Trojan.FakeMS

By JubileeX in Backdoors

Translate To:

Threat Scorecard

Popularity Rank:	97
Threat Level:	80 % (High)
Infected Computers:	1,726,950

First Seen:	May 18, 2012
Last Seen:	February 7, 2026
OS(es) Affected:	Windows

What is Trojan.FakeMS?

Trojan.FakeMS is a threatening computer program that masquerades as a legitimate Microsoft application. It is designed to gain access to a user's system and collect sensitive information, such as passwords, financial data or other confidential information. The Trojan also can be used to install additional malware on the infected system, which can further compromise the security of the user's data and personal information. It is typically spread through malicious websites, email attachments, or instant messages. Once installed, it can be difficult to detect and remove from the system without specialized anti-malware software, which makes it even more threatening.

Why Trojan.FakeMS is Threatening

Trojan.FakeMS is difficult to detect and remove from the system without specialized anti-malware software, making it even more dangerous. It may be spread through peer-to-peer networks and removable media, such as USB drives, making it even easier for attackers to gain access to a user's

What Harm Trojan.FakeMS will Cause Once Inside a Computer?

Once inside a computer, Trojan.FakeMS can create various files, including corrupted executables, Registry entries, and other unsafe components. It also may create hidden folders or files to conceal its presence. Additionally, it may modify existing system files or install additional malware on the system to further compromise the security of the user's data and personal information.

Are There Other Threats Similar to Trojam.FakeMSs?

Yes, there are other threats similar to Trojan.FakeMS. These include Trojans such as Zeus, SpyEye, and Citadel; ransomware such as CryptoLocker and CryptoWall; and rootkits such as TDSS and ZeroAccess. All of these threatening programs can be used to gain access to a user's system without their knowledge or permission, collect sensitive information, or install additional malware on the infected system.

How a Computer Gets Infected with Trojan.FakeMS

A computer can get infected with Trojan.FakeMS through various means, such as downloading corrupted files from the Internet, opening suspicious email attachments, or visiting unsafe websites. Additionally, it can be spread through peer-to-peer networks and removable media such as USB drives. It is essential to practice safe browsing habits and use an up-to-date anti-malware program to protect your system from this threat.

Is Trojan.FakeMS Easily Detectable?

No, Trojan.FakeMS is not easily detectable. It can be difficult to detect and remove from the system without specialized anti-malware software. Additionally, it can masquerade as a legitimate Microsoft application, making it even harder to detect.

How Can I Get Rid of a Trojan.FakeMS Infection

To get rid of a Trojan.FakeMS infection, it is essential to use an up-to-date anti-malware program that is capable of detecting and removing the threat. Additionally, users should practice safe browsing habits and avoid downloading files from suspicious websites or opening email attachments from unknown sources. It also is recommended to regularly scan your system with an anti-malware program to detect any potential threats.

SpyHunter Detects & Remove Trojan.FakeMS

File System Details

Trojan.FakeMS may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	CheckUpdate.exe	a1de3affe5d4abbfee86b3151ca91c66	608
Name: CheckUpdate.exe MD5: a1de3affe5d4abbfee86b3151ca91c66 Size: 1.17 MB (1174984 bytes) Detections: 608 Type: Executable File Path: %WINDIR%\SysWOW64\CheckUpdate.exe Group: Malware file Last Updated: December 14, 2022
2.	scheduled.exe	ea2e720fa23a60db8b01c5fadd142a6c	384
Name: scheduled.exe MD5: ea2e720fa23a60db8b01c5fadd142a6c Size: 4.74 MB (4748288 bytes) Detections: 384 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\local\temp\csrss\scheduled.exe Group: Malware file Last Updated: March 28, 2022
3.	randprocobolmainof.exe	454d3e45ead4e29ab2975a76a827dccb	347
Name: randprocobolmainof.exe MD5: 454d3e45ead4e29ab2975a76a827dccb Size: 737.79 KB (737792 bytes) Detections: 347 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\randpapkamainof\randprocobolmainof.exe Group: Malware file Last Updated: August 5, 2020
4.	33wae02h.exe	54088027902cf33e9c8e7a3df952acea	300
Name: 33wae02h.exe MD5: 54088027902cf33e9c8e7a3df952acea Size: 375.29 KB (375296 bytes) Detections: 300 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\33wae02h.exe Group: Malware file Last Updated: April 15, 2021
5.	printui.exe	24ae321e8f573320e3956ca139b12934	237
Name: printui.exe MD5: 24ae321e8f573320e3956ca139b12934 Size: 317.61 KB (317613 bytes) Detections: 237 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\drpsu\programs\printui.exe Group: Malware file Last Updated: August 5, 2020
6.	DA6F.tmp.exe	a3dc08d765e92c1148bad891ab226744	128
Name: DA6F.tmp.exe MD5: a3dc08d765e92c1148bad891ab226744 Size: 4.95 MB (4950528 bytes) Detections: 128 Type: Executable File Path: C:\Windows.old.000\Users\<username>\AppData\Local\Temp\DA6F.tmp.exe Group: Malware file Last Updated: May 24, 2022
7.	refhostMonitorcommonHostCrt.exe	0db7ad191d4abeb532538025b8cd5593	128
Name: refhostMonitorcommonHostCrt.exe MD5: 0db7ad191d4abeb532538025b8cd5593 Size: 2.15 MB (2157056 bytes) Detections: 128 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\refhostMonitorcommonHostCrt.exe Group: Malware file Last Updated: November 28, 2024
8.	adobeupd.exe	4bff0dbfb415b978c07deaf854c0d9f7	117
Name: adobeupd.exe MD5: 4bff0dbfb415b978c07deaf854c0d9f7 Size: 2.79 MB (2791936 bytes) Detections: 117 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft\adobeupd.exe Group: Malware file Last Updated: August 7, 2020
9.	defender.exe	046ff5ae29d6e6f5ff669e5296024d49	71
Name: defender.exe MD5: 046ff5ae29d6e6f5ff669e5296024d49 Size: 544.76 KB (544768 bytes) Detections: 71 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows defender\defender.exe Group: Malware file Last Updated: October 19, 2022
10.	explore.exe	a8c10a968795762ce899809cddb3cf34	53
Name: explore.exe MD5: a8c10a968795762ce899809cddb3cf34 Size: 169.47 KB (169472 bytes) Detections: 53 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\Microsoft\explore.exe Group: Malware file Last Updated: October 24, 2025
11.	WindowsLauncher.exe	93e070e1b2de8ac3a5c182105e4a2ec8	36
Name: WindowsLauncher.exe MD5: 93e070e1b2de8ac3a5c182105e4a2ec8 Size: 135.68 KB (135680 bytes) Detections: 36 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe Group: Malware file Last Updated: June 26, 2020
12.	prevhost.exe	c16e90c7f2c9765d0ba552dde5568ce2	33
Name: prevhost.exe MD5: c16e90c7f2c9765d0ba552dde5568ce2 Size: 7.07 MB (7073280 bytes) Detections: 33 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Hosts\prevhost.exe Group: Malware file Last Updated: July 30, 2025
13.	Microsoft Edge.exe	d8ae303458059a9b17e4047d40bd74c1	28
Name: Microsoft Edge.exe MD5: d8ae303458059a9b17e4047d40bd74c1 Size: 331.77 KB (331776 bytes) Detections: 28 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft Edge.exe Group: Malware file Last Updated: June 26, 2020
14.	TSTheme.exe	bc6c04a9d6dd8f9387f0615bf91f6811	25
Name: TSTheme.exe MD5: bc6c04a9d6dd8f9387f0615bf91f6811 Size: 7.07 MB (7078912 bytes) Detections: 25 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\tstheme\TSTheme.exe Group: Malware file Last Updated: December 5, 2022
15.	svehost.exe	59fab2d31ab0ef21322a6fb39c0c5184	11
Name: svehost.exe MD5: 59fab2d31ab0ef21322a6fb39c0c5184 Size: 885.76 KB (885760 bytes) Detections: 11 Type: Executable File Path: C:\WINDOWS\SysWOW64 Group: Malware file Last Updated: February 25, 2020
16.	NTKernel.exe	9221b095e34bfd26f8d61b21d940ca03	9
Name: NTKernel.exe MD5: 9221b095e34bfd26f8d61b21d940ca03 Size: 303.1 KB (303104 bytes) Detections: 9 Type: Executable File Path: C:\Windows\SysWOW64\NT Kernel Group: Malware file Last Updated: October 24, 2025
17.	LocalHost.exe	c5b5fc27d65e400964a21e712c165dcb	8
Name: LocalHost.exe MD5: c5b5fc27d65e400964a21e712c165dcb Size: 19.96 KB (19968 bytes) Detections: 8 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LocalHost.exe Group: Malware file Last Updated: September 10, 2020
18.	msupdate.exe	72dffcc28ee645887c10b1a94b6bf7d0	8
Name: msupdate.exe MD5: 72dffcc28ee645887c10b1a94b6bf7d0 Size: 57.34 KB (57344 bytes) Detections: 8 Type: Executable File Path: c:\windows\system32 Group: Malware file Last Updated: February 24, 2020
19.	svchostsw.exe	3a06a9e14f6e83a201d4b7801d6ab951	6
Name: svchostsw.exe MD5: 3a06a9e14f6e83a201d4b7801d6ab951 Size: 4.15 MB (4155847 bytes) Detections: 6 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft\windows\start menu\programs\startup Group: Malware file Last Updated: July 10, 2019
20.	conhos.exe	c2675fdbb25e8fe4c74e9ccc788693ad	5
Name: conhos.exe MD5: c2675fdbb25e8fe4c74e9ccc788693ad Size: 1.34 MB (1344512 bytes) Detections: 5 Type: Executable File Path: c:\windows Group: Malware file Last Updated: October 14, 2018
21.	hosted.exe	750f18f50256db37748db93eacb83aed	5
Name: hosted.exe MD5: 750f18f50256db37748db93eacb83aed Size: 1.28 MB (1282560 bytes) Detections: 5 Type: Executable File Path: %WINDIR%\hosted\hosted.exe Group: Malware file Last Updated: June 26, 2020
22.	wmmvsvc.dll	76598a5c7e4146b2b92145b7547c80fa	4
Name: wmmvsvc.dll MD5: 76598a5c7e4146b2b92145b7547c80fa Size: 91.66 KB (91664 bytes) Detections: 4 Type: Dynamic link library Path: %WINDIR%\syswow64\wmmvsvc.dll Group: Malware file Last Updated: June 26, 2020
23.	scardprv.dll	116ab6dc2d06ca2c862c42830d3c2564	4
Name: scardprv.dll MD5: 116ab6dc2d06ca2c862c42830d3c2564 Size: 81.92 KB (81920 bytes) Detections: 4 Type: Dynamic link library Path: %WINDIR%\syswow64\scardprv.dll Group: Malware file Last Updated: June 26, 2020
24.	winstarup.exe	30b3119f4a8ab1b85776d8eb217ddef5	4
Name: winstarup.exe MD5: 30b3119f4a8ab1b85776d8eb217ddef5 Size: 557.05 KB (557056 bytes) Detections: 4 Type: Executable File Path: C:\Users\<username>\AppData\Local\Temp\winstarup Group: Malware file Last Updated: February 6, 2019
25.	microsoft.system.exe	5c84ec832661facef227d82e23c00c3f	3
Name: microsoft.system.exe MD5: 5c84ec832661facef227d82e23c00c3f Size: 275.96 KB (275968 bytes) Detections: 3 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft.system.exe Group: Malware file Last Updated: June 26, 2020
26.	aahk.dll	b629d1747542961b578a0d3af9860a68	2
Name: aahk.dll MD5: b629d1747542961b578a0d3af9860a68 Size: 19.45 KB (19456 bytes) Detections: 2 Type: Dynamic link library Path: C:\Windows\SysWOW64\aahk.dll Group: Malware file Last Updated: May 4, 2021
27.	public.exe	22e55e5562d5ed28c5d9462c4e6d75aa	1
Name: public.exe MD5: 22e55e5562d5ed28c5d9462c4e6d75aa Size: 528.38 KB (528384 bytes) Detections: 1 Type: Executable File Path: %PUBLIC% Group: Malware file Last Updated: October 30, 2018
28.	windows_update.exe	d2884b9122db206f950de9568f8c0ff8	1
Name: windows_update.exe MD5: d2884b9122db206f950de9568f8c0ff8 Size: 100.35 KB (100352 bytes) Detections: 1 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\microsoft\windows\start menu\programs\startup Group: Malware file Last Updated: December 27, 2018
29.	%programfiles\Trojan.FakeMS.kd\uninstall.exe
Name: %programfiles\Trojan.FakeMS.kd\uninstall.exe Type: Executable File Group: Malware file
30.	%desktop%\Trojan.FakeMS.kd.lnk
Name: %desktop%\Trojan.FakeMS.kd.lnk Type: Shortcut Group: Malware file
31.	%programfiles\Trojan.FakeMS.kd\activate.ico
Name: %programfiles\Trojan.FakeMS.kd\activate.ico Group: Malware file
32.	%commonprograms%\Trojan.FakeMS.kd\Trojan.FakeMS.kd support.lnk
Name: %commonprograms%\Trojan.FakeMS.kd\Trojan.FakeMS.kd support.lnk Type: Shortcut Group: Malware file
33.	%desktop%\Trojan.FakeMS.kd support.lnk
Name: %desktop%\Trojan.FakeMS.kd support.lnk Type: Shortcut Group: Malware file
34.	%programfiles\Trojan.FakeMS.kd\about.ico
Name: %programfiles\Trojan.FakeMS.kd\about.ico Group: Malware file
35.	%commonprograms%\Trojan.FakeMS.kd\about.lnk
Name: %commonprograms%\Trojan.FakeMS.kd\about.lnk Type: Shortcut Group: Malware file
36.	%commonprograms%\Trojan.FakeMS.kd\Trojan.FakeMS.kd.lnk
Name: %commonprograms%\Trojan.FakeMS.kd\Trojan.FakeMS.kd.lnk Type: Shortcut Group: Malware file
37.	%appdata%\microsoft\internet explorer\quick launch\Trojan.FakeMS.kd.lnk
Name: %appdata%\microsoft\internet explorer\quick launch\Trojan.FakeMS.kd.lnk Type: Shortcut Group: Malware file
38.	%programfiles\Trojan.FakeMS.kd\update.ico
Name: %programfiles\Trojan.FakeMS.kd\update.ico Group: Malware file
39.	%programfiles\Trojan.FakeMS.kd\virus.mp3
Name: %programfiles\Trojan.FakeMS.kd\virus.mp3 Group: Malware file
40.	%commonprograms%\Trojan.FakeMS.kd\update.lnk
Name: %commonprograms%\Trojan.FakeMS.kd\update.lnk Type: Shortcut Group: Malware file

More files

Registry Details

Trojan.FakeMS may create the following registry entry or registry entries:

