64bc26cd66e3dffec0356a3c07b8837d53386651f

Download Submit
C:\Users\Admin\Desktop\SplitSet.hta

Filesize
453KB

MD5
a291a78608e04bd5ec89ea8f3499d5b9

SHA1
d8d30e24594224feeba5ea33d76e600d95a27587

SHA256
6c83778e006532e01a273877752517bb0339048b18d87df684c46f335aeefcc1

SHA512
5ae833c98b54511e9c4ffc0d3e54bc8d137f9145285dee04bac442ba0ba740c8f3a30dc4b67baa7b96f2a1f378d09db6f73545f0af458968541c8ed9a25a655a

Download Submit
C:\Users\Admin\Desktop\StartStep.docx

Filesize
17KB

MD5
3d5d02cd2fcefdb50a6d3a679cbcf7ac

SHA1
ee94176bdf8cb0a261979325e54a9ce7fd79f0ba

SHA256
ca5986a3ce2c75dfb4339ea4531f0d2ae982363522bf1681586d2af904bfb88b

SHA512
f167e4bd5ee423fcdb704f3675c26f65641e8c39efe32c10cc452bf3ab53f8842e6f05540da15834a9af42d015f1af0dcd965a35a2f7df46a8c3424c46731a98

Download Submit
C:\Users\Admin\Desktop\SuspendCheckpoint.emz

Filesize
880KB

MD5
781503a33dc25af278fde89a126bb205

SHA1
ed26deb48e4ac4dd88a4ab8ab9061c9794bb43f3

SHA256
0dd1b0cd23d54fbfb444b48e5b403fc7c1acaa8021e77860e19e35ec5b66418a

SHA512
e947963e941692b8c37f99b715c1fafab0bc899a03b53d2ddd8f165a5acff63635a22acaf36968c17d330622a9860f05442d51fe2a7555463db024d0376869ba

Download Submit
C:\Users\Admin\Desktop\UndoRequest.docx

Filesize
12KB

MD5
87cebbe3154576c7798680dbe202b6b6

SHA1
1e702d7363dede319556468d8746beaa8a404d99

SHA256
671a4f4b5c38cffaa546d2a9fc9d6ae8464740a9f67bd4e09bf914f03e8c6a78

SHA512
dd4b7b0749d835d194c202e93f92ed29019966bf2937dc9518fe0d5c257d9c768410e317280f857c3cc58ee64ce59045cf3326b9569fc051bae61ecddea9e173

Download Submit
C:\Users\Admin\Desktop\UninstallGroup.tif

Filesize
613KB

MD5
4197f9af76239b562d6cbffd72f09e76

SHA1
49c5d5029947d3028af5f0319829564ca84ee7ec

SHA256
448ba4932a114085de58d0e7360f2ee8ee83d330d06714873569f3ac615ef513

SHA512
e0e7711a7ff3f846ee7efb145aa49446c91cd26bdbdbef2b985e5c7f3ab6fefd3af280aaf8db6ace196f9a3f3dcf42b512e9b354dd4643d09291a579d71fa3ff

Download Submit
C:\Users\Admin\Desktop\UninstallSkip.eprtx

Filesize
640KB

MD5
d69d06cb3d668c755bd2870d08ae9183

SHA1
a399f12623f2f7d16f5df72bd1e8c565633e55cd

SHA256
72181db20c061cea55f2403dd879f8a053ecf426fb7c98c8b66e5ae6fb19f692

SHA512
a7383c42f16f7d35a66c895e44404d5b07547fd33fe5eb111cde1a9c2ad28887854c4e7ed4540a274a17b82e23a19a325d2834a5077ecfe7e31b5cab808b69f9

Download Submit
C:\Users\Admin\Desktop\UnregisterComplete.xlsx

Filesize
11KB

MD5
bb9c5b9ccc9ed9b81f437da085ff1b07

SHA1
b9c5a22edb41287ac2fa20e4744d95186ba703ec

SHA256
baacf8cfe77925f7c017f777a45ac0bbcc755437ef9f70ae393f414e5c5c9500

SHA512
97bbecca947d192bf59b49116749e9cf7e8237bc4c14f7c30815a99643f24721507413d0f488ba1a55331a2fd512ea66701083e8d61815d9c94fe5cddb1b05ce