File name without path

1saas.exe

1sass.exe

adobe update.com

chorme.exe

Chrome updater.exe

Chrome updaters.exe

code new.exe

collectchromefingerprint.exe

conhst.exe

covid.exe

crrcs.exe

crss.vbs

cspsvc.exe

d1lhots.exe

default.vbe

Dfnder windows.exe

DispleyService.exe

dllhost.vbs

dllhostn.exe

dllwindefender.exe

doc.vbs

drf.url

drfhost.url

EXPL0RER.exe

explerer.exe

google chorme.vbs

google chrome.vbs

Google Crash Handler.exe

google.com.exe

Isasss.exe

Microsoft Edge.exe

microsoft onedrive.exe

Microsoft Startup.lnk

microsoft windows protocol services host.exe

Microsoft-Windows-Update.exe

Microsoft.vbe

microsofthost.exe

MicrosoftStores.exe

Mozilla.vb

Mozilla.vbs

mssecsvr.exe

mstsc.vbs

mvlc.vbs

NetworkConfigurationSvc.exe

notepad.vbs

One Drive Up-Date.exe

outlook.vbs

payment invoice.exe

r.vbe

RecoveryDriveDel.exe

registeryfixer.vbs

rundll3.0.exe

Runtime Broker.exe

scmvhosts.exe

script.vbs

scrss.exe

scvrrv.exe

Security Protection Windows.pif

Service Host Network Service.exe

servisc.exe

sihost64.exe

spolsv.exe

spoolsvc.exe

spoolsvc.url

srchost.exe

start bot.js

svcchost.exe

svchcst.exe

svchoct.exe

svchosst.exe

svchost..exe

svchost.exe.exe

svchost_.exe

svchost_ms.exe

svchoste.exe

svchostt.exe

svchostwindows.vbs

svchots.exe

svchtisks.exe

svchоst.exe

svcpool.exe

svcpool.vbs

svcsystem.vbs

svhosts.exe

svсhоst.com

System-Registry.exe

system32_.exe

taskmqr.exe

taskost.exe

virtualhostsupdate.exe

Wiindows.exe

windefender.exe

WinDefenderSrvc.vbs

Windows 32.vbs

windows defender update.vbs

Windows host service .exe

Windows Host Sync.exe

windows host.exe

Windows Modules Installer Worker.exe

windows search activity.exe

Windows Security Health Service.exe

Windows Security Shell.exe

Windows Security Update.pif

windows security.exe

Windows Update Registry.exe

windows update.exe

windows updates service.vbe

windows.bat

windows.networking.hostname.exe

Windows.Shell.Search.UriHandler.exe

windows.system.exe

Windows10Update.vbe

Windows32.exe

WindowsAutoUpdate.exe

WindowsSecurityService.exe

windowssupportdll32.dll

WindowsSystemczx.exe

windowsupdate.vbs

windowsvc.exe

winhlp.exe

winmain64.exe

WMPDMC.url

wocualts.exe

wrshost.exe

Regexp file mask

%allusersprofile%\application data\soft.exe

%ALLUSERSPROFILE%\Application Data\taskhost.exe

%allusersprofile%\application data\windows\dlhosts.exe

%ALLUSERSPROFILE%\Microsoft System Diagnostic.exe

%ALLUSERSPROFILE%\Microsoft\Client\rundll32.exe

%ALLUSERSPROFILE%\NetFramework\mscore.exe

%allusersprofile%\ntoskrnl.exe

%ALLUSERSPROFILE%\ProgramData.exe

%allusersprofile%\soft.exe

%allusersprofile%\sql.exe

%ALLUSERSPROFILE%\Start Menu\Programs\Startup\sysdll.exe

%allusersprofile%\svchoste.exe

%ALLUSERSPROFILE%\taskhost.exe

%ALLUSERSPROFILE%\taskmanager.exe

%allusersprofile%\windows\dlhosts.exe

%ALLUSERSPROFILE%\windows\profile\dllhostn.exe

%ALLUSERSPROFILE%\windows\profile\host.exe

%ALLUSERSPROFILE%\Windows\Profile\winlogin.exe

%allusersprofile%\windows\takshost.exe

%allusersprofile%\windows\windows defender.exe

%allusersprofile%\windows\windows search activity.exe

%ALLUSERSPROFILE%\wuauclt.exe

%appdata%\.minecraft\assets\virtual\legacy\dllhost.exe

%appdata%\.minecraft\assets\virtual\legacy\music\igfxtray.exe

%appdata%\[RANDOM CHARACTERS].cpl

%appdata%\cexplorer.exe

%APPDATA%\cftmon.exe

%APPDATA%\defenderupdater.vbs

%APPDATA%\Discord.exe

%APPDATA%\dll.vbs

%appdata%\drivers\drivers.exe

%appdata%\hkcmd.exe

%appdata%\java\svchost.exe

%APPDATA%\JetBrains\PrivacyPolicy\dllhost.exe

%APPDATA%\Media Center Programs\[RANDOM CHARACTERS]host.exe

%APPDATA%\Media Center Programs\vbs.vbs

%appdata%\media\svchost.exe

%appdata%\microsoft onedrive.exe

%appdata%\microsoft\config.ini

%appdata%\microsoft\intel\intel.exe

%APPDATA%\microsoft\microsoft.vbs

%APPDATA%\Microsoft\office\svchost.exe

%appdata%\microsoft\securedata\ushell.exe

%APPDATA%\Microsoft\SetingSync64.exe

%appdata%\microsoft\soundmodule\soundmodule.exe

%APPDATA%\microsoft\windows\ctfmon.exe

%APPDATA%\Microsoft\Windows\Driver\cuda\crss.exe

%appdata%\microsoft\windows\helpers.exe

%APPDATA%\microsoft\windows\lsass.exe

%appdata%\microsoft\windows\runtime\csrss.exe

%appdata%\microsoft\windows\start menu\conhost.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\1svhost.exe

%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS].cpl

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS].vbs

%appdata%\microsoft\windows\start menu\programs\startup\[RANDOM CHARACTERS]service.exe

%appdata%\microsoft\windows\start menu\programs\startup\chrome updater.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\crypt[RANDOM CHARACTERS].vbs

%APPDATA%\microsoft\windows\start menu\programs\startup\crypted.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.vbs

%appdata%\microsoft\windows\start menu\programs\startup\empty.pif

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\intel.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Api.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft[RANDOM CHARACTERS].vbs

%APPDATA%\microsoft\windows\start menu\programs\startup\ms_office.exe

%appdata%\microsoft\windows\start menu\programs\startup\mscorsvw.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.lnk

%appdata%\microsoft\windows\start menu\programs\startup\run.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\system.exe

%appdata%\microsoft\windows\start menu\programs\startup\taskhost.exe

%appdata%\microsoft\windows\start menu\programs\startup\taskmgr.exe

%appdata%\microsoft\windows\start menu\programs\startup\updates.vbs

%appdata%\microsoft\windows\start menu\programs\startup\url.url

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vbs.vbs

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wina.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.url

%appdata%\microsoft\windows\start menu\programs\startup\windowssrv[RANDOM CHARACTERS].exe

%appdata%\microsoft\windows\start menu\programs\startup\windowsupdater.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winupdsvcs.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wuauclt.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\x[RANDOM CHARACTERS].vbs

%appdata%\microsoft\windows\svchost.exe

%appdata%\microsoft\windows\templates\wincontroler.exe

%appdata%\microsoft\windows\templates\wincontroller.exe

%APPDATA%\microsoft\windows\themes\win64.exe

%APPDATA%\microsoft\windows\winupmgr.exe

%APPDATA%\microsoft\windows\wkernelcrash.exe

%APPDATA%\mstwain32.exe

%appdata%\msvc\msvc.vbs

%APPDATA%\MyFolder\WindowsExplorers.exe

%appdata%\nvidia.exe

%APPDATA%\offices.exe

%appdata%\public.exe

%APPDATA%\services.exe

%appdata%\smss.exe

%APPDATA%\svc\svcsvchost.dll

%appdata%\svchost.dll

%appdata%\svchost.exe

%APPDATA%\svchostt.exe

%appdata%\svmost.exe

%APPDATA%\sys.exe

%APPDATA%\system[RANDOM CHARACTERS].exe

%APPDATA%\SystemCPU.exe

%appdata%\view\view.exe

%APPDATA%\win[RANDOM CHARACTERS].exe

%appdata%\windows host process.exe

%appdata%\windows host.exe

%appdata%\windowsact.exe

%APPDATA%\WinRAR\sihost.exe

%APPDATA%\WinUpdat.vbs

%APPDATA%\winupmgr.exe

%appdata%\wlan.exe

%commonprogramfiles%\system\msadc\svchost.exe

%commonprogramfiles(x86)%\system\msadc\svchost.exe

%HOMEDRIVE%\winces.exe

%homedrive%\winlogon.exe

%localappdata%\[RANDOM CHARACTERS]svchost.exe

%Localappdata%\App\csrss.exe

%LOCALAPPDATA%\App\svchost.exe

%localappdata%\chrome.exe

%LOCALAPPDATA%\defenderupdater.vbs

%LOCALAPPDATA%\local.vbs

%localappdata%\macromedia\scvhost.exe

%localappdata%\microsoft\spoolsvc.exe

%localappdata%\microsoft\windows\lsass.exe

%LOCALAPPDATA%\system.vbs

%LOCALAPPDATA%\system32 \system32.exe

%localappdata%\taskhandler\microsofttaskhandler.exe

%LOCALAPPDATA%\Temp.exe

%LOCALAPPDATA%\Tempsvchost.exe

%localappdata%\winx.exe

%programfiles%\services.exe

%PROGRAMFILES%\Windows Updater\windefend.exe

%public%\svchost.exe

%PUBLIC%\svchost.vbs

%PUBLIC%\svchosts.exe

%PUBLIC%\taskmgr.exe

%PUBLIC%\window.bat

%public%\wininit.exe

%temp%\[NUMBERS].exe

%temp%\[RANDOM CHARACTERS].doc.exe

%TEMP%\appone.exe

%TEMP%\bat.bat

%TEMP%\csrss.exe

%temp%\csrss\scheduled.exe

%TEMP%\firefox\firefox[RANDOM CHARACTERS]

%temp%\msctfmonitor.dll

%TEMP%\mssecsvr.exe

%TEMP%\schost.exe

%TEMP%\syscheck[RANDOM CHARACTERS].exe

%temp%\sysupdate.exe

%temp%\wi[RANDOM CHARACTERS]ndows.exe

%temp%\win64.exe

%useprofile%\downloads\[RANDOM CHARACTERS].doc.exe

%USERPROFILE%\Documents\chrome.exe

%USERPROFILE%\Documents\documents.exe

%USERPROFILE%\Downloads\svchost.exe

%UserProfile%\Local Settings\Application Data\Tempsvchost.exe

%userprofile%\svchost.exe

%USERPROFILE%\Videos\Captures\WindowsMediaPlayer.exe

%userprofile%\windows.bat

%userprofile%\windows.exe

%USERPROFILE%\windows[RANDOM CHARACTERS].exe

%windir%\chromesvc.exe

%windir%\dell\svchost.exe

%windir%\explorer .exe

%WINDIR%\fonts\data\smss.exe

%windir%\fonts\lsass.exe

%windir%\fonts\smss.exe

%windir%\fonts\spoolsv.exe

%WINDIR%\help\help\helpdb.dat

%WINDIR%\help\hlp11.dat

%WINDIR%\Help\svchost.exe

%WINDIR%\help\winlogon.exe

%WINDIR%\IME\Microsoft\MaintenancesServices.dll

%WINDIR%\IME\Microsoft\spoolsv.exe

%WINDIR%\IME\Microsoft\svchost.exe

%windir%\ime\svchost.exe

%windir%\inf\cluster\svchost.exe

%windir%\localsys.exe

%windir%\microsecurity.exe

%windir%\networksys.exe

%WINDIR%\resources\themes\explorer.exe

%WINDIR%\smsvchost.exe

%WINDIR%\system32.exe

%WINDIR%\System32\clientmon.exe

%windir%\system32\devicesys.exe

%WINDIR%\system32\drivers\system32.exe

%windir%\system32\inf\svchost.exe

%windir%\system32\resmon\csvc.exe

%WINDIR%\System32\spool\roaming\svchost.exe

%WINDIR%\System32\system3[RANDOM CHARACTERS].exe

%WINDIR%\System32\Tasks\csrss

%WINDIR%\System32\Tasks\services update

%windir%\system32\windows nt\svchost.exe

%windir%\system\winsma32.exe

%WINDIR%\SysWOW64\clientmon.exe

%windir%\syswow64\csrs.exe

%windir%\syswow64\devicesys.exe

%WINDIR%\SysWOW64\drivers\system32.exe

%windir%\syswow64\microsoft.com

%WINDIR%\syswow64\svchosts.exe

%windir%\syswow64\windows services\win32.exe

%WINDIR%\temp\svvosts.exe

%WINDIR%\temp\terminal.dll

%WINDIR%\temp\termsvc.dll

%windir%\wdms\wlan.exe

HKEY..\..\..\..{RegistryKeys}

hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trojan.FakeMS.kd

hkcr\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

hkcu\Software\Microsoft\Windows\CurrentVersion\Run "Trojan.FakeMS.kd"

hklm\SOFTWARE\Trojan.FakeMS.kd

Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-SecureOS

Software\Microsoft\WindowsUpdater

Software\Microsoft\WindowsUpdater\multishare

Software\Microsoft\WindowsUpdater\pushbot

Software\Microsoft\WindowsUpdater\svchost

Software\pushbot2

Directories

Trojan.FakeMS may create the following directory or directories:

%ALLUSERSPROFILE%\Application Data\Update

%ALLUSERSPROFILE%\ComponentPackageSupport

%ALLUSERSPROFILE%\ComponentUpdater

%ALLUSERSPROFILE%\FileManagerIME

%ALLUSERSPROFILE%\GatherNetlinkInfo

%ALLUSERSPROFILE%\Loosger

%ALLUSERSPROFILE%\Microsoft Essentials

%ALLUSERSPROFILE%\NetFrameworkSvc

%ALLUSERSPROFILE%\PrintDialogHostwmiprop

%ALLUSERSPROFILE%\Program Files (x86)

%ALLUSERSPROFILE%\SmartScreen

%ALLUSERSPROFILE%\SystemAppsSpeech

%ALLUSERSPROFILE%\SystemInfoConfig

%ALLUSERSPROFILE%\SystemInformation

%ALLUSERSPROFILE%\SystemModuleInformation

%ALLUSERSPROFILE%\Update

%ALLUSERSPROFILE%\Updates

%ALLUSERSPROFILE%\WMI Provider Host

%ALLUSERSPROFILE%\Windows Apps Certification Kit

%ALLUSERSPROFILE%\WindowsLogs

%ALLUSERSPROFILE%\application services

%ALLUSERSPROFILE%\hdcphandlerdll

%ALLUSERSPROFILE%\intelcore

%ALLUSERSPROFILE%\microsoft host

%ALLUSERSPROFILE%\microsoft\microsofttaskmanager

%ALLUSERSPROFILE%\msconfig

%ALLUSERSPROFILE%\ntspecd

%ALLUSERSPROFILE%\searchdata

%ALLUSERSPROFILE%\searchfiles

%ALLUSERSPROFILE%\searchreplace

%ALLUSERSPROFILE%\searchstrain

%ALLUSERSPROFILE%\systemconfiginfo

%ALLUSERSPROFILE%\tmploog

%ALLUSERSPROFILE%\win32

%ALLUSERSPROFILE%\windowscomponent

%ALLUSERSPROFILE%\windowstools

%ALLUSERSPROFILE%\windowsystemagent2.0

%ALLUSERSPROFILE%\windowsystemdrivers

%ALLUSERSPROFILE%\winhost

%ALLUSERSPROFILE%\winkernel

%ALLUSERSPROFILE%\winnmgr

%ALLUSERSPROFILE%\wmi services

%APPDATA%\ActiveX

%APPDATA%\AppReadiness

%APPDATA%\Host Process for Windows Services

%APPDATA%\InExplor

%APPDATA%\MSBuildF

%APPDATA%\Microsoft Drivers

%APPDATA%\Microsoft\ApiMM1M0

%APPDATA%\MsLibs

%APPDATA%\PrintDialog

%APPDATA%\SlideToShutDown

%APPDATA%\System Volume Information

%APPDATA%\W1ndows

%APPDATA%\WinRAR (x86)

%APPDATA%\Winbooterr

%APPDATA%\Windows Apps Certification Kit

%APPDATA%\Windows Defender

%APPDATA%\Windows Objects

%APPDATA%\Windows Objects x86

%APPDATA%\Windows10Update

%APPDATA%\WindowsAPI

%APPDATA%\Winlog

%APPDATA%\Winlogon

%APPDATA%\audiodgg

%APPDATA%\interneexplore

%APPDATA%\interneexplorer

%APPDATA%\kernelwindows

%APPDATA%\localadmin

%APPDATA%\memory32

%APPDATA%\microsoft office

%APPDATA%\microsoft office update

%APPDATA%\msnetsys

%APPDATA%\swchost

%APPDATA%\systemoswin

%APPDATA%\taskdrive

%APPDATA%\virtual disk service

%APPDATA%\windows folder

%APPDATA%\windows media player

%APPDATA%\windows media video

%APPDATA%\windowssecurity

%APPDATA%\winmediaplay

%APPDATA%\winrar-services

%APPDATA%\winrarx86

%APPDATA%\winreg

%Appdata%\winservhost

%COMMONPROGRAMFILES%\rundll

%COMMONPROGRAMFILES(x86)%\rundll

%HOMEDRIVE%\systemx86x

%HOMEDRIVE%\win32system

%LOCALAPPDATA%\DesktopPathWinsock

%LOCALAPPDATA%\MicroSoft Updatea

%LOCALAPPDATA%\Microsoft Conhost

%LOCALAPPDATA%\Microsoft Console

%LOCALAPPDATA%\Windows Host

%LOCALAPPDATA%\microsoft.securitykl

%LOCALAPPDATA%\viphost

%PROGRAMFILES%\apppatch

%PROGRAMFILES%\microsoft windows service

%PROGRAMFILES%\microsoft windows update utility

%PROGRAMFILES%\microsoft windows updatingh

%PROGRAMFILES%\sysconfig

%PROGRAMFILES%\system32

%PROGRAMFILES(x86)%\Microsoft-System

%PROGRAMFILES(x86)%\apppatch

%PROGRAMFILES(x86)%\microsoft windows service

%PROGRAMFILES(x86)%\microsoft windows update utility

%PROGRAMFILES(x86)%\microsoft windows updatingh

%PROGRAMFILES(x86)%\sysconfig

%PROGRAMFILES(x86)%\system32

%PUBLIC%\music\microsoft\windows

%TEMP%\Micromedia

%TEMP%\SCVHOST

%TEMP%\csrss.off

%TEMP%\svchost.exe

%USERPROFILE%\AppReadiness

%USERPROFILE%\Favorites\Microsoft\Windows

%USERPROFILE%\PrintDialog

%USERPROFILE%\SlideToShutDown

%UserProfile%\Local Settings\Application Data\Windows Host

%UserProfile%\Local Settings\Application Data\microsoft.securitykl

%UserProfile%\Local Settings\Application Data\viphost

%WINDIR%\Fonts\Mysql

%WINDIR%\IME\Microsoft\Crypt

%WINDIR%\SysWOW64\WMIScriptingAPI

%WINDIR%\SysWOW64\windefence

%WINDIR%\System32\WMIScriptingAPI

%WINDIR%\System32\windefence

%WINDIR%\microsoft windows service

%WINDIR%\system32\Winbooterr

%WINDIR%\windowslogszero

%WINDIR%\winevrst

%appdata%\$recycle.bin

%appdata%\Microsoft Management Console

%appdata%\ProgramFiIes

%appdata%\Windows SDK Services

%appdata%\WindowsFolder

%appdata%\WindowsSearch

%appdata%\ZSSDVol

%appdata%\drf

%appdata%\drfhost

%appdata%\microsoft.com

%appdata%\microsoft\svchost1

%appdata%\microsoft\windows\screentogif

%appdata%\pathwin

%appdata%\runtimebroker

%appdata%\spoolsvc

%appdata%\svcp

%appdata%\url

%appdata%\windows services

%appdata%\windowslogs

%appdata%\windowsncpx86

%appdata%\windowsystem

%appdata%\winm

%localappdata%\Internet Explorer Browser

%localappdata%\Windows Security

%localappdata%\folder name

%userprofile%\LocationNotificationWindows

%userprofile%\WMPDMC

%windir%\system32\mutantw

%windir%\syswow64\pluginmanager

Analysis Report

General information

Family Name:	Trojan.FakeMS
Signature status:	No Signature

Known Samples

MD5: 1c26cc0dbff25fdb45cbc1ea11992c9f

SHA1: 8da6a47314fb9ef8cdb77f79faf9dd2750d323ae

File Size: 6.50 MB, 6495248 bytes

MD5: 18941efae18cc0a07e6fe80bcc0d6a4a

SHA1: 046f7f821ae9e910b5607bbc5420d54507f00132

File Size: 5.32 MB, 5319258 bytes

MD5: db4c909faa9481302b8c4715aabf1fe0

SHA1: efda66a04c0e00f33665d65f94c400787d6dfb95

File Size: 8.00 MB, 7995392 bytes

MD5: e11e499d6d69be32e4f833acea82c71d

SHA1: dd8a459558c46a44f5f4e17f04630e9cccd4a8a5

File Size: 3.13 MB, 3131904 bytes

MD5: 1467b21c48bccfa32e4a25a9920362cd

SHA1: 14ad67ebb8e661fa137c5848b89b27f8280f0856

File Size: 6.47 MB, 6465552 bytes

MD5: d94a3470dd6d0730926de7ff209ab38a

SHA1: 35c89b8df33ddee7e95c2eb17875752d4679c79e

File Size: 3.34 MB, 3336704 bytes

MD5: ca41e83f9bba831e624e6c3af45f826e

SHA1: 58575dd3acf7df3ab6919d1f31ba86fa1508da2f

File Size: 3.34 MB, 3336704 bytes

MD5: 2235a78198468cf2a79770087bfa1acd

SHA1: 1f798245723e88523e0b0cc402b523dc7ca5c25d

File Size: 6.36 MB, 6360080 bytes

MD5: b4648597abcca88e187c68bcd729f6dd

SHA1: a9b6c803c0b5dbba19a6cf891074bca449378782

File Size: 6.23 MB, 6230544 bytes

MD5: 0ee614e2baeb86c4d8f729c25d587c98

SHA1: 19da3bd89959c865beca601d06d41727000077e8

File Size: 3.01 MB, 3011072 bytes

MD5: 2e2f88dd59027236b06f5abc95a639fc

SHA1: 2f8852985c0a6a53f6e2147e1acdd2f90f71c03c

File Size: 4.13 MB, 4134912 bytes

MD5: 7376f830feb32de405a712e65b18dca5

SHA1: cb22002a474c7d5f96b0430d23c6cdcfd15ebaa1

File Size: 3.81 MB, 3809280 bytes

MD5: 5c4fc7ade3ef6ce9aef1df461bdded9f

SHA1: 7c18553f16051ba15dcee795da6832a387b27a90

File Size: 961.54 KB, 961536 bytes

MD5: ddaf6c60e5f3ca7ab307c8dad89c874d

SHA1: 87293dcbb864de9db82bb010e3b90fc6eab82071

File Size: 4.61 KB, 4608 bytes

MD5: 7f053cba538ab335ab1c1e5d25c701ce

SHA1: f33734e7aba848ec2a480c729f1e97aeec8f9247

File Size: 263.17 KB, 263168 bytes

MD5: 5faedbe284b0e1004a31074f540b8ef7

SHA1: 88cdfb18fe7cc64ba4d24a7237c08c39cc516e28

File Size: 6.59 MB, 6594064 bytes

MD5: 81e17579a284342147f8360efb46c147

SHA1: 720caa514dd95e902d8696043369aa4f8920d849

File Size: 2.98 MB, 2978816 bytes

MD5: 3789e8709f8c926c8706b52a5b87e079

SHA1: ca0adc1934f244f50fb8ba9de9432fa65b776622

File Size: 3.17 MB, 3166720 bytes

MD5: fb77662fb00f6d63a0d4c800b3a47c4d

SHA1: 746157737d70da30bf8933b6d33d3f9525d7d1cd

File Size: 6.05 MB, 6049808 bytes

MD5: 58c7ab8a0dc9503c2399ce546c6a5994

SHA1: 05b5a633e04120b9ff22dfffd9e250a2fc154ed9

File Size: 6.56 MB, 6560272 bytes

MD5: e0bc3d32207cf4e2eea6fc7fd51f7aa0

SHA1: f68ce32406d2e92d0ef304c2cc0b7fa30381f43e

File Size: 6.29 MB, 6294032 bytes

MD5: 7694d6660841c30b2f62fb46054f6f00

SHA1: bbf57cd864700f1b789651755d24b0c78bbd5417

File Size: 6.46 MB, 6461456 bytes

MD5: 99bac0cd504ee55e3097b79f17221b00

SHA1: fb73d64e544a40a200e826a8377718922f786912

File Size: 6.76 MB, 6755344 bytes

MD5: 1b80c13df67b6e1f97e27e4112de7389

SHA1: bbf38fbdcb113522458dbda6a9a1bdffcb81b4fb

File Size: 3.03 MB, 3030016 bytes

MD5: b5001d168ba5139846f2848c8e05a6ee

SHA1: 080f353ab857f04ea65b78570bfa998d1e421ea2

File Size: 1.85 MB, 1850912 bytes

MD5: 16fcc97b9539d521a6dac28626ea0e56

SHA1: ec4910e41ea7648907e903af67ef55440d1338e0

File Size: 1.79 MB, 1791520 bytes

MD5: b1d95c6783489bd7e26a08e2023ceeed

SHA1: b928e66d6e0936307f6a7ec756283d8d9f4d4839

File Size: 3.33 MB, 3328000 bytes

MD5: b271ac96f102e55022b5764ae48a8d36

SHA1: f2d6a3c479dfbc6ca1ca23983ebc77d7bab3846e

File Size: 6.48 MB, 6481424 bytes

MD5: 5a05dffaff7899ee827cf09efdc9dacf

SHA1: f8252e54d16eecb9ef8ac3db3d3638fd07b8fe7a

File Size: 4.30 MB, 4300304 bytes

MD5: a20dea60b5aa8fd426c0aa401fd3f4b0

SHA1: 986420217b23adfb6d1d59f9d385c0cd217d82be

File Size: 6.50 MB, 6502928 bytes

MD5: 443fac82d15fc1d3d9d8ff52bbf47a8b

SHA1: 2de83c94ca8f35beb94601715e9ff91d718caec8

File Size: 4.13 MB, 4134912 bytes

MD5: c0b0365f570123893bebf7b50b83e643

SHA1: 5d77d64ddafe2f9737699c2cdbb5ae6ccc797688

File Size: 6.39 MB, 6391824 bytes

MD5: ac65820c915dd925aee95787c5811480

SHA1: d971f8f00570f620e9a1f6cfdcd6d089ea262f31

File Size: 41.47 KB, 41472 bytes

MD5: 2195ee9abd1698cf78c4365b6c99d4c6

SHA1: ae7621b572652bc7575cd7b51f34a7b3026b8357

File Size: 5.16 MB, 5159440 bytes

MD5: dcd615f921bb70d6dbcc227e63f65d5a

SHA1: ee699962aff5f1a4dd6cd67e853c93e4782b25f2

File Size: 3.17 MB, 3166720 bytes

MD5: 0f0f624520569c0cfe9fefd5d5e09ca5

SHA1: 2b27bcd8d88dd10e1a48df344ae33bcb1d159b27

File Size: 5.46 MB, 5463056 bytes

MD5: 6a19f64ece581d804412edb64b7541ec

SHA1: 2ccc71892be7dc00b4b11dbcfb1a899872a8d7e3

File Size: 3.24 MB, 3241690 bytes

MD5: 1787fbfe2234003862fcfc7732c549f6

SHA1: 7fb7a6ebe5e49687a6453f838deea7a101449b8a

File Size: 6.71 MB, 6710800 bytes

MD5: a08f580d7e340abc5bc36d031e2f1c18

SHA1: d9085f4a8a9962defe8d1004d21248a117ac8a2e

File Size: 6.34 MB, 6337552 bytes

MD5: 56a1ceba25970f9130c3a836df4e0d29

SHA1: cd6d3fd5199eb8a9f41fd5e7de1ceaaf974dc714

File Size: 4.98 MB, 4982288 bytes

MD5: b59aed683529eb6614e77a1cb1e5628f

SHA1: c49a1dfd4a4100041413889c9f3183aac1f6b145

File Size: 609.79 KB, 609792 bytes

MD5: 8032880a336b873b46e82bf3efa8c5fe

SHA1: 0df5905ba777c2f0887adfb29cad3ac2488066ff

File Size: 5.44 MB, 5435408 bytes

MD5: 689f3cef028122cccd67edde87bade21

SHA1: 3005fb541430ffd150383b9da68850047b2c27b4

File Size: 5.18 MB, 5184016 bytes

MD5: 17bc5615ec549ae986e9e6527068d862

SHA1: 2c84aa2b600e32cc4195e022cb67bba96f4e81fb

File Size: 570.44 KB, 570436 bytes

MD5: 854795016e6bd5ce60f30da4f58e9e0a

SHA1: fb1e4ea31703d5d7861acbedb990ffce77ba0d85

File Size: 5.43 MB, 5429776 bytes

MD5: ae70639d0c3085b7deafea61ecd6ad50

SHA1: bcfd01e842f2af4a50f482561a7863f07bbe53e6

File Size: 6.63 MB, 6630928 bytes

MD5: d04d879d712c8d65cc524548d79b703a

SHA1: e6ce8a6f221db06adaa563bd28d6e3c7cafa6a53

File Size: 240.64 KB, 240640 bytes

MD5: 90084a0330035cdf88d4f167a4baeb96

SHA1: e312f0b10a83ab0a8b339284f8168deb82697e75

File Size: 5.17 MB, 5169680 bytes

MD5: 6f9101689d3f07d4975f5455817a9e8a

SHA1: 37e2516ad3f38c9a4d9978fb9846b6ea391271d3

File Size: 6.46 MB, 6462480 bytes

MD5: cd74394c573fe996c20ecaba0f6668e9

SHA1: efbffe06370e621cd5e5ca9728b926cd9e4ca5ce

File Size: 4.21 MB, 4205168 bytes

MD5: 27f1bc4cde73c73102d6430734977e3b

SHA1: 0cd5f806e7c19b286b70cf656618e49660fcb0b0

File Size: 549.36 KB, 549360 bytes

MD5: 0344d1dcec0e4a0774ca8f48e94694ac

SHA1: 2e874757f6b83a01f4468eec992ffdcbb1fea0ed

File Size: 5.23 MB, 5228048 bytes

MD5: 50f526d03dd2477425c45bff9d9b1763

SHA1: c597655fe9238c01c989aefcd0390aee4c665de9

File Size: 6.50 MB, 6504976 bytes

MD5: 9e3f5d38d0eb805df9000d7b0c226472

SHA1: 02a78cc84bead7e4329177d066af9f0e2bc4f69f

File Size: 5.72 MB, 5723152 bytes

MD5: d715e7f9dd3a3a205752e53dcb5b464d

SHA1: ef69121696e642cb258435bd6e90a457356664e7

File Size: 5.06 MB, 5056016 bytes

MD5: 92d44d824a77d4da1bf3fdb6296cd48d

SHA1: 8eab06069076d5cf738a75c129cbf5e3582efa39

File Size: 5.50 MB, 5499920 bytes

MD5: d33821a18631b1a4f79c8079567836fa

SHA1: 8197d0bcae2da6be465198190190fb75125a3e59

File Size: 5.44 MB, 5442576 bytes

MD5: c14799f661935e52aec837f242f6e4ca

SHA1: 558819fb04a4f25d70f157aea7f67c5dd9716124

File Size: 6.35 MB, 6345232 bytes

MD5: 083cea2d5c692777bebdc08c54ba344d

SHA1: 9067d97ef012f21a02268f9821bc12fc1b2f447b

File Size: 6.57 MB, 6569488 bytes

MD5: 5955a9314e172ef46498c5f071b6f8e6

SHA1: b00dd2934e0ad7b27ed0bb3733d10f028c0d5fd9

File Size: 6.29 MB, 6291984 bytes

MD5: a8e7470ff4b8e9c5da6c0605dee1db97

SHA1: 6edd6263d5ceb489eddb59c367b8a0b9b7987eb0

SHA256: 494966B3CD8C459BE0E684FE8F7500BDF8D68E3DDB4F9B83CBAAD95A03B8A851

File Size: 6.32 MB, 6317584 bytes

MD5: 3b4e4cfb38432bc9c0174725af4fae43

SHA1: f479532e80d69b13880075eeeb97dd3dde1678b6

SHA256: 057AF99E192B39A0B2F74D3BCD298FB3E19E8886F34C9006F508C0B6F75D9D59

File Size: 8.68 MB, 8675328 bytes

MD5: 18fbb34a06f0734b8c5caa6dd0443293

SHA1: 4dbd439bc9debc52d33472ac2ce540384948f0cc

SHA256: 467AEB392B8BD6A88007096AEF2F45E526EB45DB73673426C8888C315A4171A8

File Size: 6.57 MB, 6567952 bytes

MD5: ca9c6e5e69da8083c1f4d90a3556c14b

SHA1: 55b3eec9138ad81789e5e8773ed6c4b895ba1700

SHA256: 1803D2573BFE7FA865760C6C7517961C6882963E511245C2DBE03C1A36A92671

File Size: 6.34 MB, 6344720 bytes

MD5: c139dd9e5e13a22bbadc5c68a642a190

SHA1: e2bfcc0011a1bd04580b9e56627d384704bb55f0

SHA256: 1FBB83BF83711F42B6802CD1586FAB5F3F08610929FA904F9388B4D7F643EAB7

File Size: 6.62 MB, 6624272 bytes

MD5: e4de96630a11bbb25dcaabb05b7fcfac

SHA1: d83fcc53dcf24d098d2aa366e2aa783aa09f2f24

SHA256: 9F0B9A57C36ED584B04329D2D296B9A6CA6D08E22CB34B2CF171A3729A8CF86F

File Size: 4.96 MB, 4960784 bytes

MD5: 4f81c187238f4d6d66dfac803a1bae98

SHA1: dc6ce357da32dfbd52825e5d9c483aef07b889c3

SHA256: 01D0554C9ABF05A2ACB3E69323E4BC9963FA220B9162B47E3DFEE556BC76D69B

File Size: 4.99 MB, 4988432 bytes

MD5: 62e632009698b24fd51344e0cf227b03

SHA1: c7095deb784d335487e8daeef2b382cde34cae5c

SHA256: 7F5F2CE283F4D98F8C3A6C01F8B1CD9E1D4E1A23B2680D97D365FD34EB1C0C47

File Size: 5.24 MB, 5243408 bytes

MD5: f2324f93c164c12b0dab6a46b3f73549

SHA1: c5904686ca72795f6edde49751fab9116bf07600