Download Submit
C:\Users\Admin\Desktop\topi\20ca1f8c5fcf963fbbb10b527d041847.vir

Filesize
252KB

MD5
20ca1f8c5fcf963fbbb10b527d041847

SHA1
e6444518f375bc8d874d221d7f5661e80f740662

SHA256
393ecb019a145a62b32efee66c6086943945e869f848b42d4c72f4a0d3fe3ba3

SHA512
a0a78c8ef3793fb631ca3da1cbd49f517c360301d07db352228ceb30458db520402bda28784ebf6371592743f16e3dcf5034997c01806ff71b7b6bbef58d93a6

Download Submit
C:\Users\Admin\Desktop\topi\2a6db6ab86ab610982ba517dfcc73d91.vir

Filesize
420KB

MD5
2a6db6ab86ab610982ba517dfcc73d91

SHA1
06969d60c0c153f4a4cfcd32417d02498948c019

SHA256
88384f143df60d5ae4a2fcee570d867754c292efd96f2bb90581e8af7ac6bb58

SHA512
09fa8e1ab24953595a26f4c9575265b8b953a9492145d75f0a3a09e4e62210ff65dd30f02335f4111e27d523368a7a8f5f24ddfeec8e8b1bed77020dc3798651

Download Submit
C:\Users\Admin\Desktop\topi\2ab252c9b35bb25faabb4312f5df87ec.vir

Filesize
156KB

MD5
2ab252c9b35bb25faabb4312f5df87ec

SHA1
b6e17906d46b5c72f20851d665bff0bd3e7a89b2

SHA256
ef488003dd1a25457db9362cdd4b0747e441f7e8da37053b0318a0e205f575f0

SHA512
7dfc7b04d63489718eda236faaf65fbdeac0b76777ba2316e7526d973c605117b543629a260172b7b801b995bd9a6ee7bd1bc1ed709f000181dd4a2445dd2d7c

Download Submit
C:\Users\Admin\Desktop\topi\558b05e59b333aef5224e1da7d03f2e9.vir

Filesize
120KB

MD5
558b05e59b333aef5224e1da7d03f2e9

SHA1
d68e616cbf0b22680de34c4d3615cbfc866176bc

SHA256
55120454e6afa0416c07b905d38434768542cd93b36279bcdbc0a894854b7d11

SHA512
5ccffff98ac76452c802ff92cd566fff0ede3312ab2fcf5e379906c20412c56d4f6a5be71c2bf9f2cec90ec718fcef3bdfc321e6b969e556692c5f3b2d1d3fa9

Download Submit
C:\Users\Admin\Desktop\topi\6567ee3c90682ce956df2af88ac6d0d0.vir

Filesize
61KB

MD5
6567ee3c90682ce956df2af88ac6d0d0

SHA1
b907e266b4af7cdd5fe96488cc365fc4e41e31f6

SHA256
63bc229bdc039252c49a63b31d8c3a73542535c51153e408de55c8490a3ce24d

SHA512
23fa8de59c14c2abeedf6ba16dbcb15bc0f1a065335bdb57fe8cd42005197c5cba748af3ebea39f61c74583c45479d88895b93e797145af8a3de5a8e93929acf

Download Submit
C:\Users\Admin\Desktop\topi\6fdb9a5243232703b13cadc5cccfa253.vir

Filesize
288KB

MD5
6fdb9a5243232703b13cadc5cccfa253

SHA1
694d077a54a46daee4880633a38e0804fca88060

SHA256
16f97b141fcce54f677ab3c97901059705244b5e09f5c353b3ae99bfd9c8aa45

SHA512
929df3212c7e7222008e8e944e5a778582aa09c18e0afbaf4fa45bfda617dfa0d8a9a9381c4ab0ae7b7c75168b295483930326e0a7ffe2e3fb7957dab4a05e67

Download Submit
C:\Users\Admin\Desktop\topi\8b71967467522258a92a8d5dd734d565.vir

Filesize
120KB

MD5
8b71967467522258a92a8d5dd734d565

SHA1
5b40b3789f5fd3ba26493fd7a6b4c46848941914

SHA256
ee9a580245ff7bf4465b122a2bc3ef9c731daeb06897ea34579c009bc9fe988b

SHA512
81d669c56464d2c3c302360bbeafa5a7443e20c3cd4dfb80cc3cd28b736434d2b66789bed02571c4ff62a91e82bc811edf38202a4f3fa135e5075550d2035450