SHA256: C3EF081BC1392B79D3683ADD2C3181495892C3D6123B9A4BD580183BBA2465B7

File Size: 118.27 KB, 118272 bytes

MD5: 7fcb71937221723ac369ae5fc1223782

SHA1: 2ace0a7b9b63a76e037a7504ef973fbfc134c889

SHA256: EB8CCC944EEF2121185054B1F2FBA5E04E8646957678100A152E7200B113E6CF

File Size: 187.90 KB, 187904 bytes

MD5: 2c67eecc0ef7399c58ab0035d090e67b

SHA1: f4ea2454a2ee6080e24cd3e209c98bad4896216c

SHA256: 50AC6BA1935E01F86E3ECE96A04F5B54DFEA850CC67940B6DB344846961EB693

File Size: 5.20 MB, 5202960 bytes

MD5: 33a6681c69c78748358b56c5305858a9

SHA1: 1f0e0404caf67aaf4c0aff42168354e8f4f67de0

SHA256: 5D2C0168E01757C4F14F48522019560C7A46A30B3148DF3BF198068926247F38

File Size: 6.58 MB, 6581776 bytes

MD5: ee68a68e8d0fb34d0583e3ef82cf9dc8

SHA1: e16cb013cc4e441a4f0bb0a38e432a3dac47bdb8

SHA256: 95FF2A715DDFAE20F5F4AE13F4DEBEF20F8372876E66B739CF3F98136C0D4B8E

File Size: 6.61 MB, 6606352 bytes

MD5: 5c8c303e1a3fc3517b2c60a8dd767fe7

SHA1: d2c8990084f821381c0d4c22e2f91533e6466a1c

SHA256: FECCE370C2F33109318E298473A6BC897C10754786242238771844B7122B1D1C

File Size: 6.81 MB, 6809616 bytes

MD5: 3ee8f11c56ae7c90cc3d36b700817356

SHA1: 051635c7e709d03e958e10bd87791d8028f4f0e3

SHA256: 010EC13D5A9FDDAF282290B36C07E87B8C7640088582CA823910679105746A2E

File Size: 6.82 MB, 6820368 bytes

MD5: 40212b0a0dcb10eb092d76b3144e2734

SHA1: 9f6938d9de1c3b34ffb075f4cce72b29ef26cc6d

SHA256: 287E6890F944AA47086C4511DEA87C14C904F6B4B80188C22628BF8F98F630D8

File Size: 6.82 MB, 6816272 bytes

MD5: 74464c29ce88c5e97bea8ca07b7cad4f

SHA1: fddee6c53cfdec4d199a0c8014d4f52a45774ad2

SHA256: 81C65C8CE4CF6854DF169E3A29EC2B6CCF8CC1425C821F5CF4BEA254CD50FF00

File Size: 6.27 MB, 6268944 bytes

MD5: 5c0e5713c5c8c68dd5d4c116c33f2b7d

SHA1: 4c39a225d2504212e492367d595e81489e62155a

SHA256: 6E21170D6E5573ABEB02CE207F1B9E94B604436046CDB04A6BF1FB0CB7362CF2

File Size: 6.62 MB, 6617616 bytes

MD5: 9b506cb2d6e355a7b0fab9b8db152fa0

SHA1: f1820779c80616d66e82d1ab359e3d65e9fe98b8

SHA256: A03BB756D4BB4F102F4A86F95E6B99A77FF1AABC01C01FC998261208B66B1FF0

File Size: 6.78 MB, 6780432 bytes

MD5: 5bc938901df150d2cb87c8f5b89b6abf

SHA1: baa1421cd06e46f729e34bc62da4a03cd8fdf04c

SHA256: 448B0FAC53CEBE3D08A79ECCDF86D0E7729E2DD510F2E8BEA58A04BE979DDC75

File Size: 5.77 MB, 5768208 bytes

MD5: d6e301dabc5876c18ecb2fdb27f5975c

SHA1: db2626ae2a3f6ca0133ea88120b17a949549cb86

SHA256: 7E7DFCA6D90B93DEF536B19CD967564D22B5D3701C53372B96D12073B18DE83B

File Size: 5.29 MB, 5290496 bytes

MD5: 7be3bf795381719150678a70a49fac9c

SHA1: 8cdc13c64aa465c61f7c4361112a8268f985b73c

SHA256: B14B24FE7D3E73D53606641D84B6FCA124D705F4FAEDDBC8AA775F93D067D3EA

File Size: 6.86 MB, 6860304 bytes

MD5: 8b111f34e69518c4ffc764062571868d

SHA1: 6ff3f485a90651281306008d6d62149358202521

SHA256: 6DAE6604357D0E6B56EBCCA62A4064431256C157D7A177194A73FF2EA05A330C

File Size: 6.57 MB, 6568976 bytes

MD5: bfd21d2cb1848efca3c86080f164d5af

SHA1: 6a7533a7f042bb8ac63d76bb83df474f17b379cc

SHA256: 55FE7DE0F26AD92DBBA7FD0CB3C2C96B10E31F82E61E0996FDD82326856B252C

File Size: 6.22 MB, 6220304 bytes

MD5: 79e2c7696d6217b57e44e2f26c23aacb

SHA1: a7cc4903f0c7dbde6934b74af6e753ec6cac5fcc

SHA256: EE3C6118D95E1D01CF957324DDF4AA8C19EB812E3AA5A4F530CC35F329EE7D65

File Size: 7.06 MB, 7062032 bytes

MD5: 0f9edc04df79405b5ec4ada214e0d6f9

SHA1: 0a19efd556ca0d98ad2dd7afb8ec70fba1ba9d68

SHA256: A6552F696C4FB3830EFF8B7CD8F7E3DB4D93C0E78E107599E90A92D0B1341DCE

File Size: 6.36 MB, 6364176 bytes

MD5: 85eeef80e20509b00ee2fe7de7dfbcfb

SHA1: 5a148f21aa6ea31d2b2f0670675fc841fb2263f6

SHA256: C4F8023FC80F17B0679C32C2609821A6FD94BDB8B7129855263DA5EC22AD4405

File Size: 6.64 MB, 6641168 bytes

MD5: 03ac106272fd2ac84079c35ee70261a8

SHA1: 3eba48be8376b2cc32052c0160c43faf1722e0aa

SHA256: 105C5C70B49298C2F4E40A4050460702A467887F615FC44C659056DB2EBE7360

File Size: 7.03 MB, 7030800 bytes

MD5: 2038b4cb495a43102cf966a33738f794

SHA1: d75e1b1929c55ef945fe5e82ad5205a1fb9cad75

SHA256: 9F9AA4643ABAF7825A54E3245A45773D00EEF881D529D9FAC07FFEC06A8D785B

File Size: 1.89 MB, 1892634 bytes

MD5: a12bc9d4d5933942b657914156b98c79

SHA1: 795d905dd94eae13f8f937177073725e54d5d9b9

SHA256: ABBCC1417FBD6F782654B3D55AAF7F90535864FD4E078C8D3E5ECC6E4E5DABE3

File Size: 6.81 MB, 6807568 bytes

MD5: 82d4b8cad5e760779f3a73cf4e3cc1f2

SHA1: a44c18f1905580de6dee98aeb5a6208bd2076f1f

SHA256: 3E8289CD14612BD36ED98ECE5C672CC2F12F9E26859F244D6C82C30BC8A80E2A

File Size: 138.75 KB, 138752 bytes

MD5: 2f9bf19801621bc33e59b6d8c6082359

SHA1: a7b339f29b6da87042fa4ec6219545e54aa66ee5

SHA256: 4BFDC2235B6561A9C46564F2B90317517FCBACB1FDDFD6C315D8C42173B93C5C

File Size: 6.62 MB, 6617616 bytes

MD5: 598f056d1cac0a85801992e2a79a6358

SHA1: 53a9468918a1c06e26e83022ae534cb0a1699191

SHA256: 34535E62140F7E8DDB415927141700949D505EA09797E84B815F2F2B2E2DEBF2

File Size: 5.99 MB, 5987840 bytes

MD5: ba4dcd68abfeb4c8a6c851889b128004

SHA1: 44fe5759709c2113c19933a75b65f32c9f0e0f12

SHA256: 9E6E9AEC028147F216C6D3FCB7DF9ED82F97E61B6125600BC53CA41D7E482027

File Size: 6.55 MB, 6546960 bytes

MD5: 440dd8477f0d3e311ab692928bef257c

SHA1: f51177737ed648f1035c8a6e9395068549c8ef46

SHA256: 0FE20134B79BFAD8E14FDC1899B8CCA7FC26E833C79D5523638672BAE7371513

File Size: 2.20 MB, 2202645 bytes

MD5: ba22e642a8ab16f3ba1b4f3d5bacf20e

SHA1: 2db885d3d68652f9000b50185297f510764b22d5

SHA256: 01EAAD2EC25850701E51EFE6804133743981A4DB7B426507950117E70DAF4AB6

File Size: 6.41 MB, 6410768 bytes

MD5: ea2fe32511e103d5d0f0ef86a8bf4764

SHA1: 9b5770b10a92fd7d000f3e317da2d38aa23d541b

SHA256: 533256406EEB8AF5CD29B59BB83DC6B186167E793C120DE4819FF96AFDB2940E

File Size: 6.57 MB, 6570000 bytes

MD5: 1de89825f2bae27678c800785b315d6f

SHA1: cf3df3ea1cb069170b517687f93a590503203306

SHA256: 3BCB63E34D87991D38389116DE3FDE902EFF2E325159E84584A184756012CE1A

File Size: 5.50 MB, 5495824 bytes

MD5: ace571850d6277e917b397718c8a60f1

SHA1: 5f3ce38900bc5c14f4b5d75c32a8790b0739b268

SHA256: 22CB94C500C749A600E9D5F4BE44CE6C0170B5BAC8EA6461DD6F07BB18F5D7FA

File Size: 6.43 MB, 6425616 bytes

MD5: 345e150db0abb764249835db595fc9ea

SHA1: eaf63f7db6b6cfbba860d85068defc8acd0f1300

SHA256: F8404A9B5509FDB1EC20A056709CA9CAEA014B6401FD2B18561B5E3D2455E00A

File Size: 6.55 MB, 6554640 bytes

MD5: e0db2bdeb52f1fbec16985e049a92160

SHA1: 91d6d28c5b13193c1655c073e71e9358b41b7c1c

SHA256: E363B5330E6BF74815C12E45C7EF64D7EC675AE3FB45EB91B029A3CF5CACE4B1

File Size: 7.01 MB, 7014928 bytes

MD5: a8c80b152fdbed6bf80b9e11fcde3827

SHA1: a798fd228bed3f236fa68b03cda21b1922ec7ed5

SHA256: 2DDE56E940187B3AC5861D7EB9F0B9071AE05A759C373B5CF0CEED09BA0273D9

File Size: 7.29 MB, 7289872 bytes

MD5: 60f28d1e2bfc2e1562785a1174293000

SHA1: 80666f92340040c1e2ca461e68cf5cd1e424b7b6

SHA256: A5159C0FD248D78BDEFE6A2E4948CEFD5E409FBFF919A933BAB0A8C0A3890FF3

File Size: 6.35 MB, 6345744 bytes

MD5: 4ccc6ab26e5c2512f9c26321819862f5

SHA1: 1c54cf7f6d1008ff0894d325f37d5060a578e172

SHA256: F93DBA951780DD341AA4CD32865F90B9E192BC50D50D82A5C08B07795422A9F2

File Size: 26.62 KB, 26624 bytes

MD5: 86cb52bbf2e038c71eb4c82e8df14b71

SHA1: a33d1d3b3c3988297fd65e935629928747f6a604

SHA256: 4CBAA1562DEEA29E2F434A5C517B66F6F77D0BC4C24A2727D7A5478ED96B0402

File Size: 5.21 MB, 5208232 bytes

MD5: 0555b73ca3ac0791f845678744b8f35d

SHA1: 668d032adba0a8c2ebf2d0512dbba0dc7d32e8f0

SHA256: 56472469C6789F283831E9A3C8257A5B5808D9CDCE063F61B956EFD08A362E45

File Size: 6.29 MB, 6288400 bytes

MD5: 13483915234ef38ac66f8c10a3412d2b

SHA1: 95782c0615c2a17d326e235540846468555db21a

SHA256: EDA78253BB9F378687F5BAEDA854836F07A36362D03565DAB5B37E07AD19E5A4

File Size: 6.51 MB, 6511632 bytes

MD5: 0bf351df48f6d26624876059c7f4720f

SHA1: 1ec0214077363d607ea5390e6ba4b7a24c0a77bf

SHA256: 75B55F5BA7D8DD149835E250426DC21CAA0684CE5C8E263CAF7EE552FE02CE3B

File Size: 6.55 MB, 6549520 bytes

MD5: 3c9e947092022ffacdbbedd56a9328ea

SHA1: 7e3a6c0738d4d4513fc3499521f18bcd88c611fc

SHA256: C4B4F3F7C203621A5BC64708E589F1DB888347F74B3B4777583AD7B211986019

File Size: 6.55 MB, 6554128 bytes

MD5: 6d08e8f0042893a113bcdaef3fe72912

SHA1: 265a1243672c6fca6d81dfa39d937384fd0930dd

SHA256: BC132D2CDA565596ED15653AE57BF45EB2BD1D0D034C717CC8083E9CE4DEFD03

File Size: 6.54 MB, 6536720 bytes

MD5: a48cfaededb267fcb64ea88a7f7cdd89

SHA1: 0e9b26eed3b958fb8f57c87f10592d0bdcca74cb

SHA256: 59945389F2AE20CBEA1A7E77679B2E615517D8D6B898E98ABB20B963250005BB

File Size: 6.51 MB, 6509584 bytes

MD5: f4252a151aa9c684cdcd8744489adaf5

SHA1: f4916f82ecea382b053454b7a0db903484033d0a

SHA256: CC842D32ACE168D18130D250A7283531FF69913101402A20EF7A5CA4D2752BEA

File Size: 6.84 MB, 6836240 bytes

MD5: fef869caecf9fa11e5b01b79efd522bf

SHA1: 711b4432711e21706bff6ffab84a3fb338139ce0

SHA256: E67EEE6B1549D46346660E8D1940F5CDA965E794F0098D49E2E2889A71A53424

File Size: 6.57 MB, 6571536 bytes

MD5: fe1adb9c27a923b72d824083d689e9d3

SHA1: ade09385aeaae24a1a4900449525637fb8632edf

SHA256: BF59CE16F0855EF8174D727DF26AEFEE7EF55234F496776C8266DA249D2C5BDB

File Size: 6.89 MB, 6892560 bytes

MD5: 52bfcd955255f143c55abbc28fe69bbf

SHA1: f704464d3b3eefc7fa591f0f7c8a998b533492ac

SHA256: 61A426DAA20F1F7BA2752B95D19C1C84990BB4F6454625A3E84A70A4A16B7C5D

File Size: 82.94 KB, 82944 bytes

MD5: 56dc71bc93050a72dbbcf92ea3eb0b6f

SHA1: 376d7dd9882d9c38a661ddf907a52a1253df6eee

SHA256: 015645BA1484710720AE69716BA4BC370DC0B042FE54686CE89BCF02729A63B0

File Size: 6.56 MB, 6559248 bytes

MD5: be2eccfb4d51a5f5454fdabc93026159

SHA1: 611ed71b36f15b0a261677e8b5d799d4755995ae

SHA256: D110E483548A4C3FFE722200E895B5CDE8947B7A6FC8485506B795BE9751F75E

File Size: 6.65 MB, 6645264 bytes

MD5: cf9b0a1e732b60fb835b0891d4a1e516

SHA1: 6265bfe264c1b409e0d86a717f8ce0b0104c1e90

SHA256: AC26EBA542451AC367126A398BF3F92ABFA238579928243B6012366394645FF9

File Size: 6.65 MB, 6645264 bytes

MD5: 70faaf068c08a490fb6165e006670230

SHA1: 924b54f4be69e50a2e46f06a249f72a994e6bef3

SHA256: 99DCDAACABE5A4312A564782AF622430F1BA2AA2F820C9978ED17DF99CEDA20D

File Size: 6.79 MB, 6791184 bytes

MD5: be263edff4e17f296f7c41b9482438e9

SHA1: f555b45f1024b9dcdf201e9f27bd8d9dd9d8919f

SHA256: E758CF033EF2934069D96673D721C2E89CB4925EBF4BBE1D9081310F76CAE8A1

File Size: 6.65 MB, 6645264 bytes

MD5: 1c81299dd1add9302a9823498ae272c7

SHA1: e6cd8d997314ecae3ce8886fc2f0e1c483ab07a6

SHA256: EFD572E45D0E4701DFA1E28EBB231341ACE10BEC4D59636B0DA552CC794F4115

File Size: 5.29 MB, 5294096 bytes

MD5: bf0d9e99f7013ac179d1c526c4b90c78

SHA1: bd6379585d8b12a473860b9e9937d29a2e382c0d

SHA256: B01C1101EFB461E23DAC3DE5B0AEF01F37473677278A51574A819A2D65C3E87D

File Size: 160.77 KB, 160768 bytes

MD5: 767bb26c766f7712b747acf196cb4e2d

SHA1: b59ab480e5765b15dde23b4b32d301d2a355858a

SHA256: F46F8EAE746B3C42735525C94CE06E7A278697E10EF62E42816476FBDB225D91

File Size: 6.44 MB, 6440464 bytes

MD5: 962e303d6a2e5346f7efbb243f8a0522

SHA1: 88f70b6d5a1fe8a0ef0829199cd58bc73f1bf849

SHA256: 3535FEB400CE6BA3CD89721559ADDFDBE761EACC72339191964E9660E6AD6A03

File Size: 6.28 MB, 6277136 bytes

MD5: 236af38f41b1f7f1e6ad218cd58f2a68

SHA1: 960b88630e39abea1477f000c2b9076af8d46622

SHA256: 204CD07EFE8A4CF14C00C124E0FB3347ECF81C3AF83615B9589DFAA8DC7F24F1

File Size: 7.04 MB, 7038480 bytes

MD5: 236294878b56baac570147467b564dc6

SHA1: 508670124c30a1e20ad0a3cb6e4fbafbc3515937

SHA256: 321DEBC194FB86C4136077A1098D106D46E5C2320AA2BB51BD0563C724C4E520

File Size: 6.33 MB, 6333456 bytes

MD5: f8409666152c9b8157a7c56ab16d57f0

SHA1: c58649ccb64311eb8281a719e86d4d3b985e99c6

SHA256: 62F0FCF1805E0DDCD417154324BDB6CA879D0AF98D09BEC05DAB99B717DDC975

File Size: 6.44 MB, 6440464 bytes

MD5: c29b86db89e0f35334654753f458c40b

SHA1: 29e88699c5a6ba12d0900dce62e0c55e4c5b627f

SHA256: E7F027DE20674522FECEFADCA7E96B09BE103C60BAEB9B90623C073E8B69D82C

File Size: 6.65 MB, 6645264 bytes

MD5: 162bd78a8b2708805c8401285b98321d

SHA1: 792c3b9aac150ab730a6fc72842b052f052bf582

SHA256: B6C1A2887C63DBF5FCEB79349C77877633FB2EC5457B464C8ADF44FAD9C2301B

File Size: 2.91 MB, 2912256 bytes

MD5: 3e6264f0c90cd7f62e27c8b2b872bfd1

SHA1: 4198d4126d8b70938b45b3ea6dfc512565bb99dc

SHA256: 0726BEFA5D6DC06704B3CE6458DBC52E08C30D53DB59D8AE6991F83C6D25703E

File Size: 6.65 MB, 6645264 bytes

MD5: 2a844b9d49b0e8e38920613fe0b6d596

SHA1: dab391667161219f88b2e06c1072b1894b5ef6c7

SHA256: BDCAB0822FF87DB95FBEEBB19DC3A7FC107C34518CB3317C8D66604B7C86EFA5

File Size: 6.85 MB, 6850064 bytes

MD5: cb71367475f033cba10a7421e3d8cba9

SHA1: e2a0a282350d7b08eed0730a52124609cc5ca3c6

SHA256: 36F05B7D23641833CE5707169628E933D655DED349BA01D0B6CB0DCD35F14C34

File Size: 221.70 KB, 221696 bytes

MD5: b971464ecb9e61770a47bc210e2cc3c1

SHA1: 8aba79d015f882cc17e98553058bed95a0c22981

SHA256: 4D31BEB2A334B54C7807A193520E966825B9F9B9665B69D279F9DF4D346D5DB6

File Size: 6.65 MB, 6645264 bytes

MD5: e930cddb83e07cb687796ed64a90d29b

SHA1: 4d0c7638c7d7fa1a4dad91287a9add7235b8c4b5

SHA256: BE05D408489292930EE781196DEAE173D26056AD6A5BDA98CD6B89D37CB38406

File Size: 6.63 MB, 6625296 bytes

MD5: c0b02f0fd169fa01e119c6ba6a54f442

SHA1: 44beeeb1af438517b913a062333f2a8b0f4095b9

SHA256: 573879CB057BDA2CE6525595B562D6F48BA1D82781BCC28F83188DB709EA22FA

File Size: 6.65 MB, 6645264 bytes

MD5: 6c36b164b2693a194b434fbaa67fa866

SHA1: 06a77e56271527be3cae8e4f6b0dff434b729d86

SHA256: 89B6D227AFDF33A4D4F01E38FCC9F6ECC3C79201814832C1EED15290BF868564

File Size: 6.65 MB, 6645264 bytes

MD5: bc90202b304b458e72c567748269507b

SHA1: 950c8b80b335a0f10f77832c5c929da7492c2d19

SHA256: 87C2D2CC1617B75A58A08BBFBD994EC97EF99E1F6CC0A554F55D841C9AECED78

File Size: 6.28 MB, 6281232 bytes

MD5: 9c0f10445d5c002f61d0d6940be7026c

SHA1: 8b1356e92cc4a47b4bdb5ad02348075e2193fc3d

SHA256: 305409D6FCF24066BA28140936D1BBAC490A399D93D71D597591302DA8EFB272

File Size: 6.85 MB, 6850064 bytes

MD5: 0425cdd836525c720f3867fa3450c3b3

SHA1: 83b80f0aae0e2251f957653ca1e8f5e75ed85735

SHA256: CA050B21D489FBB525E1CFF24F669B3F1362D5D778B50F37C40FF524C8DA4B3A

File Size: 6.44 MB, 6440464 bytes

MD5: a3b187367906a0eb92b38ed80f8c0f7d

SHA1: 64b4dbaf20399e9569d887fbdb37acf10dc5e048

SHA256: A2CACA44247C555FE0D4FAA25320C58C6CEAB37CEE6A664EA76E594DB4CBE979

File Size: 6.65 MB, 6645264 bytes

MD5: 952b316b89b8053e6d56a0e817bb1f1e

SHA1: 3683f3b34979451d6e76dd1b1e106a301f41ad00

SHA256: FAD1ACB0F017E23CB0AA7F23863BFE5E90947A976336993307E1F0B470AFA056

File Size: 6.44 MB, 6440464 bytes

MD5: 22f7f7329d650f59d812e07ea9ecbaa4

SHA1: 863c0f71930f9b2fe63cce397c8d623718d82ed8

SHA256: 22866A61CB24795355E0FC9BC2AAB97B057C71AF5BB1A8BBF64A164EC08686D7

File Size: 6.65 MB, 6645776 bytes

MD5: ecf6d79ac5871cb05da771eab066d697

SHA1: 63157a8bf5ee0d2791f35eae011105b28eba95ac

SHA256: B9706CF2778CE11141671BF8F020901A7D475A5CC95070F54D40BF35C54B6B54

File Size: 6.80 MB, 6798864 bytes

MD5: 8f51af5d1a700184baa9b9302e978269

SHA1: cf5693b70ae030fedcbd5311c0d049498e180e6a

SHA256: 2B0040CD9EF6C0BF8D9B0C5170DEE13376A034FFC2D02009DD5E5F04336E13F5

File Size: 6.65 MB, 6645264 bytes

MD5: 7595f3b01ee96e4e80583da6d3b26f97

SHA1: abaa890080ef697b33bafa9472386344999cb1f8

SHA256: 3796A578065747428BB343CE7E931A063B3325C453D02FF877A60649803CAF43

File Size: 6.65 MB, 6645776 bytes

MD5: 91444a0257e3eb40c6dbb705da4013bd

SHA1: df1127a2235bd3639998bb83bb349c142ca6ad22

SHA256: 69685467322263116F68DE12DB92F4C672F59BAD4EA6A5C12AE218E6EC6E5EC0

File Size: 6.15 MB, 6145488 bytes

MD5: 1e1a82b9af82ef7cdc90e402c4d84f12

SHA1: f439c4ed4aabf71f08d2363a940570cf31c17e96

SHA256: 53C9BEFB5574D3D347C25E75152B9E992A393C545AE9A11857DB6EE5067F9D7C

File Size: 44.54 KB, 44544 bytes

MD5: 798d5407e367ada97ee427a988e826aa

SHA1: c1fb4885ac1b6fc8c949b18260d05d92edc7e5ed

SHA256: 2456D69BC42473B99D0A42745F1D6FB04D52E556E4FE7CA4C329146B16E792E1

File Size: 2.29 MB, 2285555 bytes

MD5: bf05af5666abc49dac4971d9ee11973c

SHA1: 67c374c90902c9199fbce03110324ca47551cc0c

SHA256: 018C608651EE1D4CAA76A84105CFF906111E37D61A7E15BCE2351F536FA7345E

File Size: 6.65 MB, 6645776 bytes

MD5: ea87c6b38e35c513781f58040713aedb

SHA1: e4954d1f932e5f90fc7c6e858b9541c7a8c99d12

SHA256: F88C5B6B15148402AAC4A5F63AD5E6E7616592537875956B71A8378DE3671F2C

File Size: 6.65 MB, 6646800 bytes

MD5: d2fbd90e01ea46ddb325f752d0255011

SHA1: 6cb00d23eddf5ee8b97f95d113b9629bdcc10bda

SHA256: E61B408B3F01153149755CF219630444B2B34BFDC844E02991FF025A02DF8B55

File Size: 1.24 MB, 1237217 bytes

MD5: 29434acddf936d67842138bb6d63b31c

SHA1: 1cc59ccab0fe79743308ce543eb4878ad4c7adec

SHA256: 3414299F2708E697F539F45D1398A737BFFCABB4D031D657A890F305855EBDD5

File Size: 3.33 MB, 3330048 bytes

MD5: 17b3a5fba572f7a91ad088333d789352

SHA1: 54e4bea39ae2e6af95ddc09aa5ebbb364881c03d

SHA256: CEBC49E7849427655E0B05599D3B03DCEB1E068BB3F438A7A50B6D5075E99710

File Size: 7.85 KB, 7849 bytes

MD5: d855f5d34ef1b5cbc2310b7b6e4ce2bf

SHA1: c8e2b0ffbd3b72ee02a06a6ea17cda2aa1d7e402

SHA256: 0B0601C47630C74FCEB66C32A74E32936108CF82ADA255E92F5711F2AE61AA1B

File Size: 8.15 MB, 8153616 bytes

MD5: 40a0f89396e40175cedeab92edabd45e

SHA1: 0cd1e9f03e7f0f97ad4ac22e37ea0a6782deda31

SHA256: 99138B98C655DC32D02AD68A835995B7257ED36260719C996B8F60A7C33F8027

File Size: 8.15 MB, 8153616 bytes

MD5: c2e1d19faef6d01a21e81363198743ad

SHA1: c1585b54961d74d6235bf20fc22106914cd6a347

SHA256: 6E21A63CF488B5FE3442D7C4CD2F4BC8BA66DC1BFEE71236323983E033C7E8FE

File Size: 6.82 MB, 6820880 bytes

MD5: 5937980b68122ba596b5194af04a55df

SHA1: 91544618c51dd8ea0075b6e527b1f6497fadb6da

SHA256: B5FD135D9AEE4B6955A66A49F88A3653A87BEAEA644AB5E8D5918431CF386A3A

File Size: 7.11 MB, 7110136 bytes

MD5: dc0b5675f69d6dcc8ae0a36402d1900e

SHA1: f32bcc3fa2924a5b80e92af04efa1c6f390859a5

SHA256: 16D4D29D56D8B4F1A58DD0EC98FAFFADA7F0306761420643CDDB1BF2D8D406DA

File Size: 8.15 MB, 8153616 bytes

MD5: 1d3f62472fb8da2d37fc1c84e7da914e

SHA1: 2af523d1a1f84479dbdef66032664cae3ab4af4b

SHA256: A42F37DF47FDBB173C7495E18128B693B087E9A3A9A2707AD7CDF18E8C2649A1

File Size: 2.52 MB, 2524504 bytes

MD5: 74cc1566cae05038e7d8431e7db8f5de

SHA1: 93cdfdf70a55cd9bdbd3780faea70514d9ac4ab9

SHA256: 0A458D5875881B714A44E9970FD255A77D6FB3C8DF336978BC441605711B171E

File Size: 7.95 MB, 7948816 bytes

MD5: 41c42709be5d33ac80315b75448b3cf4

SHA1: 5fec1f130c3cdf5fc99b065e10c5f8b5efd77c3d

SHA256: AA30713B0F423E0DD8225159925F3B741479886581C67C48EC9617625222B746

File Size: 7.95 MB, 7948816 bytes

MD5: ece09f792d1bb7a3a80f34e142abec8c

SHA1: 78715f9b631bafaaf9ed86d8497530f24967cecd

SHA256: 9D2DA410B6882D97388BAC5D548BD9964909D2C36FE32DC210849C36C699D58F

File Size: 2.53 MB, 2526552 bytes

MD5: 1e84cf2254e415a4f25908b0bd2fcd9f

SHA1: 1058dbe49a26cbd56183fdd3f188578dd2441130

SHA256: C88A92046233208507A30A61DF38EDFD23B9E51DED2B1D1A40AF2D6AF9DECB5D

File Size: 6.85 MB, 6850576 bytes

MD5: f68407776302321c76cce4f7aaf65d71

SHA1: 0acf07a099b0714e53cdf6d326838420d3848389

SHA256: 10B94043C696BCDE586F2D1CDEA361E2CBF564477E21DCAE0E553E6AD8FE5651

File Size: 7.05 MB, 7054864 bytes

MD5: b406297782e269e591e22149c6f5c39b

SHA1: 57fcb002e2caedb7ba37157cef8790bc948b9a03

SHA256: 6CBBDB1AD81D0C3069DC0590144CBBEC30BA6F1A8C635B7A273196D59859D0C2

File Size: 6.85 MB, 6850064 bytes

MD5: ee52ec46cb5c25dafa084d7727227ef1

SHA1: d7cb4a2008f59b4cdecf7bad7828f5c14410ec79

SHA256: 0852BE7839D759103049EFC4867F71472319996F7C07CB8420F4FB719EDF51DD

File Size: 8.15 MB, 8153616 bytes

MD5: edf8341ae72bb77d1ed1ccf6b5ece324

SHA1: 2fdd7643239ca882cea4c1a55a750a5ebcf48c72

SHA256: 02E108130D798B7EE14CDACDD7B21CF6A47519B3C70173544647D4088BFDA88D

File Size: 6.75 MB, 6752272 bytes

MD5: c24ba81050a4835c3c62125e562c0f7c

SHA1: 37a4a822b5291b599ea39ac7af591feeac5f3036

SHA256: 20AFBF81D200FF355DA1597C8E1ED6319A88CA962B0A4C47B4C1C99F389F317A

File Size: 7.95 MB, 7949840 bytes

MD5: 452b41cebd8a12d2ddf400c1b030e9a4

SHA1: 16cc676127681ca0a1a513b602b5d87cec318101

SHA256: 5C012355D800223C1BA249C1EDC127E3C19CCA28DC0417E23A270A05B2573E39

File Size: 7.95 MB, 7948816 bytes

MD5: 3f62ae1a169dfc77dd9afbe40bafe667

SHA1: dead6262fb2eff7f6dda60f41291400d9ec9c074

SHA256: 88376F53D4ED717D70BB826C1C7213B8D34FCD8A3AA3F8251F8853411AA7A27A

File Size: 7.95 MB, 7949840 bytes

MD5: 6cb4f664968b4e5fe3337d46fda29f4f

SHA1: 6411b130ae52ea95953b61f63ea5ed2e4efb6f25

SHA256: 2B0524B7A45942C974AA840C985A78EA1148D26F3032530B1B19CB504C2D2B93

File Size: 8.15 MB, 8154640 bytes

MD5: 1dde0aeb89835232ed17dc7395bf42cc

SHA1: aad7b7afcd85ea445206f9f81f14a8b4f27b65c1

SHA256: A0F9CB13988ADF17D87A45D8BBB5DDA0A5C9E4903C1FA78F8E1340B5583CC7A0

File Size: 7.95 MB, 7949840 bytes

MD5: c4f68f04386512535688d2514ef56e52

SHA1: 682cd9a90bb40d7a5d6063402ea1cddf2decff6c

SHA256: 0DEF83654D7163CA5BE8E5BB16C6F92F0037BB3FE2D8EEF78F64BCD282A2393C

File Size: 7.16 MB, 7159271 bytes

MD5: 2d5d0197c05ff59693459d8af05049c8

SHA1: f83344a421586fe7e0d53a46932009cb8481bd57

SHA256: 870475006A3873A916E4A3F4EDA8C006388E5AC59BB8E3895509EC921216F9F9

File Size: 8.15 MB, 8154640 bytes

MD5: e8a902b371dc07d448b2eb8597c3c7e1

SHA1: 901ff2657fabcd8def657efee18458f7e59dc55f

SHA256: FCC11A4C29AE64C13E0A71C06DE8C00D77F059F33517EED36DA71B378FDDA1CA

File Size: 1.18 MB, 1183821 bytes

MD5: 2286b488743079ac79247b5d855d3c53

SHA1: 52151de6b461eec0906271b847092a3108ebc43f

SHA256: 9B6137A33F5214485DBFAEE629DD60C33002C1C1129A973C100383ABC0B8DFDF

File Size: 7.95 MB, 7948816 bytes

MD5: 1218abddc3faa9b6e53433585d6eb4d5

SHA1: 54b4ab9b7ecb578ee103198e6ac36fe26ebd8425

SHA256: DB97426F26D68BCCE6433E13C6CFF594E8E887C403BB0900CB284AB00FEC2D11

File Size: 8.56 MB, 8564240 bytes

MD5: 27001a7aab13a9ac10e4a2330204c961

SHA1: 5c8ff680223cf869465487180f3458e7bb00b508

SHA256: 06E85EBBAD917A855210DB6B5848FAB12FCDF41A621D402E3247A686C9F976F7

File Size: 5.25 MB, 5251384 bytes

MD5: a3bdcc99efa6105cde29e10d7e3597d9

SHA1: 0e229e8ab41d25d4d4b693a60cc3f5f43fdf3f42

SHA256: 985DB6995EF2FB94C77E145BA831554D3EA34CC27778D00689D04B8F66293D3F

File Size: 7.95 MB, 7949840 bytes

MD5: a8b93b4a6297f0af5b3b8cf4b20721e1

SHA1: fcf73395ef5763dcf03328b94f55b708221fd256

SHA256: 9A37FC40B6CBCAE7CF1C5341B4067C9984327287BDCBD0EECD6F7BEEFEF8BFE3

File Size: 6.79 MB, 6791184 bytes

MD5: a42ee632b4447e6710ce28506d3d4b05

SHA1: 50546463b95544faa6c86d2cbc4ae2e43c02bdea

SHA256: EB450FDC759C53E8A21140BFE89804AC6BDE93F45D886A2FF89E7AFD3C1B916A

File Size: 8.15 MB, 8154640 bytes

MD5: 2bcc04ab14c9217e7ba0897880e92797

SHA1: 763f56166fd34346508b695c72c737b49224b4ed

SHA256: A18FE7906063995BEBF28C3267718137C90B78D24A9BD2DD7572446596676BB5

File Size: 7.95 MB, 7948816 bytes

MD5: 978d7036727c1fd75f4821e9b94c6a7b

SHA1: edacc9989558d05da103aee245ae1eb7b9e3e0ab

SHA256: 46CAAD206ACC0AACBD4C75E708D449FAACA9FC8526E8437A13688FEC2DAF42A6

File Size: 7.95 MB, 7949840 bytes

MD5: 1f9dc7fcb111c77432a0e08737569a1f

SHA1: 5e85716acb3f4f7ff2f1acbd2f738ce92cc598db

SHA256: CEE0AD431BD08D1C0BA3A12B2DF8723FF2CD5FDC1A9F050A17B9A14C8C886B71

File Size: 6.04 MB, 6037008 bytes

MD5: 4283d428c748637106b133733a0ed124

SHA1: 2c044262724b9892ebfa775ebe2a8e81fa86dc6d

SHA256: E6A670A3E2561375BE5F03399534A712EB32A79A75B55CE799D396C9C9273E36

File Size: 5.64 MB, 5635600 bytes

MD5: 40c38992a28ae4686a29e4d8c508db91

SHA1: 185d97a267328cba5ef00d12bf2510c0757aa5c5

SHA256: 703A40F77870BC9074C58E3865E924633F05860DFFA93F5F1CE620F2E1ED9D3C

File Size: 8.15 MB, 8154640 bytes

MD5: 3a0d8786db40084b4a55d10123ec0f70

SHA1: 7b75cd540c8f32269114208121f839b7cc3ddfde

SHA256: A15BCA01F3EFB9264037F81328EC8FB68AFE194A01975F0BB43A50934C998417

File Size: 3.34 MB, 3336704 bytes

MD5: 200ed8b554c4bfdf64faaa01029cdfe9

SHA1: 7189e1a4495ba7e377260a34e8c945528014c98e

SHA256: 953673FF877BE7DD92211CF4C77BC1020BA41F373F1BAAC0F18F08608BBC4278

File Size: 3.93 MB, 3930112 bytes

MD5: 90452227d7d030b89ba17364ed401e5d

SHA1: d06ed5fc088b88f49d1bbb0e8d53eaeca1d42355

SHA256: 88B7F226D9E880572ABBA6149B5389CB9D25C9CFD9FB6AB9FA9960890103C28C

File Size: 8.18 MB, 8184848 bytes

MD5: d1c11d204a659700465b013b3d89a618

SHA1: 8e4e8e7b7d6a3ac9a7d8c37e8a661507469e197c

SHA256: 09085B0E286FCEBEE013C472E6AA74725B100E2770C42C89CB140DA2AB92B805

File Size: 7.95 MB, 7949840 bytes

MD5: d59305d349fbcd811972a76645af2775

SHA1: 4722acf8b760373094ccdaef5b3c3a24df196006

SHA256: AD94DD0179A9679CF3AD6313B0729D52832597EB0859F824E387685C75D6AB26

File Size: 6.85 MB, 6850576 bytes

MD5: 9ca514ba23534c17aeedd912af44a911

SHA1: 45747e5f5b27c16b5a9a1562084055007eab6913

SHA256: F26097C6767C377A16A70D9F19D5407D7DDE870BDF46C927DA314E1CEF35EBA0

File Size: 7.95 MB, 7949840 bytes

MD5: c4cd77aede5d4ce34d43a6d24dff442c