Download Submit
C:\Users\Admin\Desktop\topi\8d1d6e7c36bc9c97338a71c862dc52a0.vir

Filesize
153KB

MD5
8d1d6e7c36bc9c97338a71c862dc52a0

SHA1
ea0cd6c2983a4fda97302cf338b3fbac20a3cc1e

SHA256
636f404892310f7f7cbffd013d5ebd5895b309af2b0bb18814e52c5548e4d4a6

SHA512
fe89091867ddfb2e9b8a94edaf5c5d56d61fffa5dd9f604013ebfd19498625d5d0a8c7db0ae4c215bbe00c2c6682a90137abc91de24c89d16dbcd0f961194923

Download Submit
C:\Users\Admin\Desktop\topi\8e300a75d4dc0bb5ad7ca16f3b982c4d.vir

Filesize
1.5MB

MD5
8e300a75d4dc0bb5ad7ca16f3b982c4d

SHA1
acb3a0014a41c7002507281fa203051c2bfd6df7

SHA256
0e6b7297e0d268689c958889a39733a7367e6836eadd82c475f577f26b64d7de

SHA512
f0f5b84911bf027b2af783d10b23e2711a43fa7492dc7058d0a64bc109f06ed5f4f32c82bea73861c3786956783c7bd73cff5d1c359729a1a672dbb5312c725b

Download Submit
C:\Users\Admin\Desktop\topi\a99c10cb9713770b9e7dda376cddee3a.vir

Filesize
611KB

MD5
a99c10cb9713770b9e7dda376cddee3a

SHA1
1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

SHA256
92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

SHA512
1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

Download Submit
C:\Users\Admin\Desktop\topi\cdb1365059c0e4973843dc0d0955bfbc.vir

Filesize
3.0MB

MD5
cdb1365059c0e4973843dc0d0955bfbc

SHA1
eaa991e3a9c57302f31ac5faba09d7f00f65c8b6

SHA256
1a880b81f53f4c162e7c90d098c185da9cc936988f0ea4fdb278c661d68f9996

SHA512
17d136b87efde90b50daccb84bd85dd09706af14ee5a2a963655ec2df06aa3173915ccb479010098061dbf079c716197d6a311eff3b0c722daf46c00295af4eb

Download Submit
C:\Users\Admin\Desktop\topi\d11cb523b9e2dcedff41c5346a48cc1f.vir

Filesize
180KB

MD5
d11cb523b9e2dcedff41c5346a48cc1f

SHA1
ed5458e2e82effe7c2eef1123956e108ed71c4e1

SHA256
7b86c29435cd174c8ac5bd80e5b77206d0fb7f95774e85ff407e644e0f46fae3

SHA512
28a4e41a729cef7f16a82595e9c69b70c0836a44c66b7381facb904a2845f403a53b39e1ed76ccaef6571eed029f158c343486f2f16b6b1103623efadcd852ed

Download Submit
C:\Users\Admin\Desktop\topi\d1955d1092f0615321bc60e5abd0d8cd.vir

Filesize
2.6MB

MD5
d1955d1092f0615321bc60e5abd0d8cd

SHA1
7e6d20b24d216628f0e7f81015a4f518af075575

SHA256
e1c0d8c1dddbf7cab773d14a60e8e342456a7c80f4b8cc7630927824506819a0

SHA512
cbf7c61868f9a97bc2aa2dc3b72f0227024e7bbf1d0e0c6f899408e6e7fd9202912c817a32bb6d917f1caa27be7c1749eb4681f91edefcfe41a31ed87fc57b14

Download Submit
C:\Users\Admin\Desktop\topi\d872770d3857a675142f706098e45fe8.vir

Filesize
1.0MB

MD5
d872770d3857a675142f706098e45fe8

SHA1
22ac9e35784e8804a1631556bbfca4801a92b322

SHA256
4f5ad84afbc4c814cac687912c528bbb0b6b926f94a0d7352fdd72c503bb6c61

SHA512
3c55158a2fcf92e20d2498c76c12ae887380b6b6293a83992e5c60e5df2c140b06b45c2f367de79fa961e5cfc8f46ed2c472d70c6fc0c5eb26263dfa7b11ab75

Download Submit
C:\Users\Admin\Desktop\topi\d9985f2669dadd11b529f6492198bde0.vir

Filesize
2.8MB

MD5
d9985f2669dadd11b529f6492198bde0

SHA1
401cde3ac2615da2ac121a297a79877e133ceacd

SHA256
227471b4cc68a25874e21e585bdcdf4e42905a291f293f8c549499df0a6cda56

SHA512
a2b53bcb111f326e5475013a0b5babfb95e2edbecabd7bd8120618cbb74a14172e39e5d0db2af6fc6776ec25992fc36634485c177a4f40ae84ec5a2d622c5c84