SHA1: fb57561eeb342eff3f7ed5296444aafc4c2a2f09

SHA256: 20EF47B595E9771A9D4BE6BADA1638C28785172A3D4595DDC12EA88421FAD0E3

File Size: 8.18 MB, 8184848 bytes

MD5: 2e3a03a99097c4d1bba1c0665c46b8f8

SHA1: 17c23c4a3cc7254016998f3237fecaeaa724f2e1

SHA256: A0A58766FD23C66D0DD2DE5A38E80CE4591AAE300780576F4CDDB00E4C28C77F

File Size: 7.98 MB, 7980048 bytes

MD5: d638fdb89aa7acb0b1e6d03add23f3d4

SHA1: a2d6df1aca11062f9f2c87bb8cab0be6abe92d05

SHA256: E101A08E39C35D3671618EF7D918F8F24B4BCBF2363DE7D2DCC541F8831DA3AA

File Size: 8.39 MB, 8389648 bytes

MD5: dbdc75b27ef6dfe59583b715ea44398b

SHA1: 56727c6f5e6ec56b2dc74f106daa764f295ae25c

SHA256: 6AA2300FFA0E7FD656A0894B2B8C11CDB741EC429A0B926939A0B011B94C00E1

File Size: 579.63 KB, 579632 bytes

MD5: 41241c59614618e72877cf03e85196f6

SHA1: 0e68b36f1f1fdc13dc58bc790e5d9cbac07bd618

SHA256: 724ADCD217E12198B4E60C1091B6F13EDB0FCE11FB185C663D755348C4A48ADB

File Size: 6.88 MB, 6883344 bytes

MD5: 8d1166eb5b3b24f8d9b577c354df30ad

SHA1: 8e3cef2a656c8ad70ba73056d04c7bf011a6e12d

SHA256: 93CAB0EA217928DDAFE043D2C78670C385C6F6E10F473D7B47160108BFD26E71

File Size: 7.98 MB, 7980048 bytes

MD5: 6b26c3a6afa9363a3b44f1f1757a5f10

SHA1: ce8eefc4c39b19f773cbb6bec4a6ef209bdd3ca8

SHA256: 40161E38B12ABDC0090AD7094D45C689835E97A692B9766F932FE24C3C94C4BA

File Size: 6.81 MB, 6813712 bytes

MD5: d2d108cce142aadc184b119b701e7631

SHA1: a5a61c1e879da8e8844195e520b91fb696c1ac90

SHA256: 1F2EC6E7678919BB45003B91DB69EAB347AA951CBE3AF8EF5B3B2DD8DC4B2C20

File Size: 7.95 MB, 7949840 bytes

176 additional samples are not displayed above.

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File has exports table
File has TLS information
File is .NET application

File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

200 additional icons are not displayed above.

Windows PE Version Information

Name	Value
Assembly Version	50.26.36.51 10.0.26517.5158 8.1.0.0 6.9.9.4100 3.0.7.0 2.25.421.21 2.9.358.42 1.15.5.13821 1.8.3.0 1.7.0.31111 Show More 1.2.0.0 1.0.7918.23563 1.0.2903.40 1.0.3.9 1.0.0.2 1.0.0.0 0.0.0.0
Builder	ahileeeeeess 00:40:16 19/07/2025 Almany 15:34:12 19/07/2025
Comments	Automatic hardware driver update tool Client Server Runtime Process Created by Camille Rodriguez Flavor=Retail GoliathNet 6.0 MultiPlatform Version Microsoft MicrosoftApi Serviço de envio de alertas System integration support service This installation was built with Inno Setup. Show More Windows Logon Application 我的世界启动器
Company Name	17362-2017 ahKxYAkopZ Elysian Group Idonicsys. Lda. Intel Technology Partners Kaspersky Lab Microsoft Microsoft.Certificates Microsoft Corp. Microsoft Corp. Show More Microsoft Corporation Microsoft© Windows©Operating... MicroWorld Technologies Inc. MKSSoftwareManagement AG NetEase Razer RuntimeBroker Seventythree Networks GmbH Windaos www.ping-it.cn 打印服务
Company Short Name	Microsoft
Created	7z SFX Constructor v4.5.0.0 (http://usbtor.ru/viewtopic.php?t=798) 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
File Description	AddInProcess.exe AORadar Boot Sector Manipulation Tool Client Server Runtime Process ConsoleRuntSystem32 csrcssrv MFC Application DelcamSheet_S2 Direct driver preloader Environmental data overlay showing interactive object highlights. eScan Monitor Control Show More Event Collector Command Line Utility FileExplorer Application Generic Host Process for Win32 Services GetSystemInfo Host Data Services Host Process for Windows Services Host Process for Windows ServicesMicrosoft Corporation IDServiceIDAlert Installer for the Windows Installer Microsoft Microsoft.Certificates Microsoft.Web.WebView2.Core Microsoft 365 and Office MicrosoftApi Microsoft Carnaval Screen Saver Microsoft Edge Microsoft Edge WebView2 Microsoft Teams Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 Microsoft Windows Search Indexer Mks.BestbuyNet.BestbuyDriver NewSpoofer New Spoofer Phone Activation UI Process Verification Service PURPLE RefreshExplorer Remote Administration Tool RemoteApp Logon Application RM50zERWAuDH Run a DLL as an App Runtime Broker RuntimeBroker Screen Saver Installer Show Group Members svchost taskmgr TCP/IP Arp Command TechToolLicenseEditor U ModX User OOBE Broker v800ACCS Windows Command Processor Windows Explorer Windows Logon Application Windows Media Player Windows Recovery Environment Windows Shell Experience Host WMI Provider Host WMI Reverse Performance Adapter Maintenance Utility _SCREEN_CAPTURE 我的世界启动器打印服务数位板驱动
File Version	62100.35.1000.9701 3000.571.2008.152 2025.1224.1451.27 2005, 9, 23, 0 140.0.3485.54 103.0.1264.77 44.747.355.3198 25.7.15.1011 16.0.19029.20136 16.0.17126.20132 Show More 16.0.16731.20378 12.0.7601.18840 11.0.50727.1 10.109.26517.5158 10.14.31.81 10.12.2598.5040 10.0.26100.3624 (WinBuild.160101.0800) 10.0.26100.3323 (WinBuild.160101.0800) 10.0.26100.3037 (WinBuild.160101.0800) 10.0.26100.1882 (WinBuild.160101.0800) 10.0.22621.1 (WinBuild.160101.0800) 10.0.19041.4474 (WinBuild.160101.0800) 10.0.19041.1503 (WinBuild.160101.0800) 10.0.19041.1 10.0.17763.1697 (WinBuild.160101.0800) 10.0.14393.01 9.19.939.1105 8.1.22.0 8.1.0.0 7.0.19041.34 (WinBuild.160101.0800) 6.9.9.4100 6.3.9600.16384 6.1.7600.16385 (win7_rtm.090713-1255) 5.1.2600.5512 (xpsp.080413-2111) 5.1.2600.0 (xpclient.010817-1148) 5.00.2128.1 4.8.9032.0 built by: NET481REL1 4.8.1.905 4.7.1.10310 4.6.1.222 4.09.00.0900 4.01.0245 4, 0, 0, 323 3.5.30729.7903 built by: Win9Rel 3.0.7.0 2.25.421.21 2.3.2.0 2.3.0.0 2.0.2600.2 2.0.2600.1 1.20.1827.0 1.15.5.13821 1.8.3.0 1.7.1.0 1.7.0.31111 1.6.7.0 1.2.0.0 1.1.9437.0 1.1.24.04 1.00 1.0.7918.23563 1.0.2903.40 1.0.3.9 1.0.0.2 1.0.0.1 1.0.0.0 1.0.0 1, 0, 0, 1 0.1.4.8 0.0.0.0
Internal Name	AddInProcess.exe AddInProcess32.exe AdministrativeConsole.exe arp.exe bootsect.exe Bootstrapper.exe cbot cmd conhost.exe.exe ConsoleRuntSystem32.exe Show More csrcssrv csrss.exe D3DX9D.dll DelcamSheet S2.exe Diamond.Catalyst.Accs.v8.1.dll dreamwaylink.com.localservices.exe dsetup.dll ElysianFields explorer FileExplorer.exe GetSystemInfo IDServiceIDAlert.exe InstMsi.exe Microsoft.Certificates.dll Microsoft.Web.WebView2.Core.dll MicrosoftApi.exe Microsoft Edge.exe Mks.BestbuyNet.BestbuyDriver.dll msedgewebview2_exe msedge_exe NewSpoofer.exe New Spoofer.exe Permanent Spoofer.exe Purple.exe RecEnv.exe Refreshexplorer.exe Reload rundll32 RuntimeBroker.dll RuntimeBroker.exe ScreenSaver SearchIndexer.exe Service.exe setup ShellExperienceHost ShowMbrs.exe svchost.exe taskhostw.exe taskmgr.exe TJprojMain TTKG.exe U ModX.exe User OOBE Broker wecutil.exe Win wmicookr.dll Wmiprvse.exe WPFLauncher.exe XCliedwadadaadant.exe Z8WSY69HLPEVM4AY11H.exe zfDuDFy Zika.exe _SCREEN_CAPTURE.dll
Last Change	2b250f2585e4f7418e51e230b93685cdc0ed9db5 3cc379a8a5fb6b704b2169c01830296ed862ce0d
Legal Copyright	bISrvkIWHw Copyright (c) 1993-2025 the Wine project authors (see the file AUTHORS for a complete list) Copyright (C) 1998 Copyright (C) 2016 Microsoft. All rights reserved. Copyright (C) 2023 Copyright (C) 2024 Copyright (C) Microsoft Corp. 1981-1999 Copyright (C) Microsoft Corp. 1994-2007 Copyright (c) Microsoft Corp. 1999 Copyright (c) Microsoft Corp. 2000 Show More Copyright (c) Microsoft Corporation. All rights reserved. Copyright 2002 ScreenTime Media. All Rights Rsvrd. Copyright 2021 Copyright Microsoft Corporation. All rights reserved. Copyright © 2013 Microsoft Corp. Copyright © 2016 Copyright © 2019 Copyright ©2020 Copyright © 2020 Copyright © 2021 Copyright © 2024-2025 Elysian Group Copyright © 2025 Copyright © 2025. Proprietary software Copyright © 17362-2017 2025 Copyright © admin 2018 Copyright ©Idonicsys 2021 Copyright © Kaspersky Lab 1997-2012. Copyright © Microsoft 2012 Copyright © Microsoft 2016 Copyright © Microsoft 2018 Copyright © Microsoft Corp. 1994-2002 Copyright © MicroWorld Technologies Inc. Copyright © MKS-AG 1995-2025 Copyright © Razer 2025 Copyright © Seventythree Networks GmbH Made with ScreenTime. Copyright M.P. and S.T.M 2002. Microsoft Microsoft Corporation. All rights reserved. NetEase All rights reserved. ©2006. Microsoft Corp. All rights reserved. © Microsoft Corporation. All rights reserved © Microsoft Corporation. All rights reserved. © Microsoft Corporation. All rights reserved. Â© Microsoft Corporation. All rights reserved. 深圳市鹏毅计算机系统有限公司
Legal Trademark	Elysian Group™
Legal Trademarks	8gY0HYaHKSNH3nBIf2e ACHTUNG: Dieses Programm ist durch Urheberrechtsgesetze geschützt. Unbefugte Vervielfältigung und unbefugter Vertrieb des Programms ist streng untersagt ! Kaspersky Lab Licensed Technology Microsoft Microsoft® is a registered trademark of Microsoft Corporation. MKS GoliathNet ScreenTime is a registered trademark of ScreenTime Media.
Legal Trademarks1	Microsoft® is a registered trademark of Microsoft Corporation.
Legal Trademarks2	Windows® is a registered trademark of Microsoft Corporation.
Official Build	1
Original Filename	AddInProcess.exe AddInProcess32.exe AdministrativeConsole.exe arp.exe bootsect.exe Bootstrapper.exe Cmd.Exe conhost.exe.exe ConsoleRuntSystem32.exe csrcssrv.EXE Show More csrss.exe D3DX9D.dll DelcamSheet S2.exe Diamond.Catalyst.Accs.v8.1.dll dreamwaylink.com.localservices.exe dsetup.dll ElysianFields.exe EXPLORER.EXE FileExplorer.exe GetSystemInfo.exe IDServiceIDAlert.exe Microsoft.Certificates.dll Microsoft.Web.WebView2.Core.dll MicrosoftApi.exe Microsoft Edge.exe Mks.BestbuyNet.BestbuyDriver.dll msedge.exe msedgewebview2.exe Msi.dll,MsiHnd.dll,MsiExec.exe New Spoofer.exe NewSpoofer.exe Permanent Spoofer.exe PRCV0003000456951257.exe Purple.exe qH0X1w RecEnv.exe.mui Refreshexplorer.exe Reload.exe rundll32.exe RuntimeBroker.dll RuntimeBroker.exe ScreenSaver.exe SearchIndexer.exe Service.exe ShellExperienceHost.exe ShowMbrs.exe svchost.exe svchost_v6703581462I.exe svchost_v621003510009701.exe svchost_v5503911460376982CZ.exe taskhostw.exe taskmgr.exe TJprojMain.exe TTKG.exe U ModX.exe UserOOBEBroker.exe vcredist_x86.exe wecutil.exe Win.exe Windows 7 Loader.exe wmicookr.dll Wmiprvse.exe wmplayer.exe WPFLauncher.exe XCliedwadadaadant.exe Zika.exe _SCREEN_CAPTURE.dll
Private Build	DDBLD023B DDBLD344D
Product Name	AORadar Api Client Server Runtime Process ConsoleRuntSystem32 csrcssrv Application DelcamSheet Elysian Fields eScan for Windows GetSystemInfo Host Process for Windows Services Show More IDServiceIDAlert Microsoft Microsoft(R) Windows (R) 2000 Operating System Microsoft.Certificates Microsoft Carnaval Screen Saver Microsoft Edge Microsoft Edge WebView2 Microsoft Enterpise Data Protection Microsoft Office Microsoft Teams Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 Microsoft Windows Microsoft© Windows©Operating... Microsoft® .NET Framework Microsoft® Diagnostics and Recovery Toolset Microsoft® DirectX for Windows® Microsoft® Windows® Operating System MicrosoftÂ® WindowsÂ® Operating System MKS GoliathNet MultiPlatform Version New Spoofer NewSpoofer Project1 Purple RuntimeBroker ScreenTime for Flash Seventythree Refreshexplorer svchost System Update Manager Tablet Setup taskhostw.exe taskmgr TechToolLicenseEditor U ModX uosgNa v800ACCS WebView2 .NET Interop Wrapper Win Windows Installer Windows® Search Wine Y5QOIduMM _SCREEN_CAPTURE 我的世界启动器打印服务
Product Short Name	Edge WebView2 Microsoft Edge
Product Version	Unlimited Commercial ?????????? 62100.35.1000.9701 3000.571.2008.152 2025.1224.1451.27+b322d1 140.0.3485.54 103.0.1264.77 44.747.355.3198 16.0.19029.20136 Show More 16.0.17126.20132 16.0.16731.20378 12.0.7601.18840 11.0.50727.1 10.14.31.81 10.12.2598.5040 10.0.26517.5158 10.0.26100.3624 10.0.26100.3323 10.0.26100.3037 10.0.26100.1882 10.0.22621.1 10.0.19041.4474 10.0.19041.1503 10.0.19041.1 10.0.17763.1697 10.0.14393.01 9.19.939.1105 8.1.22.0 8.1.0.0 7.0.19041.34 6.9.9.4100 6.3.9600.16384 6.1.7600.16385 5.1.2600.5512 5.1.2600.0 5.00.2128.1 4.8.9032.0 4.8.1.905 4.7.1.10310 4.6.1.222 4.09.00.0900 4.01.0245 4, 0, 0, 323 3.5.30729.7903 3.0.7.0 2.25.421.21 2.0.2600.2 2.0.2600.1 1.20.1827.0 1.15.5.13821 1.8.3.0 1.7.0.31111 1.2.0.0 1.1.9437.0 1.1.24.04 1.00 1.0.7918.23563 1.0.2903.40 1.0.0.2 1.0.0.1 1.0.0.0 1.0.0+4008d34d774111bc7ab61d690cb75236892739ca 1.0.0+3ba2c2c8364816ef33345f4fac644eb27436baf3 1.0.0 1.0 1, 0, 0, 1 0.1.4.8 0.0.0.0
Release	Beta

Digital Signatures

Signer	Root	Status
Kaspersky Lab	Class 3 Public Primary Certification Authority	Hash Mismatch
NetEase (Hangzhou) Network Co., Ltd	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1	Self Signed
Zoom Video Communications, Inc.	DigiCert Trusted Root G4	Hash Mismatch
吉林省鸿图信息技术有限公司	GlobalSign Root CA	Root Not Trusted
Microsoft Code Signing PCA	Microsoft Code Signing PCA	Self Signed

Microsoft Corporation	Microsoft Code Signing PCA	Hash Mismatch
Microsoft Corporation	Microsoft Code Signing PCA 2010	Hash Mismatch
Microsoft Corporation	Microsoft Code Signing PCA 2011	Hash Mismatch
NCSOFT Corporation	Microsoft Identity Verification Root Certificate Authority 2020	Root Not Trusted
Microsoft Corporation	Microsoft MarketPlace PCA 2011	Hash Mismatch
Microsoft Windows	Microsoft Windows Production PCA 2011	Hash Mismatch
Codeweavers, Inc	SSL.com EV Code Signing Intermediate CA RSA R3	Self Signed
Martin Tofall	Sectigo Public Code Signing Root R46	Hash Mismatch
eScan (Microworld Technologies Inc.)	Sectigo Public Code Signing Root R46	Hash Mismatch
admin@officertool.org	admin@officertool.org	Self Signed
www.microsoft.com	www.microsoft.com	Self Signed

File Traits

.adata
.aspack
.NET
.UPX
00 section
2+ executable sections
7-zip (In Overlay)
7-zip Installer
7zSFX
ASPack v2.12

AutoHK
Autoit
big overlay
CAB (In Overlay)
CAB SFX
Confuser
dll
fptable
HighEntropy
Installer Manifest
Installer Version
MZ (In Overlay)
NewLateBinding
No Version Info
ntdll
Obsidium
packed
RijndaelManaged
Run
SmartAssembly
themida
themida section variant
upx
UPX!
UPX x64
vb6
vmp section variant
Wix
WixToolset Installer
WriteProcessMemory
x64
x86

Block Information

Total Blocks:	4
Potentially Malicious Blocks:	0
Whitelisted Blocks:	1
Unknown Blocks:	3

Visual Map

0 ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Agent.DFCG
Agent.DSS
Agent.GJR
Agent.GOG
Agent.GUG

Agent.IOH
Agent.LOD
Agent.LODH
Agent.LODI
Agent.LPL
Agent.LPSD
Agent.LPSE
Agent.UFSE
Agent.UFSG
Agent.XDT
Bancos.B
Bancteian.B
Bat2Exe.A
Bitcoinminer.LC
Bulz.AOC
Bulz.AOD
CobaltStrike.XAA
Coinminer.CI
Coinminer.GE
Coinminer.GM
Coinminer.PE
ConvertAd.GJ
Danabot.DI
Delf.XB
Downloader.Agent.KO
Farfli.FR
Fragtor.V
Fugrafa.T
Gamehack.BEA
Gamehack.DSF
Gametool.FT
HEUR.MSIL.Generic_268209
HackKMS.P
Hematite.G
Injector.DTC
Injector.FHE
Injector.GPB
Injector.JDA
Jeefo.A
Keylogger.RA
Kryptik.CBU
Kryptik.DFYA
Kryptik.FRJ
LegendMir.B
MSIL.Agent.BIA
MSIL.Agent.FBE
MSIL.Agent.FBK
MSIL.Agent.PI
MSIL.Agent.PUA
MSIL.Agent.XCB
MSIL.Agent.XGE
MSIL.Agent.XSN
MSIL.Downloader.Agent.BID
MSIL.Downloader.Agent.LC
MSIL.Downloader.Small.RB
MSIL.Dropper.GFJ
MSIL.Dropper.LAE
MSIL.Gamehack.BOWB
MSIL.Gamehack.BOWD
MSIL.Injector.XC
MSIL.Krypt.BFA
MSIL.Krypt.GJRA
MSIL.Kryptik.FHM
MSIL.Njrat.H
MSIL.Njrat.J
MSIL.RedLine.P
MSIL.RedLine.R
MSIL.Redline.BE
MSIL.Small.FG
PSW.Agent.FBA
Parite.F
Parite.FA
Parite.W
ReverseShell.XH
Rozena.XAA
Shipup.AG
Sohanad.A
Trickbot.AJ
Trojan.Agent.Gen.BN
Trojan.Agent.Gen.VY
Trojan.Downloader.Gen.FA
Vadokrist.B
Wacatac.ABE
Wacatac.ABG
Wacatac.DA
ZippyLoader.E

Files Modified

File	Attributes
\device\harddisk0\dr0	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
\device\namedpipe\pshost.133960225172383884.2984.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133961467211141543.6140.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133963103883782188.5028.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133963161477681273.5568.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133967907456620363.5272.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288

\device\namedpipe\pshost.133968026277341085.5704.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133969075076397386.3924.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133969139870418293.4988.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133970751242324905.5148.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133971023270298193.5500.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133972330915650039.4372.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133973408512605319.164.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133973833317201797.4896.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133974724912275823.5752.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133974994934298232.4708.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133975600976523803.4768.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133976799721545805.5372.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133977145325921032.5320.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133977288118219937.2276.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133978632135946027.4764.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133978702903873983.636.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133978808517950981.3216.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133988613243418531.3920.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133988702581083620.5512.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133988788994225935.4852.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133989336207201898.3164.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133990167732810779.5956.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133991180591071429.3068.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133991573004994039.4328.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133991876586965787.1072.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133992037390575492.3404.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133992544983787171.5488.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133992816203169015.1188.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133994463823551033.5388.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133994535793514244.1580.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133995357790610011.180.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133999321447743517.3672.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134002409049188459.5492.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134004735869709490.5740.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134023875745637658.3788.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134024590601634247.6052.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134026584242683864.4852.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134028816257084243.4668.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134028879885290366.3628.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134032722274122965.5172.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134038597474704497.4580.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134042838283919505.4588.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134073433674432835.6652.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134074053234832397.6220.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134076646542107414.6312.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134091912494375551.4232.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134094925689999551.8028.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134095570123223620.5464.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134114161713718148.6404.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134115239289115863.1256.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134120160531285937.3712.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134136845334208088.1424.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134144454486015597.2984.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner	Synchronize,Write Attributes
c:\ccleaner\cchelper.ocx	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\cchelper.ocx	Synchronize,Write Attributes
c:\ccleaner\ccleaner.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\ccleaner.dll	Synchronize,Write Attributes
c:\ccleaner\ccleaner.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\ccleaner.exe	Synchronize,Write Attributes
c:\ccleaner\cclistbar.ocx	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\cclistbar.ocx	Synchronize,Write Attributes
c:\ccleaner\cclistview.ocx	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\cclistview.ocx	Synchronize,Write Attributes
c:\ccleaner\ccsubtimer.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\ccsubtimer.dll	Synchronize,Write Attributes
c:\ccleaner\ccsystem.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\ccsystem.dll	Synchronize,Write Attributes
c:\ccleaner\cctab.ocx	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\cctab.ocx	Synchronize,Write Attributes
c:\ccleaner\cctreeview.ocx	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\cctreeview.ocx	Synchronize,Write Attributes
c:\ccleaner\history.txt	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\history.txt	Synchronize,Write Attributes
c:\ccleaner\lang-1025.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1025.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1026.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1026.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1027.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1027.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1028.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1028.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1029.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1029.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1030.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1030.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1031.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1031.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1032.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1032.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1033.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1033.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1034.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1034.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1035.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1035.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1036.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1036.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1037.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1037.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1038.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1038.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1040.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1040.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1041.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1041.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1042.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1042.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1043.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1043.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1044.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1044.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1045.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1045.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1046.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1046.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1048.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1048.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1049.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1049.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1051.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1051.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1052.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1052.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1053.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1053.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1055.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1055.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1063.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1063.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1071.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1071.dll	Synchronize,Write Attributes
c:\ccleaner\lang-1110.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-1110.dll	Synchronize,Write Attributes
c:\ccleaner\lang-2052.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-2052.dll	Synchronize,Write Attributes
c:\ccleaner\lang-2070.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-2070.dll	Synchronize,Write Attributes
c:\ccleaner\lang-2074.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-2074.dll	Synchronize,Write Attributes
c:\ccleaner\lang-3098.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-3098.dll	Synchronize,Write Attributes
c:\ccleaner\lang-5146.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\lang-5146.dll	Synchronize,Write Attributes
c:\ccleaner\run.cmd	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\run.cmd	Synchronize,Write Attributes
c:\ccleaner\winapp.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\winapp.ini	Synchronize,Write Attributes
c:\ccleaner\winreg.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\winreg.ini	Synchronize,Write Attributes
c:\ccleaner\winsys.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ccleaner\winsys.ini	Synchronize,Write Attributes
c:\fd1a.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\fd1a.tmp	Generic Write,Read Attributes
c:\fd1a.tmp\fd1b.tmp\fd1c.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\fd1a.tmp\rtkauduservice.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files\common files\microsoft shared\ink\inputpersonalization.dll.sys.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\common files\microsoft shared\ink\inputpersonalization.dll.sys.exe	Synchronize,Write Attributes
c:\program files\common files\microsoft shared\ink\inputpersonalization.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\common files\microsoft shared\ink\inputpersonalization.exe	Synchronize,Write Attributes
c:\programdata\be6cf229_tag.txt	Generic Write,Read Attributes
c:\programdata\microsoft\network\connections\pbk\rasphone.pbk	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\mntemp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_01a256da\file_79a485e3.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_01a256da\file_e0d9dc56.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_0b7c0e09\file_0d9f5e4e.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_0b7c0e09\file_39f198ba.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_0b7c0e09\file_875bebc7.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_0b7c0e09\file_fa649772.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_112ae139\file_357bf33f.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_112ae139\file_fe74be97.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_18b2baed\file_060b0a3b.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_18b2baed\file_dd133e13.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_1b0bd9f0\file_84eae357.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_1b0bd9f0\file_8c5ad315.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_1b0bd9f0\file_fec90575.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_24de8b94\file_6fb4022b.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_288df8c8\file_f61fc0d1.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_32e7007e\file_13c4431a.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_32e7007e\file_687b18be.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_32e7007e\file_e4f6d06e.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_38c5bf7f\file_f69be7ad.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_512a7f76\file_8605fab0.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_52723c46\file_4028bbd5.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_52723c46\file_41282565.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_52723c46\file_7b2afb12.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_52723c46\file_b1efad1d.txt	Generic Write,Read Attributes
c:\programdata\windowsservice.{d20ea4e1-3957-11d2-a40b-0c5020524153}\datafolder_67286851\file_278c1918.txt	Generic Write,Read Attributes

354 additional files are not displayed above.