Download Submit
C:\Users\Admin\Desktop\topi\dad3b507b3519774672e6221a254f560.vir

Filesize
138KB

MD5
dad3b507b3519774672e6221a254f560

SHA1
6a7715c7615db96a73d41f32d0298a476c54d46c

SHA256
64fe980df1cb38cdd29a1d27b70719241b3052281795fd1654638ff47e37aa27

SHA512
85691b29b64b985d0e55872e52e6de7069a9f60b9f4ff1a7795c90290ae9bf06c9379dc857685041635ebbef50ac5e3160cd74ca2bde49037d5e92ee1a198264

Download Submit
C:\Users\Admin\Desktop\topi\deace9a9a08bd89616a9cc3ca1bac700.vir

Filesize
745KB

MD5
deace9a9a08bd89616a9cc3ca1bac700

SHA1
3ed1cf370a297fb653a8331ad370ba6f9f8c919c

SHA256
29a0b87b8495891215d3f7f2d9a7299ff5ad1c78aeecd078a4ee22c67abca3a5

SHA512
695612512c2e6eefe24610cd1f7271e79a4173d8a0046da14a5f90b847717b468211f4ef0bbf361fea954ff1491afc42ebe71f64d54fb269a3bbd7210f2fb30c

Download Submit
C:\Users\Admin\Desktop\topi\f77f8f2151012a32813ed0181c205882.vir

Filesize
560KB

MD5
f77f8f2151012a32813ed0181c205882

SHA1
6d652b36b38fc352060050f2608975749aae32b5

SHA256
dbd4052fc52d018d93db9ace8d02f3642320305677e070516fdcbf7effa34d82

SHA512
feec9974d0f5f3dc927d22b075d3dc7a3f7d33ef24d111be7d428a287dc3d604f14714a81144eb8ade7677d68a79c474083c2838e2c7735132dafdf4face5581

Download Submit
C:\Users\Admin\Desktop\topi\f9d77633d4548da678bd382fb41d33c7.vir

Filesize
484KB

MD5
f9d77633d4548da678bd382fb41d33c7

SHA1
18da4ee8292d3c3ef91a27ea3812802ab91a001a

SHA256
736e213b45a7a12511b3a7ce3aba2510996802ab14ede208817e85eb38e14f1b

SHA512
f8f965383b7e706ccbc959ecdc6365abc6a415c560b0e8bd9dd913b4e53116565779d89ea9f079775aae434d0682399b104bc3beb99962bc9ea05470a215dfa3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 533186.crdownload

Filesize
1.6MB

MD5
6c73cc4c494be8f4e680de1a20262c8a

SHA1
28b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0

SHA256
bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e

SHA512
2e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
1ad7963d7d64054c7659f5ce08150dc6

SHA1
d9f6f73a60ad588b851baed121f331be92e8fa8c

SHA256
f6539fbe7dd8f16a6feac18b4796eed13f499eff550490c63e0d96bf5fd592c3

SHA512
1a70f620725d106a82caa40fe5c807b0f6daeca291c29310f851965a2e57dd9eeb01a70a5d4d41d69e5296724d4fbc2858415f0c83ff73c543a6bb758aadb007

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
a81b66d361314a41db60f28e0baf065e

SHA1
1c31de170991c58f6bd27845257c069c690a2244

SHA256
721a41524bbb2fadcc8f7bc317e843ab852fec7ee58fd675c2b45c147df1a8a7

SHA512
1c61a901743c9d26d5780b66cd529600ebbf0c9d71683feb61555a037b1f9360011d507a9ca01f2b038e8ef780dd0ad43b86aa79d8dbde5fd81e235475a9f591

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
03ad57d797ea6d5fbfcc6b5fa20a0b28

SHA1
c96da6b2f03f5c3bd4dd26f082a967844e8cddd0

SHA256
b24bf689b5cc3e4165318630dbb1d01c2cd446ccabb6e2efcfd40bdc3773623e

SHA512
22859c53814ebdb997e5921656cea7751fa4ca32563ae5b66cb31c414c9be4b6ed4fdede66aa93647ed0605c3f8d73d54a12fecf14484103328cb844e7377dd2

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
a08181197090bb61d65d9e398a8b6746

SHA1
d141b7351e185e5451e6db145a84d2713325ddde

SHA256
e5d5019389c5c00233ba6636fa6fba752c64263b59c7cba0b661b40d3bd8e11f

SHA512
acd3846096f2654bc4a218dd08e909d76c6bf26c89ce90f3b2a6b1a855002a2815179e3219e4d88823277d0afa13609a68f0bb95be953ed0305a46a8b86c96d1

Download Submit
C:\Windows\SysWOW64\atl71.dll

Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
C:\Windows\SysWOW64\drivers\spo0lve.exe

Filesize
1.8MB

MD5
06038ed7357e8d00e0fcef11800dfb40

SHA1
4b885a0e2fa5b59338622ef7f2859c232d7ab7c6

SHA256
d85c8bbec339bdefe5e4c4409816554173974ffccd31272d5fcf138d022122d2

SHA512
6200aa51102d71eca42ecebd04253ce915244ef86a8409d6a3e86c9402e7081f3b4bebdfa9718543df3d332b17e6ec758d9556c533493d945905656108c72cbc

Download Submit
C:\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\System\FcoppmT.exe

Filesize
1.6MB

MD5
38721d577d556246d682d325afde717e

SHA1
2a39a88e3b8072196bd97b2f3b20bacb3200d701

SHA256
6369a9833f611be1eace1df462a7fae52fe283a393cbef732c88c14b71b797bb

SHA512
558d09de12a9d55d6fda632e500bd21a7e610edfd55e15ce8a6ea7b33c5ee1546d4d7a4389da1e2cfa6623a7b5bbda6294678f3d5b0aa732855eb25b8a6176d9

Download Submit
memory/624-8091-0x00007FF728F40000-0x00007FF729291000-memory.dmp

Filesize
3.3MB

Download
memory/624-7994-0x00007FF728F40000-0x00007FF729291000-memory.dmp

Filesize
3.3MB

Download
memory/856-8023-0x00007FF606630000-0x00007FF606981000-memory.dmp

Filesize
3.3MB

Download
memory/860-6809-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1052-8036-0x00007FF64C3B0000-0x00007FF64C701000-memory.dmp

Filesize
3.3MB

Download
memory/1052-8075-0x00007FF64C3B0000-0x00007FF64C701000-memory.dmp

Filesize
3.3MB

Download
memory/1524-8064-0x00007FF7491A0000-0x00007FF7494F1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-8025-0x00007FF7D7670000-0x00007FF7D79C1000-memory.dmp

Filesize
3.3MB

Download
memory/1576-8077-0x00007FF7D7670000-0x00007FF7D79C1000-memory.dmp

Filesize
3.3MB

Download
memory/1588-8031-0x00007FF7C7B60000-0x00007FF7C7EB1000-memory.dmp

Filesize
3.3MB

Download
memory/1732-8065-0x00007FF6F9220000-0x00007FF6F9571000-memory.dmp

Filesize
3.3MB

Download
memory/1792-6919-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2012-8024-0x00007FF6981E0000-0x00007FF698531000-memory.dmp

Filesize
3.3MB

Download
memory/2012-3740-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2012-2210-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2024-6916-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2024-13518-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2164-8066-0x00007FF6380B0000-0x00007FF638401000-memory.dmp

Filesize
3.3MB

Download
memory/2352-8032-0x00007FF7017E0000-0x00007FF701B31000-memory.dmp

Filesize
3.3MB

Download
memory/2356-8052-0x00007FF747DB0000-0x00007FF748101000-memory.dmp

Filesize
3.3MB

Download
memory/2412-8006-0x00007FF7F0B60000-0x00007FF7F0EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-8081-0x00007FF7F0B60000-0x00007FF7F0EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-8029-0x00007FF662E10000-0x00007FF663161000-memory.dmp

Filesize
3.3MB

Download
memory/2680-8008-0x00007FF7A4270000-0x00007FF7A45C1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-5743-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2880-5390-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2880-6927-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2912-8069-0x00007FF77D270000-0x00007FF77D5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-8037-0x00007FF77D270000-0x00007FF77D5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-8059-0x00007FF6C08E0000-0x00007FF6C0C31000-memory.dmp

Filesize
3.3MB

Download
memory/3156-7070-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3156-13565-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3504-8067-0x00007FF7085C0000-0x00007FF708911000-memory.dmp

Filesize
3.3MB

Download
memory/3532-8062-0x00007FF6D4300000-0x00007FF6D4651000-memory.dmp

Filesize
3.3MB

Download
memory/3648-7912-0x000001FA8CAE0000-0x000001FA8CAF0000-memory.dmp

Filesize
64KB

Download
memory/3648-7911-0x00007FF79D190000-0x00007FF79D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-8107-0x00007FF79D190000-0x00007FF79D4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-8097-0x00007FF6CDAA0000-0x00007FF6CDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-7959-0x00007FF6CDAA0000-0x00007FF6CDDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-7939-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-7953-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp

Filesize
3.3MB

Download
memory/3888-8110-0x00007FF6367B0000-0x00007FF636B01000-memory.dmp

Filesize
3.3MB

Download
memory/3896-7938-0x00007FF797C10000-0x00007FF797F61000-memory.dmp

Filesize
3.3MB

Download
memory/4032-7996-0x00007FF7367E0000-0x00007FF736B31000-memory.dmp

Filesize
3.3MB

Download
memory/4104-7971-0x00007FF7DE540000-0x00007FF7DE891000-memory.dmp

Filesize
3.3MB

Download
memory/4104-8093-0x00007FF7DE540000-0x00007FF7DE891000-memory.dmp

Filesize
3.3MB

Download
memory/4304-8056-0x00007FF630BB0000-0x00007FF630F01000-memory.dmp

Filesize
3.3MB

Download
memory/4636-8063-0x00007FF75A8B0000-0x00007FF75AC01000-memory.dmp

Filesize
3.3MB

Download
memory/4688-7634-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4688-6242-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4908-7958-0x00007FF611500000-0x00007FF611851000-memory.dmp

Filesize
3.3MB

Download
memory/5124-7880-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5124-6784-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5368-8035-0x00007FF618290000-0x00007FF6185E1000-memory.dmp

Filesize
3.3MB

Download
memory/5440-7943-0x00007FF654990000-0x00007FF654CE1000-memory.dmp

Filesize
3.3MB

Download
memory/5440-8102-0x00007FF654990000-0x00007FF654CE1000-memory.dmp

Filesize
3.3MB

Download
memory/5488-7995-0x00007FF6B3650000-0x00007FF6B39A1000-memory.dmp

Filesize
3.3MB

Download
memory/5488-8089-0x00007FF6B3650000-0x00007FF6B39A1000-memory.dmp

Filesize
3.3MB

Download
memory/5560-7965-0x00007FF727BF0000-0x00007FF727F41000-memory.dmp

Filesize
3.3MB

Download
memory/5584-8106-0x00007FF781360000-0x00007FF7816B1000-memory.dmp

Filesize
3.3MB

Download
memory/5584-7927-0x00007FF781360000-0x00007FF7816B1000-memory.dmp

Filesize
3.3MB

Download
memory/5696-6157-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5988-6915-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5988-3749-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5996-7968-0x00007FF723220000-0x00007FF723571000-memory.dmp

Filesize
3.3MB

Download
memory/6020-8101-0x00007FF6A5800000-0x00007FF6A5B51000-memory.dmp

Filesize
3.3MB

Download
memory/6020-7931-0x00007FF6A5800000-0x00007FF6A5B51000-memory.dmp

Filesize
3.3MB

Download
memory/6140-6808-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/6140-3741-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/6648-18737-0x0000000000AF0000-0x0000000000C48000-memory.dmp

Filesize
1.3MB

Download
memory/6648-18766-0x0000000002D50000-0x0000000002D5A000-memory.dmp

Filesize
40KB

Download
memory/6648-18747-0x0000000001580000-0x0000000001588000-memory.dmp

Filesize
32KB

Download
memory/6648-18746-0x0000000001570000-0x0000000001580000-memory.dmp

Filesize
64KB

Download
memory/6648-18760-0x0000000002BD0000-0x0000000002BDA000-memory.dmp

Filesize
40KB

Download
memory/6648-18762-0x0000000002BF0000-0x0000000002BFC000-memory.dmp

Filesize
48KB

Download
memory/6648-18763-0x0000000002C10000-0x0000000002C1A000-memory.dmp

Filesize
40KB

Download
memory/6648-18761-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/6648-18764-0x0000000002C20000-0x0000000002C28000-memory.dmp

Filesize
32KB

Download
memory/6648-18752-0x0000000001590000-0x000000000159C000-memory.dmp

Filesize
48KB

Download
memory/6648-18765-0x0000000002C30000-0x0000000002C3C000-memory.dmp

Filesize
48KB

Download
memory/6648-18751-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

Filesize
48KB

Download