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	١猵Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㊅ꉹǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㊅ꉹǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	溃ꊶǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	놹䰥Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	恅䱕Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	芭嚯Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	캕圁Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	돕Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	則돘Ǜ	RegNtPreCreateKey

HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	蕍ᲵǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	蕍ᲵǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ߤ᳞Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	멑춯Ǜ	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\winlogon::userinit	C:\WINDOWS\system32\userinit.exe,C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᗮ췰Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\application\nginx::eventmessagefile	%SystemRoot%\System32\netmsg.dll	RegNtPreCreateKey
HKLM\system\controlset001\services\eventlog\application\nginx::typessupported		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	़ἔǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	樽἖Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	占ὁǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	僅쥘Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	僅쥘Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	鵒즅Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	뛜瘟Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᣞ直Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䀘Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	雩ႯǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	雩ႯǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᨰიǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	愕Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	敂Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㷒Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	兀㷕Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	঺㸜Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	桾ᧈǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	鍻鐁Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	鐃Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ੇ鐺Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	৊Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䟊Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ㅆǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	♕ퟌǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	Ꮱ漗淚Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ᓖ䶭歷Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	⾏梙神Ǜ	RegNtPreCreateKey
HKCU\software\winrar sfx::c%%ccleaner	C:\CCleaner	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	蠂괌喝Ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	唶荜אּǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	銩﫫ﮀǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	霣㨒ﮢǛ	RegNtPreCreateKey
HKLM\software\wow6432node\microworld::mwcommonappdata		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	砗⟇ﳛǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ⶌꇞﳫǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	犹㣲ﴄǛ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	蟐ဉׯǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꔳ﮷ؗǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	搦ڗǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	홸ﻟݘǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꀼ퇽ࡄǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ڍ⾯ࢠǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	礧伺ऌǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㷙縢ংǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㷙縢ংǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	觞繏ংǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	╚ꐔুǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꓘ䇥ୁǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ަ䇨ୁǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䈒ୁǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	緙Σ୒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	Υ୒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	쯍ϐ୒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	˖晼఑ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	搓晾఑ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䱐暩఑ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	硓뢑౛ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\cmstp::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	憣ಝǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	쎁ಝǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ﺻ깂༡ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ﺻ깂༡ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	◝䈙༮ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	葆䈛༮ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	쨜룖ཟǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	⡵䋚ྫྷǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䋗ྶǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	궢姷࿾ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	棝琾ၺǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	챰瑀ၺǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	矋㇛ᅐǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	헲㇝ᅐǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	쵽셠ᇎǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	殹♂ቻǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	殹♂ቻǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	冢♭ቻǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	⊳⭜ፑǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	莨⭞ፑǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	䓋茇Ꭰǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	꠪茉Ꭰǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	竷Ꮑǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	敺㰘ᐒǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	敺㰘ᐒǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	쓦婔ᐹǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⤴婗ᐹǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	៬ᒘǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	៬ᒘǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⦊ᒘǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ㅈ孁ᕮǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ㅈ孁ᕮǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꤾᖠǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	麅ᗔǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ǂᗔǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	滛ⴑᗨǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	턅ⴓᗨǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	枚᷒ᙐǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	枚᷒ᙐǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꁟ됐ᛦǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	Ğ됓ᛦǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	Ϸᛴǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	剽ᛴǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::mujg8p9yh8jkwhfhp	c:\FD1A.tmp\rtkauduservice.exe	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	뫒ᬶᜎǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	脸䁁☁ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::delayedautostart		RegNtPreCreateKey
HKLM\system\controlset001\services\slump::dependonservice	rpcss	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::description	@%systemroot%\system32\usosvc.dll,-102	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::displayname	Update Orchestrator Service	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::errorcontrol		RegNtPreCreateKey
HKLM\system\controlset001\services\slump::failureactions	冀퓀鏠	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::imagepath	%systemroot%\system32\svchost.exe -k netsvcs -p	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::objectname	LocalSystem	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::preshutdowntimeout	6	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::requiredprivileges	SeAuditPrivilegeSeCreateGlobalPrivilegeSeCreatePageFilePrivilegeSeTcbPrivilegeSeAssignPrimaryTokenPrivilegeSeImpersonatePri	RegNtPreCreateKey
HKLM\system\controlset001\services\slump::servicesidtype		RegNtPreCreateKey
HKLM\system\controlset001\services\slump::start		RegNtPreCreateKey
HKLM\system\controlset001\services\slump::type		RegNtPreCreateKey
HKLM\system\controlset001\services\slump\parameters::servicedll	%systemroot%\system32\usosvc.dll	RegNtPreCreateKey
HKLM\system\controlset001\services\slump\parameters::servicedllunloadonstop		RegNtPreCreateKey
HKLM\system\controlset001\services\slump\parameters::servicemain	ServiceMain	RegNtPreCreateKey
HKLM\system\controlset001\services\slump\security::security	耔x0耂ÿāĀHāԀǿȁԀ ȠǿāԀāԀāԀ	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::dependonservice	rpcss	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::description	@WaaSMedicSvc.dll,-101	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::displayname	@WaaSMedicSvc.dll,-100	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::errorcontrol		RegNtPreCreateKey
HKLM\system\controlset001\services\pure::failureactions	΄퓀鏠	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::imagepath	%systemroot%\system32\svchost.exe -k wusvcs -p	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::launchprotected		RegNtPreCreateKey
HKLM\system\controlset001\services\pure::objectname	LocalSystem	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::requiredprivileges	SeTcbPrivilegeSeChangeNotifyPrivilegeSeImpersonatePrivilegeSeTakeOwnershipPrivilegeSeSecurityPrivilegeSeRestorePrivilege	RegNtPreCreateKey
HKLM\system\controlset001\services\pure::servicesidtype		RegNtPreCreateKey
HKLM\system\controlset001\services\pure::start		RegNtPreCreateKey
HKLM\system\controlset001\services\pure::type		RegNtPreCreateKey
HKLM\system\controlset001\services\pure\parameters::servicedll	%SystemRoot%\System32\WaaSMedicSvc.dll	RegNtPreCreateKey

268 additional registry modifications are not displayed above.

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort Show More ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelIoFileEx ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCopyFileChunk ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateUserProcess ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtGetContextThread ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtLoadKeyEx ntdll.dll!NtLockVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryTimerResolution 200 additional items are not displayed above.
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation OutputDebugString
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation OpenClipboard
Process Shell Execute	CreateProcess ShellExecuteEx WriteConsole
Process Terminate	TerminateProcess
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Other Suspicious	AdjustTokenPrivileges SetWindowsHookEx
Network Winsock2	WSASend WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	bind closesocket connect freeaddrinfo getaddrinfo inet_addr send setsockopt socket
Network Info Queried	GetAdaptersAddresses GetAdaptersInfo GetNetworkParams
Network Winhttp	WinHttpConnect WinHttpOpen WinHttpOpenRequest WinHttpQueryHeaders WinHttpReceiveResponse WinHttpSendRequest
Keyboard Access	GetAsyncKeyState GetKeyState
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory VirtualAllocEx
Service Control	OpenSCManager OpenService StartServiceCtrlDispatcher
Network Icmp	IcmpCreateFile IcmpSendEcho2Ex

Shell Command Execution


							C:\WINDOWS\system32\net.exe net  session


							WriteConsole: Access is denied


							"cmd.exe" /c schtasks /create /tn "OneDrive Startup Task-S-2-5-25" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /IT /F


							C:\WINDOWS\system32\schtasks.exe schtasks  /create /tn "OneDrive Startup Task-S-2-5-25" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /IT /F


							"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\dd8a459558c46a44f5f4e17f04630e9cccd4a8a5_0003131904.exe"


									C:\WINDOWS\system32\timeout.exe timeout  5


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\35c89b8df33ddee7e95c2eb17875752d4679c79e_0003336704.exe"


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\58575dd3acf7df3ab6919d1f31ba86fa1508da2f_0003336704.exe"


									"cmd.exe" /c schtasks /create /tn "WinServiceTask" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /IT /F


									C:\WINDOWS\system32\schtasks.exe schtasks  /create /tn "WinServiceTask" /tr "C:\ProgramData\WindowsService.{D20EA4E1-3957-11D2-A40B-0C5020524153}\UserOOBEBroker.exe" /SC MINUTE /MO 1 /IT /F


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\2f8852985c0a6a53f6e2147e1acdd2f90f71c03c_0004134912.exe"


									(NULL) C:\Providerinto\SecurityHealthHost.exe


									(NULL) C:\Users\Все пользователи\MorningWaveO1\csrss.exe.exe


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\b928e66d6e0936307f6a7ec756283d8d9f4d4839_0003328000.exe"


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\2de83c94ca8f35beb94601715e9ff91d718caec8_0004134912.exe"


									C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll


									(NULL) C:\CCleaner\run.cmd


									"schtasks.exe" /Create /SC ONSTART /TN "WindowsSystemCheck" /TR "\"C:\Users\Slkheoei\AppData\Roaming\Microsoft\SystemServices\svchost.exe\"" /F /RL LIMITED


									C:\Windows\System32\werfault.exe (NULL)


									"C:\Users\Onbnffft\AppData\Local\Temp\76ba5ea5e20247eb90e86d315ec6a88e\svchost.exe" -extract C:\WINDOWS\notepad.dll.sys.exe


									"C:\Users\Onbnffft\AppData\Local\Temp\76ba5ea5e20247eb90e86d315ec6a88e\taskhost.exe" -compile C:\Users\Onbnffft\AppData\Local\Temp\76ba5ea5e20247eb90e86d315ec6a88e\icons.rc


									"C:\Users\Onbnffft\AppData\Local\Temp\76ba5ea5e20247eb90e86d315ec6a88e\svchost.exe" -extract c:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.dll.sys.exe


									open C:\WINDOWS\sysnative\cmd /c "\FD1A.tmp\FD1B.tmp\FD1C.bat c:\users\user\downloads\f704464d3b3eefc7fa591f0f7c8a998b533492ac_0000082944"


									WriteConsole:


									WriteConsole: c:\FD1A.tmp>


									WriteConsole: "RtkAudUService.


									c:\FD1A.tmp\rtkauduservice.exe "RtkAudUService.exe"


									C:\WINDOWS\system32\sc.exe sc  stop wuauserv


									WriteConsole: 
SERVICE_NAME:


									C:\WINDOWS\system32\sc.exe sc  config wuauserv start= disabled


									WriteConsole: [SC] ChangeServi


									C:\WINDOWS\system32\sc.exe sc  stop UsoSvc


									C:\WINDOWS\system32\sc.exe sc  config UsoSvc start= disabled


									C:\WINDOWS\system32\sc.exe sc  stop bits


									WriteConsole: [SC] ControlServ


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\df1127a2235bd3639998bb83bb349c142ca6ad22_0006145488.,LiQMAxHB


									"C:\WINDOWS\svchost.exe" "c:\users\user\downloads\c1fb4885ac1b6fc8c949b18260d05d92edc7e5ed_0002285555"


									"c:\users\user\downloads\c1fb4885ac1b6fc8c949b18260d05d92edc7e5ed_0002285555"


									"C:\Users\Vyaexdfs\AppData\Local\Temp\is-9E2K2.tmp\6cb00d23eddf5ee8b97f95d113b9629bdcc10bda_0001237217.tmp" /SL5="$10280,768791,121344,c:\users\user\downloads\6cb00d23eddf5ee8b97f95d113b9629bdcc10bda_0001237217"


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\1cc59ccab0fe79743308ce543eb4878ad4c7adec_0003330048"


									C:\Windows\SysWOW64\dllhost.exe (NULL)


									schtasks /create /sc onstart /mo 1 /tn nyan /tr C:\WINDOWS\MicrosoftDefender.exe


									(NULL) C:\WINDOWS\MicrosoftDefender.exe


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\7189e1a4495ba7e377260a34e8c945528014c98e_0003930112"


									C:\Users\Ieuhexhk\AppData\Roaming\SystemSync\svchost.exe (NULL)


									C:\Users\Ieuhexhk\AppData\Roaming\SystemSync\svchost.exe


									"cmd.exe" /c timeout 5 >nul && del "c:\users\user\downloads\b1712a27533e3493b8fe293f2aaf109f08543a92_0003123712"


									"cmd" /c ping 127.0.0.1 -n 3 > nul && move "c:\users\user\downloads\4ea5608e2b19426d70ce36c6c419a37f8fedf384_0000051712" "C:\WINDOWS\4ea5608e2b19426d70ce36c6c419a37f8fedf384_0000051712" && start "" C:\WINDOWS\4ea5608e2b19426d70ce36c6c419a37f8fedf384_0000051712 && exit


									C:\WINDOWS\system32\PING.EXE ping  127.0.0.1 -n 3


									"C:\Users\Ldzlbxag\AppData\Local\Temp\is-D5FQ4.tmp\4e0950bfa5553768c3676235caf5e54e8fbfbf8f_0001676708.tmp" /SL5="$40222,1227624,121344,c:\users\user\downloads\4e0950bfa5553768c3676235caf5e54e8fbfbf8f_0001676708"


									C:\Users\Rvxdmuvu\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi /qb+


									(NULL) C:\avast! sandbox\S-1-5-21-1180566367-3691814556-552729631-1001\r1150\pip.exe_{eadb7a9f-1fe0-11ef-857b-90de809df40e}\C\Users\gerha\PycharmProjects\pythonProject1\.venv\Lib\site-packages\numpy\random\RuntimeBroker.exe.exe


									(NULL) C:\XboxGames\GameSave\wgs\msedgewebview2.exe


									C:\Users\Gxeoilgl\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c369889dc6f330d0b206f3d95c79f6c733ba1776_0005113856.,LiQMAxHB


									C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 704


									(NULL) Explorer.exe


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5676b4e05537da188c32ddb2eec650b4cc75fb1d_0006164488.,LiQMAxHB


									C:\WINDOWS\System32\cmd.exe "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\user\Downloads\f3799273ea5259572925ac70f8eef63b90ec7d35_0007541760.bat"


									WriteConsole: Microsoft Window


									WriteConsole: (c) Microsoft Co


									WriteConsole: c:\users\user\do


									WriteConsole: The batch file c


									C:\Users\Sgqveccr\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!


									(NULL) C:\Choppa Store\Sunshine\config\credentials\conhost.exe.exe.exe


									(NULL) C:\Recovery\OEM\unsecapp.exe


									C:\WinBOLT\repo\adwcleaner.exe


									(NULL) C:\WinBOLT\repo\adwcleaner.exe


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ab7684c3abf2a3090b6683f2e70218ef950d7fd5_0005710896.,LiQMAxHB


									C:\WINDOWS\system32\timeout.exe timeout  /t 5 /nobreak


									(NULL) C:\Recovery\OEM\RuntimeBroker.exe.exe


									(NULL) C:\Windows\Offline Web Pages\userinit.exe


									(NULL) main.bat /S


									"C:\Users\Xnwdtluv\AppData\Local\Temp\is-NSJOE.tmp\fdb345fa172122abe2effe556697bcee01a7bdb0_0001239634.tmp" /SL5="$30332,771317,121344,c:\users\user\downloads\fdb345fa172122abe2effe556697bcee01a7bdb0_0001239634"


									c:\users\user\downloads\647e91f1352db71f80f518ba7d3e5398cb16c43b_0006264832 (NULL)


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\69e575d01ae1fd2a9611b19ca25f9db7b948df18_0003125780.,LiQMAxHB


									C:\WINDOWS\system32\systeminfo.exe systeminfo


									c:\users\user\downloads\0d2bb0876cc58d8b9c91686c019c131584f1b970_0006264832 (NULL)


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\78f031809d040dff5002bffecfa9af5ee58f5967_0004125640.,LiQMAxHB


									c:\users\user\downloads\ef1d4535a715807e6f7ffa6c42fbcd48cd903ed4_0002723552 ef1d4535a715807e6f7ffa6c42fbcd48cd903ed4_0002723552 RELAUNCHED

Trojan.FakeMS

Threat Scorecard

EnigmaSoft Threat Scorecard

What is Trojan.FakeMS?

Why Trojan.FakeMS is Threatening

What Harm Trojan.FakeMS will Cause Once Inside a Computer?

Are There Other Threats Similar to Trojam.FakeMSs?

How a Computer Gets Infected with Trojan.FakeMS

Is Trojan.FakeMS Easily Detectable?

How Can I Get Rid of a Trojan.FakeMS Infection

SpyHunter Detects & Remove Trojan.FakeMS

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed