agenttesla | 5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

Analysis

max time kernel
176s
max time network
542s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-09-04.zip
Size

299.5MB
MD5

eea227737face033b823122d906dabed
SHA1

a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
SHA256

5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
SHA512

99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
SSDEEP

6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

seznam.zapto.org:5050

Mutex

587285a8a9a841d

Attributes

reg_key
587285a8a9a841d
splitter
@!#&^%$

Extracted

Family

asyncrat

Version

1.0.7

Botnet

PIJAO 4 SEPT

16agostok.duckdns.org:8004

Mutex

DcRatMutex_qwqdanchunfdsaf

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

040923_rc

sept4em.tuktuk.ug:11290

Attributes

auth_value
47c23aee408443d5484756dcc468f53a

Extracted

Family

formbook

Version

4.1

Campaign

mh21

Decoy

qiandaye.top

zltgw.com

getxgp.link

forest-create.site

parsefilm.com

foodstore.top

reynoldsquality.com

tripleshops.com

altuwaijrifood.com

seniorassistedlivinglocator.com

essencedelanature.com

hrwv098.xyz

olkja.xyz

10685johansen.com

ajidenhp.com

sensifiedregistration.com

timetodatings.life

bizbet-review-pt.com

zhangming.asia

xn--vhq074eeozsda.top

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Extracted

Family

agenttesla

https://discord.com/api/webhooks/1145377925911290017/Z97pWUel52_tvWrOxk5XM_0ix9wRotIAl7h7K28Vywe0zXm3VwLHM3OoIEB0RzM-IrRE

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		6840	schtasks.exe
		1824	schtasks.exe
		1288	schtasks.exe
		6100	schtasks.exe
		5496	schtasks.exe
		5912	schtasks.exe
		2888	schtasks.exe
		6000	schtasks.exe
		4428	schtasks.exe
		2472	schtasks.exe
		7000	schtasks.exe
		2964	schtasks.exe
		2668	schtasks.exe
		5216	schtasks.exe
		5664	schtasks.exe
		2300	schtasks.exe
		4052	schtasks.exe
		5648	schtasks.exe
		5476	schtasks.exe
		4312	schtasks.exe
		4948	schtasks.exe
		512	schtasks.exe
		5492	schtasks.exe
		6688	schtasks.exe
		5944	schtasks.exe
		5804	schtasks.exe
		204	schtasks.exe
		5944	schtasks.exe
		3164	schtasks.exe
		5024	schtasks.exe
		2784	schtasks.exe
		1040	schtasks.exe
		3864	schtasks.exe
		3112	schtasks.exe
		5404	schtasks.exe
		5376	schtasks.exe
		1484	schtasks.exe
		2560	schtasks.exe
		3148	schtasks.exe
		6116	schtasks.exe
		1260	schtasks.exe
		7668	schtasks.exe
		2564	schtasks.exe
		5904	schtasks.exe
		4808	schtasks.exe
		980	schtasks.exe
		768	schtasks.exe
		5388	schtasks.exe
		3508	schtasks.exe
		3912	schtasks.exe
		3164	schtasks.exe
		5648	schtasks.exe
		9512	schtasks.exe
		7056	schtasks.exe
		3080	schtasks.exe
		3628	schtasks.exe
		5724	schtasks.exe
		5504	schtasks.exe
		2156	schtasks.exe
		8356	schtasks.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\e6c9b481da804f		1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
		4948	schtasks.exe
		512	schtasks.exe
		6024	schtasks.exe

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000700000001692e-1393.dat	family_neshta

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\wininit.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\wininit.exe\", \"C:\\Users\\Admin\\csrss.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Users\\Default\\spoolsv.exe\", \"C:\\Windows\\CbsTemp\\sihost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\wininit.exe\", \"C:\\Users\\Admin\\csrss.exe\", \"C:\\Windows\\ModemLogs\\wininit.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4300	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	4300	schtasks.exe	87

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4888-125-0x00000000059B0000-0x0000000005A12000-memory.dmp	family_redline
behavioral1/memory/4888-124-0x00000000034F0000-0x0000000003556000-memory.dmp	family_redline
behavioral1/memory/4564-150-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/532-174-0x0000000005990000-0x00000000059F6000-memory.dmp	family_redline
behavioral1/memory/3248-175-0x0000000005910000-0x0000000005976000-memory.dmp	family_redline
behavioral1/memory/532-176-0x0000000005EF0000-0x0000000005F52000-memory.dmp	family_redline
behavioral1/memory/6184-489-0x0000000000190000-0x00000000001EA000-memory.dmp	family_redline
behavioral1/memory/7084-549-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
behavioral1/memory/5540-548-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/4412-15-0x0000000000D30000-0x0000000000E24000-memory.dmp	dcrat
behavioral1/files/0x000800000001abce-22.dat	dcrat
behavioral1/memory/1956-61-0x0000000000290000-0x000000000036A000-memory.dmp	dcrat
behavioral1/files/0x000700000001ade2-74.dat	dcrat

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1840-313-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1840-330-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/6060-358-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/996-389-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
7216	powershell.exe
9236	powershell.exe
9748	powershell.exe
4224	powershell.exe
5248	powershell.exe
2932	powershell.exe
9064	powershell.exe
7684	powershell.exe
8672	powershell.exe
5756	powershell.exe
9724	powershell.exe
6960	powershell.exe
7872	powershell.exe
9360	powershell.exe
7544	powershell.exe
6536	powershell.exe
6672	powershell.exe
8172	powershell.exe
7504	powershell.exe
6208	powershell.exe
1488	powershell.exe
9004	powershell.exe
5544	powershell.exe
7264	powershell.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32.exeb4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe

pid	Process
2388	regsvr32.exe
3696	regsvr32.exe
2488	b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe
2488	b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\wininit.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\spoolsv.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\CbsTemp\\sihost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Defender\\de-DE\\services.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\csrss.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\spoolsv.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\csrss.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\ModemLogs\\wininit.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Adobe\\Setup\\dllhost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\CbsTemp\\sihost.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\wininit.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\ModemLogs\\wininit.exe\""	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1108	api.ipify.org
1328	api.ipify.org
1455	api.ipify.org
947	api.ipify.org
1177	api.ipify.org
1187	api.ipify.org
1938	api.ipify.org
434	api.ipify.org
436	api.ipify.org
439	api.ipify.org
946	api.ipify.org

Drops file in Program Files directory 5 IoCs

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\e6c9b481da804f	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Program Files\Windows Defender\de-DE\services.exe	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Program Files\Windows Defender\de-DE\c5b4cb5e9653cc	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe

Drops file in Windows directory 8 IoCs

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exetaskmgr.exe

description	ioc	Process
File created	C:\Windows\CbsTemp\sihost.exe	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Windows\CbsTemp\66fc9ff0ee96c2	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Windows\SystemResources\Windows.Data.TimeZones\pris\wininit.exe	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Windows\SystemResources\Windows.Data.TimeZones\pris\56085415360792	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
File created	C:\Windows\ModemLogs\wininit.exe	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
File created	C:\Windows\ModemLogs\56085415360792	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Program crash 44 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2880	2780	WerFault.exe	135
5424	5132	WerFault.exe	164
3800	2780	WerFault.exe	135
4712	5816	WerFault.exe	215
5244	5816	WerFault.exe	215
6216	5816	WerFault.exe	215
7136	5816	WerFault.exe	215
6732	5816	WerFault.exe	215
6740	5816	WerFault.exe	215
2544	5816	WerFault.exe	215
1380	5816	WerFault.exe	215
5656	5816	WerFault.exe	215
148	1772	WerFault.exe	294
6032	5816	WerFault.exe	215
8148	5816	WerFault.exe	215
7496	5816	WerFault.exe	215
7232	5816	WerFault.exe	215
2688	6580	WerFault.exe	247
6984	5816	WerFault.exe	215
1548	5816	WerFault.exe	215
5580	5816	WerFault.exe	215
6344	5816	WerFault.exe	215
3104	2780	WerFault.exe	330
8604	6580	WerFault.exe	247
9384	5816	WerFault.exe	215
7100	8644	WerFault.exe	465
9960	5816	WerFault.exe	215
9956	7080	WerFault.exe	441
8204	9800	WerFault.exe	533
4420	5816	WerFault.exe	215
5340	5816	WerFault.exe	215
10100	5816	WerFault.exe	215
7316	5816	WerFault.exe	215
8796	5816	WerFault.exe	215
5512	5816	WerFault.exe	215
1988	5816	WerFault.exe	215
7584	5816	WerFault.exe	215
4624	8936	WerFault.exe	537
736	5816	WerFault.exe	215
9404	5816	WerFault.exe	215
7656	5816	WerFault.exe	215
4952	5816	WerFault.exe	215
8596	5816	WerFault.exe	215
7892	5816	WerFault.exe	215

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	Process
5476	schtasks.exe
2784	schtasks.exe
5360	schtasks.exe
1812	schtasks.exe
7028	schtasks.exe
2964	schtasks.exe
5716	schtasks.exe
3628	schtasks.exe
1484	schtasks.exe
2560	schtasks.exe
6024	schtasks.exe
3864	schtasks.exe
5944	schtasks.exe
2940	schtasks.exe
2116	schtasks.exe
5128	schtasks.exe
2668	schtasks.exe
5372	schtasks.exe
5124	schtasks.exe
512	schtasks.exe
2300	schtasks.exe
768	schtasks.exe
3164	schtasks.exe
5204	schtasks.exe
7828	schtasks.exe
3508	schtasks.exe
4116	schtasks.exe
5796	schtasks.exe
4424	schtasks.exe
5296	schtasks.exe
5376	schtasks.exe
4428	schtasks.exe
1824	schtasks.exe
6000	schtasks.exe
5496	schtasks.exe
4948	schtasks.exe
3148	schtasks.exe
9512	schtasks.exe
5260	schtasks.exe
5024	schtasks.exe
5904	schtasks.exe
5944	schtasks.exe
3080	schtasks.exe
2472	schtasks.exe
3112	schtasks.exe
5408	schtasks.exe
6168	schtasks.exe
5388	schtasks.exe
7668	schtasks.exe
8084	schtasks.exe
4052	schtasks.exe
4628	schtasks.exe
4948	schtasks.exe
6992	schtasks.exe
3912	schtasks.exe
204	schtasks.exe
6100	schtasks.exe
6840	schtasks.exe
2888	schtasks.exe
5912	schtasks.exe
5644	schtasks.exe
5960	schtasks.exe
8356	schtasks.exe
9076	schtasks.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	Process
5696	ipconfig.exe
2268	ipconfig.exe
5944	ipconfig.exe
5776	ipconfig.exe

Modifies registry class 2 IoCs

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

taskmgr.exe1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe

pid	Process
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
1508	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskmgr.exe1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe

description	pid	Process
Token: SeDebugPrivilege	1508	taskmgr.exe
Token: SeSystemProfilePrivilege	1508	taskmgr.exe
Token: SeCreateGlobalPrivilege	1508	taskmgr.exe
Token: SeDebugPrivilege	4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
Token: SeDebugPrivilege	1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
Token: SeDebugPrivilege	4940	608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe
Token: SeDebugPrivilege	2780	9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

taskmgr.exe

pid	Process
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

taskmgr.exe

pid	Process
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.execmd.exe83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.execmd.exe

description	pid	Process	procid_target
PID 4412 wrote to memory of 740	4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe	116
PID 4412 wrote to memory of 740	4412	1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe	116
PID 740 wrote to memory of 4264	740	cmd.exe	118
PID 740 wrote to memory of 4264	740	cmd.exe	118
PID 3984 wrote to memory of 2388	3984	83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe	305
PID 3984 wrote to memory of 2388	3984	83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe	305
PID 3984 wrote to memory of 2388	3984	83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe	305
PID 1956 wrote to memory of 2980	1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe	129
PID 1956 wrote to memory of 2980	1956	49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe	129
PID 2960 wrote to memory of 3696	2960	2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe	131
PID 2960 wrote to memory of 3696	2960	2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe	131
PID 2960 wrote to memory of 3696	2960	2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe	131
PID 2980 wrote to memory of 2156	2980	cmd.exe	187
PID 2980 wrote to memory of 2156	2980	cmd.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-09-04.zip
1⤵
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3840

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508

C:\Users\Admin\Desktop\fol\2023-09-04\35327393d2e14ff4b73dadb9432d9c531f6d3b1d4d0d1ed139aea99c70e55281.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\35327393d2e14ff4b73dadb9432d9c531f6d3b1d4d0d1ed139aea99c70e55281.exe"
1⤵
PID:3812

C:\Users\Admin\Desktop\fol\2023-09-04\56f03a91d654f16d84bdf638fcfe9656f9c2865e3b88456834b2b62961ff7055.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\56f03a91d654f16d84bdf638fcfe9656f9c2865e3b88456834b2b62961ff7055.exe"
1⤵
PID:2336

C:\Users\Admin\Desktop\fol\2023-09-04\afa1925b54b7d405a44749b2d349dd7c658ebf4c1e5725e181874919ea22c132.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\afa1925b54b7d405a44749b2d349dd7c658ebf4c1e5725e181874919ea22c132.exe"
1⤵
PID:1896

C:\Users\Admin\Desktop\fol\2023-09-04\1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\28f8dD4oeg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4264
- - C:\Users\Default\spoolsv.exe
    "C:\Users\Default\spoolsv.exe"
    3⤵
    PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\de-DE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Users\Admin\Desktop\fol\2023-09-04\860c3c28fe9c4d8b7a334ea7df96b0e18d8cec439738c744b891a954160bbe1f.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\860c3c28fe9c4d8b7a334ea7df96b0e18d8cec439738c744b891a954160bbe1f.exe"
1⤵
PID:4908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\evvGaEBjqQitb.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5544
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\evvGaEBjqQitb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8AE.tmp"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:512
- C:\Users\Admin\Desktop\fol\2023-09-04\860c3c28fe9c4d8b7a334ea7df96b0e18d8cec439738c744b891a954160bbe1f.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\860c3c28fe9c4d8b7a334ea7df96b0e18d8cec439738c744b891a954160bbe1f.exe"
  2⤵
  PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.Data.TimeZones\pris\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.Data.TimeZones\pris\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.Data.TimeZones\pris\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Users\Admin\Desktop\fol\2023-09-04\83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\83cb7222ad53590ca2bcb504002f633a4a79b76204517dc2e99652227521a197.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" GRz41KVB.JxD -S
  2⤵
  - Loads dropped DLL
  PID:2388

C:\Users\Admin\Desktop\fol\2023-09-04\49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VSKioGbcuq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2156
- - C:\Users\Admin\Desktop\fol\2023-09-04\49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe
    "C:\Users\Admin\Desktop\fol\2023-09-04\49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe"
    3⤵
    PID:1924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gFSIl1zlHq.bat"
      4⤵
      PID:6140
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:6552
    - - C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe
        
        "C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe"
        5⤵
        
        PID:6356
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9775dbaf-9340-4c38-9184-6c18d9264a96.vbs"
        6⤵
        
        PID:6492
        
        C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe
        
        "C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe"
        7⤵
        
        PID:7968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01d2435-ab9f-4d77-84e3-a219e6eb178a.vbs"
        8⤵
        
        PID:4220
        
        C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe
        
        "C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe"
        9⤵
        
        PID:9632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448fe79f-5af1-4ce6-8f89-73f2fca7a3ff.vbs"
        10⤵
        
        PID:8808
        
        C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe
        
        "C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe"
        11⤵
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\effd0a2f-bd77-46e1-85f0-2c160c585b9a.vbs"
        10⤵
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644d7a13-a751-47bf-95ab-df70ab1974f6.vbs"
        8⤵
        
        PID:3984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6926a7df-218f-4b56-aa25-71422367825e.vbs"
        6⤵
        
        PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Users\Admin\Desktop\fol\2023-09-04\2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /u /S J9SMW.NXS
  2⤵
  - Loads dropped DLL
  PID:3696

C:\Users\Admin\Desktop\fol\2023-09-04\608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\Desktop\fol\2023-09-04\9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1816
  2⤵
  - Program crash
  PID:2880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1816
  2⤵
  - Program crash
  PID:3800

C:\Users\Admin\Desktop\fol\2023-09-04\b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe"
1⤵
- Loads dropped DLL
PID:2488
- C:\Users\Admin\Desktop\fol\2023-09-04\b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\b4cdcd853c6ff95dfa20e1667b4b7901dc74e13a7fa0ee1300da949e527ce288.exe"
  2⤵
  PID:3084

C:\Users\Admin\Desktop\fol\2023-09-04\c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487.exe"
1⤵
PID:4856

C:\Users\Admin\Desktop\fol\2023-09-04\2040a9add2ed71beb77c5440ef8c12e033c26488aaaed73333d97db37d9b02b2.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\2040a9add2ed71beb77c5440ef8c12e033c26488aaaed73333d97db37d9b02b2.exe"
1⤵
PID:2372

C:\Users\Admin\Desktop\fol\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe"
1⤵
PID:2952
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  PID:5788
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1884
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:5940
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:9712
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4648

C:\Users\Admin\Desktop\fol\2023-09-04\a7ba40524b86052ac99a051c5f0543f32e241a98faf4d5281c0ae0b8832c9f96.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\a7ba40524b86052ac99a051c5f0543f32e241a98faf4d5281c0ae0b8832c9f96.exe"
1⤵
PID:4888

C:\Users\Admin\Desktop\fol\2023-09-04\fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b.exe"
1⤵
PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hUpHogpmfLDNN.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4224
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hUpHogpmfLDNN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5128
- C:\Users\Admin\Desktop\fol\2023-09-04\fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b.exe"
  2⤵
  PID:6904

C:\Users\Admin\Desktop\fol\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"
1⤵
PID:1868
- C:\Users\Admin\Desktop\fol\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"
  2⤵
  PID:6908

C:\Users\Admin\Desktop\fol\2023-09-04\4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e.exe"
1⤵
PID:1288
- C:\Users\Admin\Desktop\fol\2023-09-04\4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\4d0e2778ee5d3e6ecd06d412459a79d86e9d2742403e378c7581a70cf0e2451e.exe"
  2⤵
  PID:6060

C:\Users\Admin\Desktop\fol\2023-09-04\bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d.exe"
1⤵
PID:3144
- C:\Users\Admin\Desktop\fol\2023-09-04\bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\bd03f21ffe0e1b5628a0f890aeb7c186e2330a4e59e554f675fee7994ed3ea5d.exe"
  2⤵
  PID:5964

C:\Users\Admin\Desktop\fol\2023-09-04\06dda69b17263ab5278c87789c0229886c676db72fafc8d503492fce45a78418.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\06dda69b17263ab5278c87789c0229886c676db72fafc8d503492fce45a78418.exe"
1⤵
PID:2356
- C:\Users\Admin\Desktop\fol\2023-09-04\06dda69b17263ab5278c87789c0229886c676db72fafc8d503492fce45a78418.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\06dda69b17263ab5278c87789c0229886c676db72fafc8d503492fce45a78418.exe"
  2⤵
  PID:5484

C:\Users\Admin\Desktop\fol\2023-09-04\63467054417c08142bccbc1e884540deccc6e7dee2cdd5c30733f3eb70398fe0.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\63467054417c08142bccbc1e884540deccc6e7dee2cdd5c30733f3eb70398fe0.exe"
1⤵
PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4564

C:\Users\Admin\Desktop\fol\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe"
1⤵
PID:3248
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:236

C:\Users\Admin\Desktop\fol\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe"
1⤵
PID:532

C:\Users\Admin\Desktop\fol\2023-09-04\97556d3262caa44ece90b032af0f4892b34fc2564ba16684667ea1c48a89e665.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\97556d3262caa44ece90b032af0f4892b34fc2564ba16684667ea1c48a89e665.exe"
1⤵
PID:4444

C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"
1⤵
PID:1556
- C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"
  2⤵
  PID:6404

C:\Users\Admin\Desktop\fol\2023-09-04\cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7.exe"
1⤵
PID:1112

C:\Users\Admin\Desktop\fol\2023-09-04\901284065d9965909444432aaa22ac55a74d64a8c5932712777cb2f020b3e01c.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\901284065d9965909444432aaa22ac55a74d64a8c5932712777cb2f020b3e01c.exe"
1⤵
PID:1308
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  PID:3496
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2452

C:\Users\Admin\Desktop\fol\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe"
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
  "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
    "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 416
    3⤵
    - Program crash
    PID:5424

C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"
1⤵
PID:1312

C:\Users\Admin\Desktop\fol\2023-09-04\c0ca3b7b303eb521724a9304137fc6a0c4b41b1f0af8c42da41275f17a880114.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\c0ca3b7b303eb521724a9304137fc6a0c4b41b1f0af8c42da41275f17a880114.exe"
1⤵
PID:1404
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -u -s BoHVhBvo.fYN
  2⤵
  PID:5432

C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"
1⤵
PID:1360

C:\Users\Admin\Desktop\fol\2023-09-04\7c26b59eb42db1f55cdf62dae1faefdded5ff0116266b9c025a108f1b0b92155.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\7c26b59eb42db1f55cdf62dae1faefdded5ff0116266b9c025a108f1b0b92155.exe"
1⤵
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487c" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5724

C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe"
1⤵
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487c" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\c923878c9c57da5f62d876f98adb44b7dcb289a9f745ac5ce97b7ac31815b487.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec15754" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec15754" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6024

C:\Users\Admin\Desktop\fol\2023-09-04\bcc3b49ae655985e603719e39588c754c32a65aefe5a7c38658abb211f18764a.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\bcc3b49ae655985e603719e39588c754c32a65aefe5a7c38658abb211f18764a.exe"
1⤵
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e30" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\WinMSIPC\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WinMSIPC\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e30" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\WinMSIPC\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec15754" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\Offline\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec15754" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\Offline\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "regsvr32r" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\regsvr32.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "regsvr32" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\regsvr32.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "regsvr32r" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\en-US\regsvr32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Users\Admin\Desktop\fol\2023-09-04\d1e98d098f45c722026716f6b574a056d535813805d00a8cc2f1943efc271fa9.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\d1e98d098f45c722026716f6b574a056d535813805d00a8cc2f1943efc271fa9.exe"
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
  "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
  2⤵
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
    "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
    3⤵
    PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:700

C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe"
1⤵
PID:2092

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:5832
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
  2⤵
  PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d9" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d9" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\9cf6d5cd29fb18af1b61c0a16afbb98bc5ee95cca75539a6a84749ee18f76b4d.exe'" /rl HIGHEST /f
1⤵
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
PID:5404

C:\Users\Admin\Desktop\fol\2023-09-04\b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\b2823172397c389e1ff948bd03473193ed8527eb19edff06cbb16e2b43ebc19f.exe"
1⤵
PID:5816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 736
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 712
  2⤵
  - Program crash
  PID:5244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 704
  2⤵
  - Program crash
  PID:6216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 752
  2⤵
  - Program crash
  PID:7136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 704
  2⤵
  - Program crash
  PID:6732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 720
  2⤵
  - Program crash
  PID:6740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 768
  2⤵
  - Program crash
  PID:2544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 704
  2⤵
  - Program crash
  PID:1380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 820
  2⤵
  - Program crash
  PID:5656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 828
  2⤵
  - Program crash
  PID:6032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 824
  2⤵
  - Program crash
  PID:8148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 752
  2⤵
  - Program crash
  PID:7496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 808
  2⤵
  - Program crash
  PID:7232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 836
  2⤵
  - Program crash
  PID:6984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 744
  2⤵
  - Program crash
  PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 816
  2⤵
  - Program crash
  PID:5580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 788
  2⤵
  - Program crash
  PID:6344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 840
  2⤵
  - Program crash
  PID:9384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 768
  2⤵
  - Program crash
  PID:9960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 680
  2⤵
  - Program crash
  PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 912
  2⤵
  - Program crash
  PID:5340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 848
  2⤵
  - Program crash
  PID:10100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 944
  2⤵
  - Program crash
  PID:7316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 908
  2⤵
  - Program crash
  PID:8796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 788
  2⤵
  - Program crash
  PID:5512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 908
  2⤵
  - Program crash
  PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 716
  2⤵
  - Program crash
  PID:7584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 820
  2⤵
  - Program crash
  PID:736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 884
  2⤵
  - Program crash
  PID:9404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 812
  2⤵
  - Program crash
  PID:7656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 952
  2⤵
  - Program crash
  PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 816
  2⤵
  - Program crash
  PID:8596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 896
  2⤵
  - Program crash
  PID:7892

C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\b54441492c600f40cc81d695ddec0bbc824920ed1567b3f8b14c545ec326f867.exe"
1⤵
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1116

C:\Users\Admin\Desktop\fol\2023-09-04\d1e98d098f45c722026716f6b574a056d535813805d00a8cc2f1943efc271fa9.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\d1e98d098f45c722026716f6b574a056d535813805d00a8cc2f1943efc271fa9.exe"
1⤵
PID:5756
- C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
  "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
    "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
    3⤵
    PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:6108

C:\Users\Admin\Desktop\fol\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"
1⤵
PID:5316
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe"
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6536
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClWWWrRvtgVoLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8663.tmp"
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\ClWWWrRvtgVoLl /XML C:\Users\Admin\AppData\Local\Temp\tmp8663.tmp
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:6840
- C:\Users\Admin\Desktop\fol\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"
  2⤵
  PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5804

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
1⤵
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:6116

C:\Users\Admin\Desktop\fol\2023-09-04\ec2a93fc951dac56dd988691db138c94ea8cbd477127bf95c2a9483f602d6b1e.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\ec2a93fc951dac56dd988691db138c94ea8cbd477127bf95c2a9483f602d6b1e.exe"
1⤵
PID:5796
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  PID:6696

C:\Users\Admin\Desktop\fol\2023-09-04\822d0f5ac3a56bad03ec102674e60c38bbc99f34f2df3a903ff173bbcaa3eb34.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\822d0f5ac3a56bad03ec102674e60c38bbc99f34f2df3a903ff173bbcaa3eb34.exe"
1⤵
PID:5568

C:\Users\Admin\Desktop\fol\2023-09-04\9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484.exe"
1⤵
PID:316
- C:\Users\Admin\Desktop\fol\2023-09-04\9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\9972272899a7a165546fd3c97f1df1c068c658154b947dd234db1a1204d0a484.exe"
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 1464
    3⤵
    - Program crash
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 1464
    3⤵
    - Program crash
    PID:8604

C:\Users\Admin\Desktop\fol\2023-09-04\80e79e78a00245dbe120085f7d1e4e30e6674bcb9f539540e4de667c5783e545.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\80e79e78a00245dbe120085f7d1e4e30e6674bcb9f539540e4de667c5783e545.exe"
1⤵
PID:5676
- C:\Users\Admin\Desktop\fol\2023-09-04\80e79e78a00245dbe120085f7d1e4e30e6674bcb9f539540e4de667c5783e545.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\80e79e78a00245dbe120085f7d1e4e30e6674bcb9f539540e4de667c5783e545.exe"
  2⤵
  PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\csrss.exe'" /rl HIGHEST /f
1⤵
PID:6680

C:\Users\Admin\Desktop\fol\2023-09-04\5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff.exe"
1⤵
PID:6756

C:\Users\Admin\Desktop\fol\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe"
1⤵
PID:6764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:6184
- C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"
  2⤵
  PID:6636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\csrss.exe'" /rl HIGHEST /f
1⤵
PID:6820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7c" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7.exe'" /f
1⤵
- DcRat
PID:7000

C:\Users\Admin\Desktop\fol\2023-09-04\554990b8636baf5af393d52ce85150a8b263b9c5fb214bc0e69a1b032ee8f3ae.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\554990b8636baf5af393d52ce85150a8b263b9c5fb214bc0e69a1b032ee8f3ae.exe"
1⤵
PID:7020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:7028

C:\Users\Admin\Desktop\fol\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"
1⤵
PID:7080
- C:\Users\Admin\Desktop\fol\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"
  2⤵
  PID:6572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7c" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cbc8fcdf10136e947c68cc5cc2b55364ef04a30c92c4b875cc194a675b322ec7.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2300

C:\Users\Admin\Desktop\fol\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe"
1⤵
PID:7124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:7084
- C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"
  2⤵
  PID:6564

C:\Users\Admin\Desktop\fol\2023-09-04\ca859659dae38d6b501ffd0f6a24e887ad3904422f088760062df9935cfe2d1d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\ca859659dae38d6b501ffd0f6a24e887ad3904422f088760062df9935cfe2d1d.exe"
1⤵
PID:5844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5540
- C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"
  2⤵
  PID:6768

C:\Users\Admin\Desktop\fol\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe"
1⤵
PID:3904

C:\Users\Admin\Desktop\fol\2023-09-04\71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61.exe"
1⤵
PID:204
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jaeWLN.exe"
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\jaeWLN.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6672
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jaeWLN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC93.tmp"
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\jaeWLN /XML C:\Users\Admin\AppData\Local\Temp\tmpCC93.tmp
    3⤵
    - Creates scheduled task(s)
    PID:6992
- C:\Users\Admin\Desktop\fol\2023-09-04\71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\71abfe67023b4b2085b187859621c1a5ef06fc8c8eafb4d084881a62a47ffc61.exe"
  2⤵
  PID:5128

C:\Users\Admin\Desktop\fol\2023-09-04\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
1⤵
PID:6404
- C:\Users\Admin\Desktop\fol\2023-09-04\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
  2⤵
  PID:6484

C:\Users\Admin\Desktop\fol\2023-09-04\ad7cbe9a265326ac497121d6421e3d2c7db8e6c0ed11aacee84f4b6674317dee.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\ad7cbe9a265326ac497121d6421e3d2c7db8e6c0ed11aacee84f4b6674317dee.exe"
1⤵
PID:5932
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gbxlLRJLa.exe"
  2⤵
  PID:7648
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\gbxlLRJLa.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5248
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gbxlLRJLa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA4.tmp"
  2⤵
  PID:7932
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\gbxlLRJLa /XML C:\Users\Admin\AppData\Local\Temp\tmpDA4.tmp
    3⤵
    PID:7096
- C:\Users\Admin\Desktop\fol\2023-09-04\ad7cbe9a265326ac497121d6421e3d2c7db8e6c0ed11aacee84f4b6674317dee.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\ad7cbe9a265326ac497121d6421e3d2c7db8e6c0ed11aacee84f4b6674317dee.exe"
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp25DF.tmp"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:7668
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4B0B.tmp"
    3⤵
    - DcRat
    PID:6688

C:\Users\Admin\Desktop\fol\2023-09-04\9056f301f73f5efea589d3a9665a441405a6f5fc77f75c09d5d5c43acf030666.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9056f301f73f5efea589d3a9665a441405a6f5fc77f75c09d5d5c43acf030666.exe"
1⤵
PID:6768

C:\Users\Admin\Desktop\fol\2023-09-04\6fc55b8d9f823b6551f50c9966e5a79a5d060f608b98ac334db1542b8730b80d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\6fc55b8d9f823b6551f50c9966e5a79a5d060f608b98ac334db1542b8730b80d.exe"
1⤵
PID:6424

C:\Users\Admin\Desktop\fol\2023-09-04\4fd58eee13df4088972d38f3d82ee3fd55e2106e6fc080c1d07eb5e9ed3770d0.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\4fd58eee13df4088972d38f3d82ee3fd55e2106e6fc080c1d07eb5e9ed3770d0.exe"
1⤵
PID:2760

C:\Users\Admin\Desktop\fol\2023-09-04\308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0.exe"
1⤵
PID:7088

C:\Users\Admin\Desktop\fol\2023-09-04\6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d.exe"
1⤵
PID:5976
- C:\Users\Admin\Desktop\fol\2023-09-04\6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\6c2878ebe0b46fa1c53e17178c365200c86d74530cd80a278d8be8eee02a136d.exe"
  2⤵
  PID:8084

C:\Users\Admin\Desktop\fol\2023-09-04\9c641b87cd72d0e95757d12a7cc1f98fc4cb4fcfd1f8ec1feb8d442c9fb257f8.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\9c641b87cd72d0e95757d12a7cc1f98fc4cb4fcfd1f8ec1feb8d442c9fb257f8.exe"
1⤵
PID:6832

C:\Users\Admin\Desktop\fol\2023-09-04\3ae8e5fa3663e5a029211030180d17ed9e4b6f70bc2fd3cc54c7108b2b59c6a8.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\3ae8e5fa3663e5a029211030180d17ed9e4b6f70bc2fd3cc54c7108b2b59c6a8.exe"
1⤵
PID:5356
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nNYCqgKemvRU.exe"
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\nNYCqgKemvRU.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7684
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNYCqgKemvRU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA0.tmp"
  2⤵
  PID:7620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\nNYCqgKemvRU /XML C:\Users\Admin\AppData\Local\Temp\tmpBA0.tmp
    3⤵
    PID:7956
- C:\Users\Admin\Desktop\fol\2023-09-04\3ae8e5fa3663e5a029211030180d17ed9e4b6f70bc2fd3cc54c7108b2b59c6a8.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\3ae8e5fa3663e5a029211030180d17ed9e4b6f70bc2fd3cc54c7108b2b59c6a8.exe"
  2⤵
  PID:7728

C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"
1⤵
PID:928
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe"
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8172
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzdSupOimejfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF6B.tmp"
  2⤵
  PID:980
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\NzdSupOimejfx /XML C:\Users\Admin\AppData\Local\Temp\tmpFF6B.tmp
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2964
- C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"
  2⤵
  PID:7364
- C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"
  2⤵
  PID:3164

C:\Users\Admin\Desktop\fol\2023-09-04\c8846304960a451a7b25b41886c816e5b5f4decfece3de1e76f40765df9432b7.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\c8846304960a451a7b25b41886c816e5b5f4decfece3de1e76f40765df9432b7.exe"
1⤵
PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1956
  2⤵
  - Program crash
  PID:148

C:\Users\Admin\Desktop\fol\2023-09-04\f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\f14a1debdbef48eb1ff83ed840c1bd6785bcb2bb3ff8a752832bdaf259dfbc45.exe"
1⤵
PID:892
- C:\Program Files (x86)\Windows Mail\WinMail.exe
  "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:7668
- - C:\Program Files\Windows Mail\WinMail.exe
    "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
    3⤵
    PID:8020

C:\Users\Admin\Desktop\fol\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe"
1⤵
PID:6632
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TmrcmQVVe.exe"
  2⤵
  PID:7808
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\TmrcmQVVe.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7544
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TmrcmQVVe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CB.tmp"
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\TmrcmQVVe /XML C:\Users\Admin\AppData\Local\Temp\tmp9CB.tmp
    3⤵
    - Creates scheduled task(s)
    PID:7828
- C:\Users\Admin\Desktop\fol\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe"
  2⤵
  PID:8008

C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe"
1⤵
PID:384
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe"
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7504
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AUAqafpj.exe"
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
    C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\AUAqafpj.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7216
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AUAqafpj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16CB.tmp"
  2⤵
  PID:7232
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /TN Updates\AUAqafpj /XML C:\Users\Admin\AppData\Local\Temp\tmp16CB.tmp
    3⤵
    - Creates scheduled task(s)
    PID:8084
- C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc.exe"
  2⤵
  PID:7744

C:\Users\Admin\Desktop\fol\2023-09-04\052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1.exe"
1⤵
PID:5192
- C:\Users\Admin\Desktop\fol\2023-09-04\052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1.exe
  "C:\Users\Admin\Desktop\fol\2023-09-04\052268101b875a7f7d0cdac6f63127b5a4cb39d98b3aab856874b0ffed500ab1.exe"
  2⤵
  PID:8784

C:\Users\Admin\Desktop\fol\2023-09-04\7336f458f1c01884b699338576756bf2461706b044eaa056a6302b7e842f63b3.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\7336f458f1c01884b699338576756bf2461706b044eaa056a6302b7e842f63b3.exe"
1⤵
PID:6344
- C:\Users\Admin\AppData\Local\Temp\3582-490\7336f458f1c01884b699338576756bf2461706b044eaa056a6302b7e842f63b3.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7336f458f1c01884b699338576756bf2461706b044eaa056a6302b7e842f63b3.exe"
  2⤵
  PID:5860

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2388

C:\Users\Admin\Desktop\fol\2023-09-04\173de723e89647bc2b884ed7770fc259dcf9de641c7d3df99693811503d9cd8e.exe
"C:\Users\Admin\Desktop\fol\2023-09-04\173de723e89647bc2b884ed7770fc259dcf9de641c7d3df99693811503d9cd8e.exe"
1⤵
PID:5684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\82B8AF~1.EXE"
1⤵
PID:6560
- C:\Users\Admin\Desktop\fol\2023-0~1\82B8AF~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\82B8AF~1.EXE
  2⤵
  PID:6412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE"
1⤵
PID:4312
- C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE
  2⤵
  PID:6684
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SPhYAl.exe"
    3⤵
    PID:7452
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\SPhYAl.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6208
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SPhYAl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39F3.tmp"
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\SPhYAl /XML C:\Users\Admin\AppData\Local\Temp\tmp39F3.tmp
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:5376
- - C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE"
    3⤵
    PID:6404
- - C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\3FC32A~1.EXE"
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1488
  - - C:\Users\Admin\Documents\images.exe
      "C:\Users\Admin\Documents\images.exe"
      4⤵
      PID:2172
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SPhYAl.exe"
        5⤵
        
        PID:10188
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\SPhYAl.exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8672
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SPhYAl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DC5.tmp"
        5⤵
        
        PID:7512
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\SPhYAl /XML C:\Users\Admin\AppData\Local\Temp\tmp4DC5.tmp
        6⤵
        Creates scheduled task(s)
        
        PID:9076
    - - C:\Users\Admin\Documents\images.exe
        
        "C:\Users\Admin\Documents\images.exe"
        5⤵
        
        PID:5560
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\BAB5AA~1.EXE"
1⤵
PID:7060
- C:\Users\Admin\Desktop\fol\2023-0~1\BAB5AA~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\BAB5AA~1.EXE
  2⤵
  PID:7136

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\77939B~1.EXE"
1⤵
PID:5320
- C:\Users\Admin\Desktop\fol\2023-0~1\77939B~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\77939B~1.EXE
  2⤵
  PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE"
1⤵
PID:6744
- C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 348
    3⤵
    - Program crash
    PID:3104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\709F3E~1.EXE"
1⤵
PID:7124
- C:\Users\Admin\Desktop\fol\2023-0~1\709F3E~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\709F3E~1.EXE
  2⤵
  PID:6896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE"
1⤵
PID:3496
- C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE
  2⤵
  PID:5024

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE"
1⤵
PID:5324
- C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
  2⤵
  PID:5692
- - C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
    C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
    3⤵
    PID:7356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:7924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:6608
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:6436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A19C21~1.EXE"
1⤵
PID:6592
- C:\Users\Admin\Desktop\fol\2023-0~1\A19C21~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A19C21~1.EXE
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
    3⤵
    PID:7192

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\133C1A~1.EXE"
1⤵
PID:7584
- C:\Users\Admin\Desktop\fol\2023-0~1\133C1A~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\133C1A~1.EXE
  2⤵
  PID:7712
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4021090.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4021090.exe
    3⤵
    PID:7960
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4144974.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4144974.exe
      4⤵
      PID:8072
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6310104.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6310104.exe
        5⤵
        
        PID:8180
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034876.exe
        6⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5123201.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5123201.exe
        7⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8379606.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8379606.exe
        7⤵
        
        PID:5564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\B40D11~1\saves.exe"
        8⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\B40D11~1\saves.exe
        
        C:\Users\Admin\AppData\Local\Temp\B40D11~1\saves.exe
        9⤵
        
        PID:7384
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3498677.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3498677.exe
        6⤵
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1708714.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1708714.exe
        5⤵
        
        PID:6728

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\D53E85~1.EXE"
1⤵
PID:5492
- C:\Users\Admin\Desktop\fol\2023-0~1\D53E85~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\D53E85~1.EXE
  2⤵
  PID:4472
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:9460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c ipconfig /release
      4⤵
      PID:7452
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5696
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    PID:7524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c ipconfig /renew
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:5776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:8260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\7C2499~1.EXE"
1⤵
PID:3032
- C:\Users\Admin\Desktop\fol\2023-0~1\7C2499~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\7C2499~1.EXE
  2⤵
  PID:7080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 1296
    3⤵
    - Program crash
    PID:9956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE"
1⤵
PID:8728
- C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE
  2⤵
  PID:8924
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE"
    3⤵
    PID:9732
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9236
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Fhebjt.exe"
    3⤵
    PID:8972
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Fhebjt.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5756
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fhebjt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B1A.tmp"
    3⤵
    PID:7392
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\Fhebjt /XML C:\Users\Admin\AppData\Local\Temp\tmp9B1A.tmp
      4⤵
      PID:6160
- - C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\9EE420~1.EXE"
    3⤵
    PID:3088

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\EF50A9~1.EXE"
1⤵
PID:8756
- C:\Users\Admin\Desktop\fol\2023-0~1\EF50A9~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\EF50A9~1.EXE
  2⤵
  PID:8852
- - C:\Users\Admin\Desktop\fol\2023-0~1\EF50A9~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\EF50A9~1.EXE"
    3⤵
    PID:9696

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE"
1⤵
PID:9364
- C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
  2⤵
  PID:9568
- - C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE"
    3⤵
    PID:8280
- - C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE"
    3⤵
    PID:10204
- - C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE"
    3⤵
    PID:5704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE"
1⤵
PID:9404
- C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\462181~1.EXE
  2⤵
  PID:9084

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\655AB6~1.EXE"
1⤵
PID:8992
- C:\Users\Admin\Desktop\fol\2023-0~1\655AB6~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\655AB6~1.EXE
  2⤵
  PID:9048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\4402C1~1.EXE"
1⤵
PID:4948
- C:\Users\Admin\Desktop\fol\2023-0~1\4402C1~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\4402C1~1.EXE
  2⤵
  PID:5544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:8060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\74BBF5~1.EXE"
1⤵
PID:10004
- C:\Users\Admin\Desktop\fol\2023-0~1\74BBF5~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\74BBF5~1.EXE
  2⤵
  PID:8304
- - C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
    "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
    3⤵
    PID:8644
  - - C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
      "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
      4⤵
      PID:5280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8644 -s 364
      4⤵
      Program crash
      PID:7100

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\9506CD~1.EXE"
1⤵
PID:8828
- C:\Users\Admin\Desktop\fol\2023-0~1\9506CD~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\9506CD~1.EXE
  2⤵
  PID:7484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\CC2556~1.EXE"
1⤵
PID:7852
- C:\Users\Admin\Desktop\fol\2023-0~1\CC2556~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\CC2556~1.EXE
  2⤵
  PID:8620
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RDYHjw.exe"
    3⤵
    PID:6812
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\RDYHjw.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2932
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RDYHjw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF97.tmp"
    3⤵
    PID:9824
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\RDYHjw /XML C:\Users\Admin\AppData\Local\Temp\tmpCF97.tmp
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:9512
- - C:\Users\Admin\Desktop\fol\2023-0~1\CC2556~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\CC2556~1.EXE"
    3⤵
    PID:4136

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:9436
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
  2⤵
  PID:6064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\901284~1.EXE"
1⤵
PID:5244
- C:\Users\Admin\Desktop\fol\2023-0~1\901284~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\901284~1.EXE
  2⤵
  PID:3576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A71AB9~1.EXE"
1⤵
PID:8272
- C:\Users\Admin\Desktop\fol\2023-0~1\A71AB9~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A71AB9~1.EXE
  2⤵
  PID:4624
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\fol\2023-0~1\A71AB9~1.EXE"
    3⤵
    PID:6360
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\fol\2023-0~1\A71AB9~1.EXE
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9748
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VpfPpsKULlYyB.exe"
    3⤵
    PID:6248
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\VpfPpsKULlYyB.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6960
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VpfPpsKULlYyB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FF.tmp"
    3⤵
    PID:8124
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\VpfPpsKULlYyB /XML C:\Users\Admin\AppData\Local\Temp\tmp4FF.tmp
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:4052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\CBA586~1.EXE"
1⤵
PID:8220
- C:\Users\Admin\Desktop\fol\2023-0~1\CBA586~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\CBA586~1.EXE
  2⤵
  PID:7240
- - C:\Users\Admin\Desktop\fol\2023-0~1\CBA586~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\CBA586~1.EXE"
    3⤵
    PID:8976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\96BB6F~1.EXE"
1⤵
PID:8424
- C:\Users\Admin\Desktop\fol\2023-0~1\96BB6F~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\96BB6F~1.EXE
  2⤵
  PID:9328

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\3F04BD~1.EXE"
1⤵
PID:8524
- C:\Users\Admin\Desktop\fol\2023-0~1\3F04BD~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\3F04BD~1.EXE
  2⤵
  PID:8908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\E5370D~1.EXE"
1⤵
PID:3224
- C:\Users\Admin\Desktop\fol\2023-0~1\E5370D~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\E5370D~1.EXE
  2⤵
  PID:5604
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\fol\2023-0~1\E5370D~1.EXE"
    3⤵
    PID:8336
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\fol\2023-0~1\E5370D~1.EXE
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7264
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YxTQbd.exe"
    3⤵
    PID:148
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\YxTQbd.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9724
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YxTQbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp647.tmp"
    3⤵
    PID:8448
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\YxTQbd /XML C:\Users\Admin\AppData\Local\Temp\tmp647.tmp
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:8356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A41AF9~1.EXE"
1⤵
PID:9512
- C:\Users\Admin\Desktop\fol\2023-0~1\A41AF9~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A41AF9~1.EXE
  2⤵
  PID:5932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\3D935F~1.EXE"
1⤵
PID:7652
- C:\Users\Admin\Desktop\fol\2023-0~1\3D935F~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\3D935F~1.EXE
  2⤵
  PID:9260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\98E2DD~1.EXE"
1⤵
PID:7528
- C:\Users\Admin\Desktop\fol\2023-0~1\98E2DD~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\98E2DD~1.EXE
  2⤵
  PID:7668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE"
1⤵
PID:8376
- C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE
  2⤵
  PID:9156
- - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
    "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
      "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
      4⤵
      PID:9476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\B54441~1.EXE"
1⤵
PID:8716
- C:\Users\Admin\Desktop\fol\2023-0~1\B54441~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\B54441~1.EXE
  2⤵
  PID:6736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\6145A4~1.EXE"
1⤵
PID:8228
- C:\Users\Admin\Desktop\fol\2023-0~1\6145A4~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\6145A4~1.EXE
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\uqcea.exe
    "C:\Users\Admin\AppData\Local\Temp\uqcea.exe"
    3⤵
    PID:6344
  - - C:\Users\Admin\AppData\Local\Temp\uqcea.exe
      "C:\Users\Admin\AppData\Local\Temp\uqcea.exe"
      4⤵
      PID:7800

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:2268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE"
1⤵
PID:5580
- C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE
  2⤵
  PID:9840
- - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
    "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
    3⤵
    PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\qaxruk.exe
      "C:\Users\Admin\AppData\Local\Temp\qaxruk.exe"
      4⤵
      PID:9836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE"
1⤵
PID:10164
- C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE
  2⤵
  PID:8796
- - C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE"
    3⤵
    PID:5824
- - C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE"
    3⤵
    PID:9200
- - C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\95B410~1.EXE"
    3⤵
    PID:7876

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\B391E7~1.EXE"
1⤵
PID:8704
- C:\Users\Admin\Desktop\fol\2023-0~1\B391E7~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\B391E7~1.EXE
  2⤵
  PID:4940

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:5944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\14EB5C~1.EXE"
1⤵
PID:8156
- C:\Users\Admin\Desktop\fol\2023-0~1\14EB5C~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\14EB5C~1.EXE
  2⤵
  PID:8056
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    PID:8300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn svchost /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      4⤵
      PID:9736
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn svchost /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA9A.tmp.bat""
    3⤵
    PID:9480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\3AE8E5~1.EXE"
1⤵
PID:10116
- C:\Users\Admin\Desktop\fol\2023-0~1\3AE8E5~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\3AE8E5~1.EXE
  2⤵
  PID:9684
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nNYCqgKemvRU.exe"
    3⤵
    PID:7536
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\nNYCqgKemvRU.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7872
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nNYCqgKemvRU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AC7.tmp"
    3⤵
    PID:8112
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\nNYCqgKemvRU /XML C:\Users\Admin\AppData\Local\Temp\tmp2AC7.tmp
      4⤵
      Creates scheduled task(s)
      PID:5716
- - C:\Users\Admin\Desktop\fol\2023-0~1\3AE8E5~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\3AE8E5~1.EXE"
    3⤵
    PID:9348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A163AF~1.EXE"
1⤵
PID:9236
- C:\Users\Admin\Desktop\fol\2023-0~1\A163AF~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A163AF~1.EXE
  2⤵
  PID:9244
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe"
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9064
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzdSupOimejfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2170.tmp"
    3⤵
    PID:7580
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\NzdSupOimejfx /XML C:\Users\Admin\AppData\Local\Temp\tmp2170.tmp
      4⤵
      DcRat
      PID:7056
- - C:\Users\Admin\Desktop\fol\2023-0~1\A163AF~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\A163AF~1.EXE"
    3⤵
    PID:1772

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\C88463~1.EXE"
1⤵
PID:9356
- C:\Users\Admin\Desktop\fol\2023-0~1\C88463~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\C88463~1.EXE
  2⤵
  PID:9800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9800 -s 1920
    3⤵
    - Program crash
    PID:8204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE"
1⤵
PID:8892
- C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\9056F3~1.EXE
  2⤵
  PID:8732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE"
1⤵
PID:8292
- C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\6FC55B~1.EXE
  2⤵
  PID:8936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8936 -s 632
    3⤵
    - Program crash
    PID:4624

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE"
1⤵
PID:6828
- C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
  2⤵
  PID:8040
- - C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
    C:\Users\Admin\Desktop\fol\2023-0~1\8D1435~1.EXE
    3⤵
    PID:9072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:10168
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:9044

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\AD7CBE~1.EXE"
1⤵
PID:9148
- C:\Users\Admin\Desktop\fol\2023-0~1\AD7CBE~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\AD7CBE~1.EXE
  2⤵
  PID:8200
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gbxlLRJLa.exe"
    3⤵
    PID:9956
  - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
      C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\gbxlLRJLa.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:9360
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gbxlLRJLa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp654F.tmp"
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\gbxlLRJLa /XML C:\Users\Admin\AppData\Local\Temp\tmp654F.tmp
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3508
- - C:\Users\Admin\Desktop\fol\2023-0~1\AD7CBE~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\AD7CBE~1.EXE"
    3⤵
    PID:6612

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\BEA968~1.EXE"
1⤵
PID:9864
- C:\Users\Admin\Desktop\fol\2023-0~1\BEA968~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\BEA968~1.EXE
  2⤵
  PID:8896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mdoyifg.cmd" "
    3⤵
    PID:4424

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\D21D1A~1.EXE"
1⤵
PID:9948
- C:\Users\Admin\Desktop\fol\2023-0~1\D21D1A~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\D21D1A~1.EXE
  2⤵
  PID:9176
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" BhZ~DUo7.52_ /s
    3⤵
    PID:7512
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe BhZ~DUo7.52_ /s
      4⤵
      PID:8000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE"
1⤵
PID:6948
- C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE
  2⤵
  PID:8440
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s 4dY5~.X
    3⤵
    PID:8156
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /s 4dY5~.X
      4⤵
      PID:8860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\BD03F2~1.EXE"
1⤵
PID:204
- C:\Users\Admin\Desktop\fol\2023-0~1\BD03F2~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\BD03F2~1.EXE
  2⤵
  PID:10104
- - C:\Users\Admin\Desktop\fol\2023-0~1\BD03F2~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\BD03F2~1.EXE"
    3⤵
    PID:6688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\D3BB09~1.EXE"
1⤵
PID:8884
- C:\Users\Admin\Desktop\fol\2023-0~1\D3BB09~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\D3BB09~1.EXE
  2⤵
  PID:8384
- - C:\Users\Admin\Desktop\fol\2023-0~1\D3BB09~1.EXE
    "C:\Users\Admin\Desktop\fol\2023-0~1\D3BB09~1.EXE"
    3⤵
    PID:8824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE"
1⤵
PID:10224
- C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE
  C:\Users\Admin\Desktop\fol\2023-0~1\A4C3E9~1.EXE
  2⤵
  PID:9660
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s 4dY5~.X
    3⤵
    PID:5836
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\System32\regsvr32.exe /s 4dY5~.X
      4⤵
      PID:9864

C:\Windows\ModemLogs\wininit.exe
C:\Windows\ModemLogs\wininit.exe
1⤵
PID:2440

C:\Users\All Users\Adobe\Setup\dllhost.exe
"C:\Users\All Users\Adobe\Setup\dllhost.exe"
1⤵
PID:8836
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\dllhost.exe"
  2⤵
  PID:8368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe

Filesize
946KB

MD5
153bbcb1f4e7dc0682912461dc23a716

SHA1
34d821a6a40243ec9c2bc058c6c83cd25756e33c

SHA256
1585f8fcf9fcb6c0205456da7993f3d4c3cf0fb9af1ce935c1a37f5da867b05d

SHA512
ec589074b826df304eb2df25340a4659bf1908516092602940ffbaba54e3fa339e8ea08327265bc0a16b697ff90873636658a4cacb8addc10be2a719dee70130

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
610B

MD5
824a554c089e361f24515e4c63c8fc9e

SHA1
e8a5e006d5afe617393d95ebaab791fa388e5b94

SHA256
8c607d2eafc61b6029802d09d99d9580ae8d44227e6da4e57149a2b794d250c3

SHA512
338cc8c813f0556f214dcc3b4230fa3a508eae824f3f6202ce283516c1c3257a5cbbc3b41bc6d9a490a9ff13863cb02bced5fa39f6288318057292deea615d06

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
996B

MD5
6e54d57c108a062c2eda5b65e98d452e

SHA1
4d2b137d86ccdbdfadd7ebcd210801559610f874

SHA256
9195e6f7fe0fcb635d8db7bd26ebb33a1303e57ab4a73aa918330d06bdd9cb66

SHA512
ae6ea2c1913986ed1e502b4a99e1db797512af1857aa1da74012ce4efdb65cd57ea89b10df90523991745a34e69bb5494690f31c387658d46942b3735fa58ba1

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
816a91aa82849ece5e8ddb144a7ad7f8

SHA1
8799d6d71a648b2536996de9010fcc40fd43cb24

SHA256
3729cfd53f53a9a4cecb06154f3f2f1e0b26d9b61e4b585ef32222f3bce53b75

SHA512
5ec8971f611680731de54666e14607e6d111d6e7b607fc60b818b2b0ff1ab0450d29b08744d86e6d61dd6503d6400114499e89b5be119b882d7cbb787d857b7b

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
d1497ed17f896d2757cfbba2c0c4d77c

SHA1
4b602a178af12c925cbd1fb1594a8353ca3dcc60

SHA256
a94be21f188c39bead737d43ed92065d8a86935fb5ec4388526812f4fe3016e5

SHA512
349d14e332915b151b473989c55c9303de5a3f861112e484915db1ab3713dd8c4f9491f905eddb5c6e51bac59605694ec5e31427b647e8e4b535e594da3ea5a8

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
e54d97ea043524dfa395135881991bfd

SHA1
450ecddcf920cbfd21f35483825dbf0e2508e287

SHA256
61a822488b7db9d41dc23376b0f793771e9b2140071aa55beb7eec558a55f03e

SHA512
bfb38dc01639c9f6b742157972c2c7b096f5388e0e25c6846d9e1fc8cd15c1371b0817772c31680617d84df46d98904a84ea5bcdea936f44761177dd1c9d2de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Media\2024-5-24_1.55.55_Administrator: Windows PowerShell.jpeg

Filesize
57KB

MD5
9f52af56b5292730b38c161f5cb3741e

SHA1
c491d45165cc86fe78f4fdc0d9a9e3a2ac3153f4

SHA256
95b66191447a805f28dd96771478829f4d2ab06bed376edbbaff41d953ce110f

SHA512
ccf84f3fe468321c5e2f5b9ee36012f707535199dd67191fb97515b65acbea94812500ed632598d727dae3c82ee1863cf4a1c016fe7fd2f7b66d5cb9f74ac061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b.exe.log

Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\D53E85~1.EXE.log

Filesize
1KB

MD5
1d1ad81054ca4f7e1705e47dbbd38096

SHA1
f43f4579bd5c6d61d2e3559801e4b92d2b0274ec

SHA256
85774d8a9602cdd6dd90cf987551e9cc49a4d46610f071b8386706155dcaf079

SHA512
a37abc8304bb8ab453f465cd635ba04d0381d1a3471806af337a4cc7d85dd0a3deaebea3875fdaf7b6d2032c03f9d7a8777145d1b5b09caf80858cf9a0407e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fe9a3910b655d38c2aafa3512aedcdba96fd352d896fc68d8ed345a49c93ec6b.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
a3e13487a9a2f94eeca18833ac321927

SHA1
4644c348656095198082563b6e96ce57c323b588

SHA256
72ab937a9aec4c984aa303f46f513fe3535e1b7180d522906db08910e4ede377

SHA512
5058ec2144bf347bb2ebb81501014f6af3235303cb808d5a69387eef219889613408e66de45992ebed4f05c23e72d426cfe9ce7d73e0ef612db2cd2244e762b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
56KB

MD5
0fd6add767bbd166cfa40d7165680bd5

SHA1
4df49856c0c8c4af33070005cc3907a2a5db8f35

SHA256
a7c67e99add1eeb92266f630e9590edd62a6bf841e125d23e12d32692313f818

SHA512
68d31100a26dee3428917466f15870414fa989f7ab893961adb7e48964aaa4bc385c5e0784e2411f03dbfde35fa766b2171adfdbad77120756b0588ce78f2396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
e22ac5de842731b6a528ddd56dd66428

SHA1
c025cfcce9d0c1982dcaaee1138377fb5e787de0

SHA256
0010617e4d51aebe71709653cc9636c7f243b31a335c17edb93ab4f9606062ed

SHA512
991cc2b3b604a234ecafbc6db7aee6d1411c7c738501664f531cc4f81ceb1bef047bcb9cbf6fa31b80e009781195a7bfc35ff374a552908e5a5e6cc11faf996e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kompilator243\Tontine\Influenced\Geheimrat\battery-level-50-charging-symbolic.symbolic.png

Filesize
245B

MD5
67d67418e29b486a27b87cba4329d73c

SHA1
8e869401abbb8e1642fd5a0de31a12f138f50170

SHA256
938dbd300814c255b814bc025a3af876f96a5f01177066a62a30b74a53189a93

SHA512
cfdd25fb3e2d5c9871f414574339dd84b0239f6973ce289e50f89ef4c39e498bd9679294174e165540f8de0cda3b2f7dfc9fe8858f56404f0b79eac0de98b6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kompilator243\Tontine\Minification.Sge

Filesize
295KB

MD5
e051e5883c70332def5df4eb691d214e

SHA1
cf3b65db07a018776579007ce5d0b335315c08f8

SHA256
fc09f41e517a983cd3a6d14fc909b9ea727a10e4d6ef3ddefd713aef214e8211

SHA512
5e7a8c8c2cefd44dda6b2367d29c6d5f595ca18b934d8ac85e29a8512c7607ce49f03d0f5187258115c407e9515a5080a616f907c058e6d62f17abdea5408e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kompilator243\Tontine\Optimales\mail-attachment.png

Filesize
495B

MD5
d3e1af9be162e4602ec498caaa8f4309

SHA1
1e6b226f05cbc0517f18695ad3365363c7c0e9ca

SHA256
e01793ce6ac58ad98d7500ed1ef1e525d8b07b11215a1fdcc939b7fd9f77381e

SHA512
321dd4c9172dc8e8ee568bcc379f929e33ca5af4088b011595d56a186f935ad24b2f5f306023f7027bacd422dadafb4e6b173a838a472b60e453740cbcf8d9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kompilator243\Tontine\Optimales\remember.c

Filesize
2KB

MD5
7967587ae63f62994753eaa6a3385a3f

SHA1
ab8a0326d6a4352552a0ea852a8669bb049b0d33

SHA256
9d66bfaddb35901308c2b0a422f65016ce6f565f2835c5c866991965df0c1e9d

SHA512
6971d6f07efc2b0bb04e2a61baf28b45e9d93570bf9865a050001655b4a017af763762a5c566c0759a0fb5ff5a6043fbe8cda88c17725e644a35d1a530225424

Download Submit
C:\Users\Admin\AppData\Local\Temp\28f8dD4oeg.bat

Filesize
193B

MD5
41d5a7e9771f7b2108063401d7386f0a

SHA1
05d1df5e4f203740d4fe1561939a7b71f7e5b10c

SHA256
3eb0b40fdecbc299115796d5275784e7808ecc4736dcd8da5135ca7fbe99efd9

SHA512
1e14be3982dff2eedb5f69301930c688a9979d43179d57b5a9c08c00b62308bc25bf8250bdb7757ba9f0414f31c6f71c63ec3ae65d3e77a8b6e298917d4b3762

Download Submit
C:\Users\Admin\AppData\Local\Temp\644d7a13-a751-47bf-95ab-df70ab1974f6.vbs

Filesize
509B

MD5
0b3b510b9869bf341f1c8146fab396b6

SHA1
f547a58bbacfa261db253652b957bfb74ad80829

SHA256
00aaac1c2f7c5b8ea0150977db52103363ceb3016dada373a76156f7e5949ba5

SHA512
0315ab3bccf0405a922b571f12b347ecb0b36cb28a11183194a9c2c16f91f046ef5de8d5834ec201c84719f0f1ad0b42070db98784f6d5151af29338171b78b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

Filesize
5.6MB

MD5
7a3059b652dcbe5b578ec98a507dfb16

SHA1
9f6938dac4e567fedbf5d6baa5488bf17cff7873

SHA256
8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c

SHA512
ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRz41KVB.JxD

Filesize
2.1MB

MD5
c969eb4ab278b8b50fb7883c01480e39

SHA1
400d8637c209ec6bec0bcbe674d439d1bcac69a2

SHA256
d456847efc5d7e79bd959b22aadc08996cc9f6c05247426fe8223ac09aafb02b

SHA512
7e44a85edb33dcccd2f90d0ada358bbd62608b96d7bd6ae453cf872493bc1ccee6a21e1dff5da9b55ae5e0f61e9529cb3488f39f025f083daa415a88713dbe4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9SMW.NXS

Filesize
2.1MB

MD5
e53a4ae918b729caeeef26f1fb762c2c

SHA1
689e76a00d4d4957d63823b873f5277f6c8d0eb2

SHA256
0b18993e39094c2f85590ac4abcac3539bcf3f28d1e4c291567860992977459c

SHA512
919bd69b5eeb76e8a20b52d01b2df760a044610fafd336a22493cb707e28eab28308524dc9cc7e21ae5d3d0d08c68b9d13d5f5c8ad380e3648c27b3c9fd5c5c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSKioGbcuq.bat

Filesize
271B

MD5
812a202ee7ef5139147f2e637adf5554

SHA1
6df0cac6296fdb1d7bc4bc9c23a0aaf709da29c6

SHA256
76186a5ef026b09657576a6c86837a6a49f25167d782a273ab8d62875cf1e038

SHA512
8b6e9c73e269e84e3ef57552a9c2af44364839db8db3092ccd458327c7b7ef42fbc087c09e1468cc04f50dba95209ab7dc4b1347c0522eea3f0662b97bc90902

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tyejcx40.fn1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
334KB

MD5
1becedbe14ef560b3afe4ba28a2fa557

SHA1
3b67f1f9b74cc8084f8a90b1846e596b4cd68983

SHA256
27ae9b2f97163a11842883ae13e0190ea5217a242c559b08b9c1d94de6a86873

SHA512
1558aeae9b76153d93af3dae96da3988a3dde2d460df1a5359d6c2702c4c5c03b40ef9356dd35bc0c8a037d5d624b4ac460302180e60c2e97a7735ad63929f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jknzojxbhyc.pp

Filesize
205KB

MD5
fbe44376f8fda55210d2af21ce663135

SHA1
6cb0f1e1ff2664d751207cf0a7f819f673231146

SHA256
c43c4c1df2d51d26b59216893a27c0e5e144ed70b1027d405b64c13492bc53b7

SHA512
c048d2c9bbf5cf5d8cda3b2eaa04e3be6ede57524b5462724c23a1e25424984ce08e3da3f8c69d367b3a12cb7cdb0bb8d3fe0e854e1a8152b3c853fc7cf78399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4AF7.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaxruk.exe

Filesize
181KB

MD5
c2dae9b244388a0440d6cf19a367fed4

SHA1
5ab80320f6e365db0a8444aa94db3f2dd5ed3787

SHA256
b21695b2254d5be16a00a93b76ca2651f3da7c27c9ba347b65e768ccf2fdd6c5

SHA512
d2e018c2e73ea1738d6da6fe91ecf23cc2442fe5f204dfb1fecafc9d1221f1f0b645d755c9e531be9187057926e710c57ec62b833e7a5696279e0a9868059480

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

Filesize
180KB

MD5
0cf1c234e21549b221bc4b2c81e28037

SHA1
06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67

SHA256
45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539

SHA512
6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzgsf.dl

Filesize
205KB

MD5
a626e878a12016674242642dfaf0c150

SHA1
abec6f393244a575cf08e6c38ebbf8d4b338e676

SHA256
f51e4f240e5029490d9b4623dc90ca4914dc99208664519b8d4b3695a1051451

SHA512
35428c35ad64335d0aa6c87c10b574fcf02d58e868cfe762b667018dbf0348f74ec99cda540833ee7b80ecb6ad6739cdecf369ff5c4d213a61b68eeb1b814a05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3699363923-1875576828-3287151903-1000\0f5007522459c86e95ffcc62f32308f1_98f325b1-1085-43b7-8e27-43d9cdb6ea3f

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F8ZZF0QBXSJML8CNBIKR.temp

Filesize
6KB

MD5
e60f19d95fe164593fbd7415fb1674b0

SHA1
65c98b651f870559dd4b247eedb055172f2f3481

SHA256
c096c7cb6f8c8ca03f579d139350546c4e30cb6352b6f614b50bb50e862b773b

SHA512
560a5925dc3800fd97c38c8cd5594fc64604a3b1f8c1603078f8f72d498eca710fc9c97d85b4d430344f5bf902634602760ec5d0be423209e96fc507c8bc1b03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLCTL50VJHA3T5GL9DDB.temp

Filesize
6KB

MD5
329f110f82c1f07835ed759cb269f0c0

SHA1
8ef25cc8b82c4cd9965540e99356f8a75f7a2aac

SHA256
7d1de6b1a826ca831eaf07ad8dbd58cb98714ab01494fb53c60b6f8280a4af33

SHA512
5bdcb31953dd7f5f844cb8e357537a867eb11867e180c18232af365917e1dbbcedaadd873b721e7e5abcfc1c9254788f323da7acaa33e718fb46bfb837a4d6ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
d6f43d7ea5131a283a2b54ad0ab02585

SHA1
69a6be926b80c3a241ef8c7e4f4b1f324e038c00

SHA256
2a428f9ef818897951eafe3af1038fb6b417bca2e67d308cd6ca370f7afdb965

SHA512
cdb15bc123a6f486a43458f48c5c46839341a081211c5b7ae4a929e270e4083b4d5b1f47f5d45c297a0e3a102f7418443940028e7826084ea90ceee1063c6eab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
c9bf9ccc9c7a8e2fdb75d0761044a989

SHA1
4f60735536f989942e5504a51ddaded016253049

SHA256
4875dd83d506ed9b4d8b9f9c3e6851aee813b8f4d5f15f1d233a46dda56b79bf

SHA512
ac192814591def6f5ec9c2affd51532d6c2e6ddb9db5a55fc93039e2449e5ea78e21e31e5cf55adfbc8d6684370dd2ff555151b914faa33be615fbd1328a184a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
7e90fc808c92ae4b0c1021c6d144e7c6

SHA1
b01f2852b34c765548e8c6311d018d349333c0b7

SHA256
2c83c9a573e02d942d8fe60a92bff1c945e64e872c7dab7167228a631e10553a

SHA512
565a35bb0a01e3a32d7cacf06acaf33a09f42bd8f8bb8bba64dabbbe7ec26590613f7344b4a570ea4a1d98bc7884a56da0f606a354179e595ce231b1c70078ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
84ccbf994e62363103357029563a1d7e

SHA1
5c33d077eccb6b4bda10d90d142d2ef39fc6b5ef

SHA256
6a316b59e9344a197045156596cb247f2f5e7a23dfe00602e3651f53100ed20f

SHA512
d86657f9bc40f91c4d1102a8aae5bad112c531510ea8a00a217b16b9b11320d91f850c16e6e4a8c47bb31f48accd0b37ba5ee5e5a36410db157ae3836fa5a015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
bf21120329105f180ce0b941286a7ea8

SHA1
c6e8343cba82d01a40a56a9514edf51f80267942

SHA256
e5df1241f7c6d71ce63b28dd59e029969659d2376399e450532867e5948cf28e

SHA512
a515e4e4228527e4d33ce69a1ddeebc2ea69c8b4dd4516f2fcbb15ec50cf8bb116543e0da15bb9f405366d8ff6a2a24357ba3cdd1988f6e60f20f232b8327a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
39da831f81dcbdb2db8b1b621a0da5f8

SHA1
54bd886895eab3e1b17137ffc87b75c496250e12

SHA256
221686b498b6aae42ea9f1fd05a1c8d791d9392f4efeb3a8857fddcbccc2c582

SHA512
188cad066823468ea8a940b9b0aafe8970d66a1c7778f027d1d2c2b5393eb1aec8e188c02f11c92ede3b70225218fe5c308a99bc1cc53bcc1f91dbeb8c3644bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files.zip

Filesize
4.2MB

MD5
e779c66a1499b17fd3f432b0b0cacfcf

SHA1
94e28d4b7e1404447be65fecd0d717fb2457d790

SHA256
8466f719200eb6741fd273530ece320076fadfd5740ce237d44e026ab5d050b2

SHA512
516c1fce89158196624db57419d946dae79c7f424ac485972479754377923da8f08731c47bfe7c074b9dcfb5ac100bc7b57a2ae3a643165ba0148d8359e484a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\ConfirmCompare.xlsx

Filesize
372KB

MD5
3108b40c731000e718cc66526ac21182

SHA1
139afeec58165a6046e6078a5c245094a55e395b

SHA256
e423bfbcbb95315c02c38d462f0dac4be9ef29316f38fcd18b8099b3cfc2e76f

SHA512
6cb6702d6460fecd22e11b696134ea46e377e52dca03541045942256fba40749d147b983698dc3713eefc579f8b822a59c497205467aa1dd4f8f3058fd6998e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\EnterUndo.pdf

Filesize
219KB

MD5
a45ee7d26800252e30a8a4d0ddcc977e

SHA1
2b45fee542088dea7bbaec03189d852ac00c6d85

SHA256
f63ac3353c5b11e7efbfa141749c4a201f3bd1529c583ac6dae8be1fae8e9110

SHA512
0804798730759a872d5594395cfd637cd336938dad04183f0cdfe7de74a914f12a61b8cef1d20c1b0d3a44c57cd14e772afbe227b22a280baa03b8bd9c75624d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\MoveSkip.pdf

Filesize
728KB

MD5
9581d7fd0e567f3acda09dec5d952906

SHA1
0148cb9e4cab43cd0c01b41cd88f83f754b755e6

SHA256
d116f192cecc129ae92aa066098b8f22f168aa3c3c85849b3c50b9f46fc990b8

SHA512
b830ee1263823298492b9608a9e08d496e98eaf21bf2be3635f85ff268d633184cdd33db8870aac80cb85457073adad899160e8524d25b6684eed01bfd5c58ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\PingRegister.pdf

Filesize
184KB

MD5
02069a0f64e2ee98dde5c9e382d97373

SHA1
d151e45f4bb784be0cdb6242d2fabe1eb4b39e50

SHA256
a6c6e407f2b31d2a06152be78b57180fe59ff9cbf2d2aacc446245a99f94665b

SHA512
090158b01fac2d7b816726f80984ff0e241a9687ce8037561594462ab6f5820e4f38cf9adab6638a5780fad970d739563817b080a146d2b51c846b9124dd0f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\PingStop.docm

Filesize
404KB

MD5
01fce05db1cc09a2a627ea814a790f30

SHA1
1e3f5cbfc49f4304ebdc7ae39b8d7582f6ca5c99

SHA256
f8f86fcb645c312d40223c52c5ccd85a75b66fc7736fe3a015abf3d33918c849

SHA512
91535c14f9b4d6d06aa49c3b43a6cf8d4457531545de3db92e8944fddc7b8d195cce7f797b222799899264d78c6f1c28ac13897bc1d90ae6cd5f96b9ae208605

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\ProtectUpdate.txt

Filesize
390KB

MD5
182c3902159f6f6df21e029ddb4ee90c

SHA1
98555fe366a0edd58aa38204d9f68b8971f201b8

SHA256
9704a1da9128f298a836f7c25f914a5ae6d3d19e6a9c8c796fccc8d855ce3717

SHA512
f7c7449a7e1c0ebacc2fa4abb006e2152460c5c7ccfbccd44b278cba3a470452d0247ca802b1f79f2c8e87c9a5ce01bab50a53c92db53655bfcfc3231423c3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\ResizeConfirm.doc

Filesize
462KB

MD5
a758a662a59d20ce745cc69cdd3c0548

SHA1
7389020e58186614d4f941c4115b7603a433259a

SHA256
8b2c50e4d34cf9ebc8b891ddb4d4e6bc9265c96a3fb0df2fee0369368a4df629

SHA512
5d79e6964213097ae5f7b9fc8980546585d516c685556f154c0277321d1ea81f88aaf86732b24fa2d2bf546dfc46a629e72b70b3bad09615f9819d102ba9b951

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\SaveDisable.pdf

Filesize
636KB

MD5
cfa9be9a2c7b0d5aa85b55886769c08e

SHA1
96e73fc3aa058562e19ce03709ef2a1ba4a5ad01

SHA256
ff1f096a06ec85bb61fc748467a8b8fc85459b247c03f08a4758c693f4b43404

SHA512
85f29d732642059ed6b9505d97bbba72bade792d0120a586aada62fb6d00b12d0d2c17f995a12adb08ea09feb533a606a0ad427a89736e41a4996e7f30588489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\SearchUnblock.docm

Filesize
435KB

MD5
72116e0e48bcce3c7b71a8003e8576db

SHA1
c8cfdf8da1e3a0801e5c6922782926e862bb539e

SHA256
05f4f256e87d23d57e3acd044ae189fe9bb7b063596e79888bce3330c428e3e6

SHA512
8ab4969f8e633b66f64a1d82824f248cb640d5ac662a988e1c4cd3930731df3399ad0468239f5f2c59e75ee5d1bba74f64555d012bb484bfb7f4368d982e840b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\Files\WatchSkip.docm

Filesize
453KB

MD5
e24874dfc6ead9077557c4b860974834

SHA1
fcca1ef268f4dcd8fc1b0987239d255cc3ba9eae

SHA256
b82906fc717d77cf2c764c606b7ec69e3eb203c13652fcbd75567d5149a408d1

SHA512
df3e74b7af30e976fcde23402d7cb9cf93dffd360a3a00ad978a6f0c9c5923044d600f7f88bf5bfac4b8250abf8d4d3353619d02300fce98dc129261803db421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\LogfirepinkemCdnQPoaISMopKeGDfuPfQgaloisian

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NDTNZVHN-Admin\WebData

Filesize
92KB

MD5
55d8864e58f075cbe2dbd43a1b2908a9

SHA1
0d7129d95fa2ddb7fde828b22441dc53dffc5594

SHA256
e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581

SHA512
89ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e

Download Submit
C:\Users\Admin\AppData\Roaming\RDYHjw.exe

Filesize
720KB

MD5
9e72d74d36027dc748aad84c04b910d2

SHA1
907dd71471ee0d5db7b9bc359146365f9e3fede4

SHA256
cc2556dc4dd2e1f164c1919338bd557f16b157a1ec0cce9d27f16698f64c6ec0

SHA512
553788f918baeed47c179a18325b66dc922e257abac7b20567cf82282c19ecdc884ba2471110c114145d6f0eba98831143b8a5f7df6ca1e4802e49133508cea4

Download Submit
C:\Users\Admin\AppData\Roaming\VpfPpsKULlYyB.exe

Filesize
647KB

MD5
022b804985fc3bc1857b8587e4330a74

SHA1
afdad4b0d85fbadd0cfc214ed13cb85640805756

SHA256
a71ab993f1473361fb74e378e0a2983d904b3fede85849ded23426c4b9e80339

SHA512
7fa44183354bf99678215e552bb539918d7b55a4c1fbb0646828980c40a5330c81ad075e983daccb04fe3abd28de256b2dc4a97a5c4e4647e3ae54f826873155

Download Submit
C:\Users\Admin\AppData\Roaming\YxTQbd.exe

Filesize
648KB

MD5
904d9a8a5b31139b3c895ef48806c646

SHA1
23305c7323f220e8eb6b87f12244ca9419fda48f

SHA256
e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0

SHA512
71dbc2495b7b3e4e724340059b8cc8a74d3fde9a4367b008f74e3f63a987c34d61feeb8a4daf007712981fbf72d6f0268a4e9622e3cf87a89c3487669e415bda

Download Submit
C:\Users\Admin\AppData\Roaming\mAFTl\mAFTl.exe

Filesize
780KB

MD5
e69c86e2bf6fcc2d11e084b00c9232cb

SHA1
872221c248ec38e900368fc4043675491a727b42

SHA256
9ee420b781fdb315ed430a7be919d357b79a0505db735d36b3080e1ae6091566

SHA512
a55de13537f177cb782efb2c39e6347412d040c0d14c9544df9d896990b0355432a1933163b3568ddefe15528a8bd020fc526e85b099bf57ea7f8c0011e11e9e

Download Submit
C:\Users\Admin\Desktop\fol\2023-0~1\D1E98D~1.EXE

Filesize
314KB

MD5
733c1f4d4d369abba739caf23bbb0b81

SHA1
06caf773c278ec16792bfcb3261cfdb08a2e13d4

SHA256
d1e98d098f45c722026716f6b574a056d535813805d00a8cc2f1943efc271fa9

SHA512
d1583b0e45df2e24731c998d5646999cbe726730fd2a9a6a4747385eb42ea2ca341b9b80fcf6ea9cb65555e182dc9dbc0152c1bfb7db4860d2b2ff40f4737f32

Download Submit
C:\Users\Admin\Documents\images.exe

Filesize
620KB

MD5
694164fe134ff6ceb763adae6a0c7947

SHA1
457595b4d760e4008b7af5bb43bb6fd9a82f74b6

SHA256
3fc32a17e44244ca407e4f217e71f433abc587fbec3185a56a9893bc28d9a22e

SHA512
ef9f684cae9c447b9d791ee28fc035ec9f750d4ab0931ce46e9144f1191374eb9aec8384b28ddd5d15338a79e97ec5f550dd54163bf1bc97745b3ee7a21fd4c5

Download Submit
C:\Users\Admin\csrss.exe

Filesize
844KB

MD5
082db4007f97530f2a58c598ba34c777

SHA1
ec4c6c7f632c243b775ce266b25691e79dfe8bc4

SHA256
49c73b052a2cc5cbf609b2481c7ad293f28235110165064b54f498eb6d45526b

SHA512
acc430f305acb8554a2e5bfea8a3e3853d3172d7968de392b2bdfd6025f9f4e888ca2d8f28485431fac479bddd8e3bd5d2afa77daa9723072cadf454b637f57e

Download Submit
C:\Windows\directx.sys

Filesize
201B

MD5
2761d99dea096e65d4618c35a6d65a7c

SHA1
ac9048f6d356f7240892cebc82ffbfbee0f8d43d

SHA256
83b47313d3f2a802a379d4ae23a2e64f99c5bb5b80c98968ea43cc9b90c2a786

SHA512
eb1e426f9e996aad021ba51cae470d2e40ac2a9aea1db349e3ea3902aa61eb58dfbedde8b830d69d3fc3a034f58968f6a4bcd527e1d80cd7f839371e76aab92d

Download Submit
C:\Windows\directx.sys

Filesize
185B

MD5
d123c919732322fb99c8084d2be75b78

SHA1
50727c831715f3f63c17d9822066a9bfc3aa4c4a

SHA256
8e0bf2150cbda42dbe8a9111cd2d70908253238a4023a439d5546a1384766a75

SHA512
f0b963cd148a83bee92b54b0511e3bbefa2ad4102611889d666ced6b782d8b7510975ce6b404fce9823aa0f87d999109e5edc758c64ec5d7838e02f1f847364f

Download Submit
C:\Windows\directx.sys

Filesize
201B

MD5
244f8e4371e18bf01fd442434c772084

SHA1
93137d245db7cafa334a3f3fcb081b6dd804d1d8

SHA256
ec8cd2fcbac726ad0e786087dd7743ad145c339a2d25dade113075b49e879e23

SHA512
595ebc010c6d363fafbb69c750a1b6575caab94a9a9105fc166691da8310a4919f830228be46fc8a2e8ad86618f7d2185393e33e3968b4925622497cc4b31e77

Download Submit
C:\Windows\directx.sys

Filesize
251B

MD5
4f90407dc7300e4b688268756d5e04de

SHA1
1e77100cbae74eb41b03fecdacb6f885371c74a2

SHA256
6ca961a23e542d62fbe749ad1d09d7909fe3c9082801bb055c6478ee6edd3d35

SHA512
2ef1b40bc6e5f65694ec1d35b78791fd9d4d2b48240404da7344d287045a08a7dc57f52da6b0f95204036221188e3e12d6b1951d728292de33b71fa86bb22979

Download Submit
C:\Windows\directx.sys

Filesize
301B

MD5
552ae0f8f5afafeccefb8062e02d2a18

SHA1
ffc59fcb74be707af45ea02c14f581527b77e6e5

SHA256
345170651e57b98b3996ab43733aeb0dd88b08a8855b1e38c004f39d82b8f08d

SHA512
8e00cc89ec2f8187a199d5d8d813f17390c6a6ec9ddc6ad8eb6e4d0fd1a7ad09f69a99f5817c15e0b1f3266d2529e649630b489606f917a6b5e2073d7567e659

Download Submit
C:\Windows\directx.sys

Filesize
351B

MD5
1e3c719d91dc2e824b2502a9f1be8733

SHA1
0c7c41d726c0093e98556132ef30c1406b286df8

SHA256
24339db99616b795afc54761d9208d2fd688b321903dd85c7444f7c7fea78188

SHA512
4d7c00d0372592a0923ebe7ead6a060f0336ed2235044e24c8da01b3b1e3f151a8b0cb7427db9941aafa66184ca48b96d293172b07c096796ac491e60bdd82e3

Download Submit
C:\Windows\directx.sys

Filesize
478B

MD5
19dbcb295ae0530ce29d9462e062243e

SHA1
b66eb6cf766f13ce118096c20214df6f14c88e15

SHA256
132dc83a1917fa63332012f36f12224674b2947a05a29be100be876e27c49289

SHA512
0bf2e7874b518685925248dfc592ae417f45a09c04d8dce5504ad0452c0afeadfbf6b680774acda6662c2dc175e3c291bc6003cd2f295eeccd1b391083d4f9bc

Download Submit
C:\Windows\directx.sys

Filesize
494B

MD5
ef775e5c46702bf54c4f8e0dd951c69d

SHA1
31c308caa8485e032bdf05f1640ff1c78dbcdb54

SHA256
875acb038529658893006922834b081bf12dc67b94f1074f889cfa2d29891afc

SHA512
f256db6bd18f46fbd054efc92ba8ad7f06399e18612fa5e83dcef7490e5d02464d15d2cd0b0a58b0ae2cc744cd4d6d1b3411bd6186b8c795043dd8eba8474789

Download Submit
C:\Windows\directx.sys

Filesize
494B

MD5
7fd869e38790073eb0df5e69009fb5a7

SHA1
4983d8f4dd6a1fe0152fd3250e918766d3f7d21b

SHA256
8abeed0b9763dc15c71e1f800e4b5dabab000308047aa0c31583e714ae96e341

SHA512
767df8b958733cc703777a32518b4e94849a1d901869fb77ff699e404bbbca1ae815381c101107da51b36df5c74adb774da39182e839f87086406a41a0c4007c

Download Submit
C:\Windows\directx.sys

Filesize
544B

MD5
9d4a98ed223d0ce4a5c232099d3fe63c

SHA1
291d922c8bc7e4a24da3e571d0ccebf46b5bd4aa

SHA256
c2468d529f0b6981a0f0fd0a307aecc06f2fb902993b8b58c4fae511c64ab8f4

SHA512
add5ac1413aca52111a64dc8dd6c27ba8ea05503a90adc57c4b1eab15262ebd5de20f87a981c34fe5e6c0327f0f8ff12fdb14d4633ae85e28bbfcaa70daec1be

Download Submit
C:\Windows\directx.sys

Filesize
528B

MD5
a4bffddadc3ff2427bf4b5272f02c4f0

SHA1
2cc07955e418e39173b03f5fc85963d7dfe730dc

SHA256
23b8844f3c10b1d03057d297b757c9e33b79d4cc367cc07309ffafa071761228

SHA512
0cb2dc7369ee55a386a06e279c95683e9ce686ad4805d7f8fdb2fce87ebeb1c02d39816d4db38caa0aa495a5c451f6dcfb195ae041cce3b7c293daead8957ae7

Download Submit
C:\Windows\directx.sys

Filesize
685B

MD5
9825c1d7595f6825473b67b22479c0a7

SHA1
ca63b9ca6605a48e8baab503119319f53e5d3c98

SHA256
e42e2f8ec8f9124d6695a1cec39a21c4f9de606d173c4370ac848e95747c12bf

SHA512
d41755dc79fdd7b3f1b0f80818c545e31a0cbccdd879ac279bd7a18d5297b6a56275fda7b4e24828a159b582d946e8514e5c6d13c7aec76c57afaac85124f0dc

Download Submit
C:\Windows\directx.sys

Filesize
669B

MD5
6f1955b09a906cae3dd5f63d0b1b0140

SHA1
128be2adeaaa5c38b85dcb211940b0320489056b

SHA256
7e11952b798f9e9e01633b2d28a2839953f3fc01ce330638987c35c2552a6d71

SHA512
e082616a9a9239a9529a97575f3ac8ffa7abe6975ca186020bf7b2f2998c2653fd387fd1397c667366ad6cf89423948d0da88fa4c7dfa712230e2efc523de222

Download Submit
C:\Windows\directx.sys

Filesize
685B

MD5
393fa9b1b9541c9de50a7a42fad72cbc

SHA1
8ee464f1670a7bd3df86d7b594c4c3e2255d842a

SHA256
f3c894d41c5f928851c8670ae082bf1cf0867fae9fffbb853e3cebc7d7a9b8e5

SHA512
42d89fc710cfaf13260ce0c30da4f796a6bb1abd9224164112462df55430cb4b2bd4a4c683573eacb24b18d19f4c51610b8f7c244b688db371c73bd85b25887e

Download Submit
C:\Windows\directx.sys

Filesize
793B

MD5
918bc6e2bf7d73e36efb7123561b4548

SHA1
47b297d07752f80bfdfe6beef019e9977f828285

SHA256
726bd3aa5bf3716ecc31be6a2c885acb2c7876d29de932aa9d5bcceea591edc8

SHA512
b036dc499841410f6f0caa3da519df48b3f79dcedc68429dc0c2e3d1bc3f77d37abc45132116735fb3611c8d80d166e5dd232cc33d92f7f63dd77bfda86bb4c7

Download Submit
C:\Windows\directx.sys

Filesize
838B

MD5
7824759fafc0947d9393d5b3a8520450

SHA1
a719b22d473450526a353db44b43df8ed063957d

SHA256
59c4946aa8b000a19e72b5b26630a8ae52cc55f67a32aa674e7b34ecb57799d1

SHA512
28d337a2651085985af30511e0803f0e3ede9d350058af396931d4733dbf7db17cba7c86be7c2104779d52449f30d6ebc952401b3ee81f124162e7d706622ce4

Download Submit
C:\Windows\directx.sys

Filesize
822B

MD5
125142bfe820f417edf851b41dd429fb

SHA1
830bca34e614ab7fbeecf6e061fb355f2c3694d3

SHA256
c131dd223e74d3f3752e706f80fd936ba4f8c23efb3cc6ccdbd2c81b253e238d

SHA512
32f59620b04c473c8ac6ae00d064ab3e19218f5f4c291062b11b1bbfaa3dc615600b2a3bcaef415f74a7baddb0790b7fd24b9bad91ee8db18e201c9d8e38e9d3

Download Submit
C:\Windows\directx.sys

Filesize
831B

MD5
b853229a8829345fd8c02f2b299af767

SHA1
dcbde31220a3bf271782c9189f350a667f333b53

SHA256
f0f004ebb88a705c20ca22bb69696edfb3f9b7e641538779176a4603612bef95

SHA512
2d35ef207d84cb5ce8052799125b428d452f7b5579799fabf94d4e1dfc7f4ef71f5658b8668fcd5a20b7e9c1094ca27b0245f8a17cd5fa785bdff9ae51525974

Download Submit
C:\Windows\directx.sys

Filesize
835B

MD5
17b87334cb68caa3bedb9e1d4606bb28

SHA1
cade974bce729bf42cff41eeb4791508981ce0fc

SHA256
b72e09c483e81b1c7aad062c27d33142caab8a9c7aa69f3396e2694c54916d3f

SHA512
cf13a9559e84419ea1a494cdf3a2bcdfae79f1c8ff51fe51a1a689d7599f7b827825f0143f40d6b1ff39820b5bd6836c0f983a339d6473cea700513d4018036d

Download Submit
C:\Windows\directx.sys

Filesize
673B

MD5
9a26412e06a3d310d238103f9634f1d0

SHA1
5ab75748bab45bec7f3a92037a9db65fabddd8bc

SHA256
930557763f8fef442488cb55e7ec921c8d02f668d31c24c51affeb365012e855

SHA512
c5d786b2f441017821ab209178b9fa36693450b1ebd11227872662b2c49195d285b5f6fcf2475c7ef9b29f6609a136636e2b9d4db83271e53f5ed2bb208eedd4

Download Submit
C:\Windows\directx.sys

Filesize
723B

MD5
a4462b7ba1c302848d37ff761d7c9545

SHA1
862f63a62fb68ae71a4c5fb29338909ad0dc0b6c

SHA256
2aeed86d8a67863cdbcf28d9de832db353c8c4890e5d41334a18558af9321bab

SHA512
59f2977ada10dc86de74456c37c6165070f04db07f75fb4ab90cc3f6fb515a4ac0dca7c45ebe134b36c275df2b38815129f027571fec5017846387ba7d37540b

Download Submit
C:\Windows\directx.sys

Filesize
823B

MD5
7a620abf5ec21caef350da9a75f8fba6

SHA1
2a3a0c49ec1e23101721c544e6ea2197306aa3d9

SHA256
6c9635db2e12cd0565795d49acdbe74eb0e0f62ef69dc543842dfb1b9684fef3

SHA512
bb057906ed32d826a25eb69b25f6265e422f7903f4de6ea9facf746069bc2e7b7153e7c0bc50e21708ed07e20dbdb128b24e52df75b6cad387a11649f23a9348

Download Submit
C:\Windows\directx.sys

Filesize
902B

MD5
729c6108ff3637415c46430e27db8086

SHA1
395424e637ae69676b1fbb8412c9a05031d25ad2

SHA256
23e0ca41e3c4a13d9a155de232b734d0c4fba538cdb574d1e98f4fb97f46687f

SHA512
068f129e80e8dfec86fdd27d39e7ef65b7e6a30d21ba63dae56c72d1bac1b0cc5649f570535a74b742aa203d3ff02ff441aec309357295030ed234673f98a887

Download Submit
C:\Windows\directx.sys

Filesize
923B

MD5
78a228cb02b9e8959fcabaf178c9274c

SHA1
73231cd5d12d4c4bfebc06df7606feaaee2775dd

SHA256
8dba03427dcb72d9011dc81f46a1d3bee318dbee751ed27ca4af67df3d6a4018

SHA512
543a0f609b6f3a453108d0064b5935fc397f096dc37ad2a8770e884f684ea4626adb914d12fbefcd0f029f3c447e8fc481c4e47a375e639080eea89e4bd608ec

Download Submit
C:\Windows\directx.sys

Filesize
973B

MD5
76d89e8691e51779c5cfbb7f1d897900

SHA1
eaf0accb87b19687d04ba8dad2e4819badc358bd

SHA256
783b2ed403cbded2751bc78150c9c2e2b74d8120c04d6b82a3e37bc9e29b8987

SHA512
c5c435d9446c16ed5b380dcd10389c8bf9e207acedd7c0e38da0f3d9124bb4bf3320d63040007a45492b98c0dc1f58f93345d55188127f1ce88646ea5ddda47c

Download Submit
C:\Windows\directx.sys

Filesize
1023B

MD5
4e788a1e2022b9d6c62db5cd0cf53db0

SHA1
3f615b3cdbc6db3a7100e021d401e8c560ed03ed

SHA256
c01164e3231e285e58d1ca607c2512eed3e7fb92192d77488fb17a3e8dfc7c10

SHA512
a0aef01eaf4e0a22deb497d0101c1bc8059a51bb30c9b3746f53e321ed8a376e752bce4d5b67d064ceb49f6ee09254298336897406600dbf8ff12a2e2dcb72db

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
bac7cf28b9eaaebd8ca49df2c66c67a8

SHA1
d97927e92b157f86751bc870e0f70138c72e8c31

SHA256
fcec28db7d8bbfc9c89ef83992997a7321d2a1d5dbae689c4550e187c7d02f7d

SHA512
a6c1182c9a6c9cc0fe949de707413eb0b95e2d78c231abd68c8739c3624be2a4b72b8de616e44be6e5aeb862e989e7ed1e9d8058df42c63569f01e5fd531465a

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
992caecaca0b0c8c4766237828e40837

SHA1
a76831f09fb7c66be69ddbb979dd4b7d26139637

SHA256
9003675a35d1da6edf4949615496ee0fcdc367b4446c6ec2a9e4d05578557bc9

SHA512
f32024330bf6647b31950e1925281cc33c4d1b831b0deb4639badc983365c977da32d42322582d1971f3addf693546f523a0cb6550b15bb10c003d7c47c0a254

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
8512615d3bab4a861728b6b59836e7aa

SHA1
4ae66243559ed37921d84e28a41ed0a9b15d8f4f

SHA256
3c3146cfaf24111ef940dddea9d4da181ff60cb07df0247614624ba7d3474032

SHA512
8b9dc022f08029656f38381ec6c52bc3912340e16243f455566a2595a2d077a77d6e50b27ea2eb7aa5a7ff655f192fc3910243a64b836030dcf057eabe48bf83

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
a443ddf134f4f0577618f90c863eb7bf

SHA1
10e76a36ed13decf9e1a946073e57e685b1cb392

SHA256
1fb57df080281b91a6ddd0524a362c8e1548e7b8f6021d044fb67dc80913d468

SHA512
29caa1d48f253eb633be2c4cd557c48883348018dc157d00d7fcbfd2494b7a3508ddba854ec12641d9854ec6c8e6764626fb54bed79f49c1877d9fbad9a2ee08

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
afe7afd8fc7f3f0bcaaa9d3781b4c642

SHA1
503b7b70d4722e068e5ed77196e4169bbbcad50c

SHA256
115868ebf9e9f392d1a74f558e2368e89025ba7483a9604bbfa0a113d9a6b5aa

SHA512
3bae76c5384af67f01f27afeb8a4e06acd0ab795e323b6dbf01470c3154097dabf0365c8d613668453826040b0859da72664c2e05f94dcd93aae43651199b1bf

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
7b71aefce9fed9fc0d2e3bab06fce6dd

SHA1
3c712a73fb841747fa878cb88bdb33c7af758ea9

SHA256
e219454eceb13aaa8d5ef7fed881051d025d22e2ef8b25b572280f48ae4ad04b

SHA512
44f3b8b0b06c97d5d541a1261ea7b7902eb81090cfcce049a78b27e28c692759cec7ca05db2f13936b0bf88b43677afa4280915c4af4329eb92d0e2df1ad75df

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
18059cf86fbeb924eb6c4722bf2f983a

SHA1
f02d85367d4d3220571b5e56f144fc884c8b78d1

SHA256
08bc863c91ae1e0bd87157690a9e22a61620905b433467f23293dd6a99732edb

SHA512
a2618b6e3c89d8efd37c5825ba57dccd6bc761f7104d216f9a96c4dae4c78b354ef9368564957ed2729815be8b9645abab07760313269640f6fda92e3e55a969

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
9fa5d57afcc409e0a78d55919dab0708

SHA1
653b6e2230d5d84562339f4871dae6365ada9ab2

SHA256
eb9d9ae7e483e8a3edd4d7a43dad1ba4ece1336c47ec5671eac16c8abc900837

SHA512
5032e63535d474b2b8dbf768a58e8bb175e9f1fe47357298d37c3019ef0263eaf6f2fa7557e51742095b311175ab9dee7669d3836305f83e01a7a300a4bd678d

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
0bdb52ecebffb0d389f82bb4a03a0564

SHA1
c5ef9efaeb128e7cb417bcd24f810d6929f4fcbc

SHA256
3d6d7fe916aa3747e504e917728a388a1181241976373ed13546a686b5fc1a7f

SHA512
cef72b6d32479d44d661b4fa97bcee5a3aa2ccc2b0e7a47b21838d8537bae31bed3074e27f5c325e5f43b903c682c8b6822e395743d54f3cffb34d16f62dc3f9

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
e853ca6bda11a8affe67c071f5b69fb8

SHA1
8c1bff43777e527c9799f77fe12ee9fbdb5d3a98

SHA256
f278256e5402c06dd12308211751351a242f7f8d69cbe4b2ea9dc4b6bbf32eb4

SHA512
bb5047ac2c527da41653e3a3212da01ed3cac65b42cd3b775fc7323a135c6774522cb7e2a5c76b7f13e87c89a4914f6652a9eb95ad06b3e6a31e53c1867e3256

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
a84db7e6778627ab8dc2786464c655d2

SHA1
0394808a02773c1a0a7246359f6105b1d89a7c28

SHA256
60511ff98b996330fa391799e3fa0e9c5ba88f23a18554db557b945337b3d07d

SHA512
8e63cd52c4af092455fb9e57a12c2e82da9bb903ecbc2c38553ecd290cb8c82a30e90b3c54d95f663b54145736acd654337ff06574cb2f31e1055b060125c05f

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
0cc023266437674e8f5a3e6c8c05c459

SHA1
74681ea482d871a1e8c2255f609a2ca6f7980845

SHA256
843140cf4544ca9992aa96a4e8b80219b73ff0327680e519f73e6459800f5bea

SHA512
3580fd2b976a4268125f6fc46e7334211e365d40769403f95adfc2531effb31a48b4f23a4be911186422717cd92533f5f7f58ec923ee40b017205af87b97d287

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
2bd9e9380f9f696297fe2452495a5b48

SHA1
6e9888cb605ab7a06ff6fcb6764a4550eb5cb81b

SHA256
0c7132b487f695f0602ddbbf37246c470b07e384a815a9d6938ad7b7389fb7e7

SHA512
f15ede6b75976a3cf7651db4c5349a52ae4af01a2503f3f9eef7deb497e4d831445645f81602721350266b22f637335501f75b3a8dea0c8249d8aa8f66bdc4e7

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
9c41d543cda45b59a9e38cad2dfb853a

SHA1
cd00dd7f24d6296f3b00c4f53421f1bc635d76e5

SHA256
34d10f203a43c71dc48aaf4159729354bea12706d005b8dcf3cc6f04fe99ce7d

SHA512
c9a6b8facbd105c5a0ebafa5bba01ec5d43afc85fbbf7924216f3e5f0a072fdd9f98ca54418a285fb6a36d75d478c9b5aa6227a099ffc1da32c3654977fe47a0

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
911608c7722003436213a231d321dd54

SHA1
dececfd047dbb11265671c792e503277eb496040

SHA256
7025a980f545bb954854500d8af0a23b68a09e709fd134faff0fa04595efba07

SHA512
116da54b8b16272b38833f01e376680d9010fb10ddb98823e41c0278f753cf5f1e66db36707dedef951fca39fceae85d9e29c0a1f365c75a70bbba409dc41701

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
877e8a54bcbf429ddd5cd5d0553f64da

SHA1
863523096f5ec7f83955035120c3e80548795650

SHA256
289212f76f9ddf277a1aaae53314999578adbe60448366a4701a99df0eb99ed7

SHA512
87b5e85183ed08cc1b52a58e23663565febf6a8f3531b702ee3f22dea410faebdda49712b52f4641bf6734c8391f44b3751a562d24c7d2975f5420d61cedd093

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
7e7939cdb0eefbd13bdb37ed2eb4e693

SHA1
bfa6ce5ed61c779ad8b8216b97c2e126d6812551

SHA256
3fd5031c199de04b0490df63cc7aefe52966857317b3d1a1a923ed25be615069

SHA512
f4ea49d12edf7bd10f5a199a049f321bcdd308d5bb85ec9823c6bcb73a6d9b0033045b257c8e088b36c217629f5db6af5331dfb86f334b8ade83b843e18ff3ac

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
e216c6a3075413026f51ef42c02f8c98

SHA1
07e84ce66179d36d61ab1f8f6af65f2da8c72d9c

SHA256
9b4483e18c3020de762538aefffb2dcd39d6e5bd7125541f839a2f07766a9ae8

SHA512
372aa0dc96afddce6c91958353e61cc5027a55d2b7e62db492ccacca1ec26e60f8ca25923a174cc53704a63b179ad917991e1b9ddefdcc188df3dce8248c7370

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
457ebd92e951e0c065240998223e8c0e

SHA1
76707b382fbb97daed80cf8516ae38fcdaef11b4

SHA256
cd48ad63d2b5886bc4210312db03bc0a6d0e5c09c9fe675b9edf28dce783cc3e

SHA512
4193ef51a8037ffafba127215b8e293aab488c1f7fc16ffe9d876c6d7df31c196531dfd97b96fa30792ed1dbb0f09e61d1eeede68420966c4ce8bfb3c6f57da9

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
e5e8ada90c1351378ec3d87cc2c8c068

SHA1
abe0ac0b45f453cf2a904ff2485ad48b32e04ce7

SHA256
5efc73123daa649f54b9707be885533f2e88f44cbec3f4ee95fc0cb36c55b09f

SHA512
dece975672177bffa929cf9d1fdba4f5f9ce5ffcfa8db664265b2294bc4c2cc4f7860e13e60262976172f48cfe13a88472e704b775a83376f499b9831972654f

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
b1930d852d81b838f338be7cc443cef7

SHA1
0dd3b7490e96adf1fff8938c15329e318884b44c

SHA256
05a4dc21a94cda916ba08474f8a87169de718c6c6b7da68fdc079e1c2a5c61cf

SHA512
3564df0420fee41d8130435e608fa5a9045df66467166cd0df6854576b35da1899fc33c2e20a5c0345036b199bd92a47315547b96e9a3bc738fa47fe3fbbc86f

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
c4f154e1e6a90e39add5fec4ad31cd84

SHA1
46012b66cb7b3176ab07c798ed66c95d49429525

SHA256
da9c5d034244c60aeabae97dce383e857d7bdc6a8b7083cfe8bd29ad9dc4c628

SHA512
7656cb6484fcd291182665c8d7a8761c74a076e3e2b6960ee1c0c451f61901ed31aabe2686d9d58c2ce5f9cd8e4ded897bb153797bbb9c180eb8f6cc6c83c925

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
1f5dab82254bce896d360a4cecbf197e

SHA1
febfb2fd93c05f8d30036fc558c005340083ffdb

SHA256
fda15ef7d21ddd1fa842e9dcd461c248298b6bd25b21e906bd36ac85d46ecc10

SHA512
852fb7defee973ef1bc5f02b235254d53be05a529a673f3e05b1128213148afce33bcc2dcb63a1d6120d36e61dc953f4c05024d9cffa2c76551da29484e56cff

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
91247ea83dff7811affc12629af489b5

SHA1
dfd8659ddf8271fa503352b83e0427209c365e43

SHA256
aca7906f275fcfc67fef22169fc6b552a9729db5b8cf79d635c2a2e0ad0dc3c0

SHA512
679fc3a57957748655154480d71ec57b56290efc9991f1d1828b9f9527a67be177e31c750e675e3a3fbe34cdf8df8683b2928018087f1511fd38b46fad7c363c

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
0d34ea604a1743433c92ab69c32d34a3

SHA1
45ce3b5af79406815e51e287c2cb40b0de10490d

SHA256
753d380048f67673debe583b0608cc5188f350890f24f3b1de22f338e026a218

SHA512
696bd689ce39f9f4cbd45d4ddf8bdbdea817ca624761d6ded39d8ff315afbaf6662092a5b37efd12015aff53cafcc15b5919fa1dea49885a84cab964bb4516ee

Download Submit
C:\Windows\directx.sys

Filesize
1KB

MD5
46902d314f5f2d6fa0ef2fa5cf5afd3b

SHA1
a2c9dafb3f8dade63e9582bafef0713440a9b2a2

SHA256
08850adafb815a3bc7a66c491f8ddb395358df0d8363931a08cbd095c28ec8be

SHA512
7d5cd450a9bd3dd337043d85e6b34df168876939a57450da1792e89d0c45b15530f3d6c85c3cdae4d2fc18a35ef80363b01eecebf9d738d614b882d88ed42098

Download Submit
C:\Windows\directx.sys

Filesize
84B

MD5
67dd18439a77cc25807c0c81197ad008

SHA1
0647001d253af2933ec7c66e8e1de6784d117c50

SHA256
d32bfe1b6fbb3dce0ee7bf6653d9fbac774871c18122f2038075ae814182174f

SHA512
5857ab1d1f81ae2f31af722816b1837926cb3765e5899bd541afda47ebc0db383ea24ae802e6219c95f54390f16410790878f68ced6ada6992ec919c832822fa

Download Submit
C:\Windows\directx.sys

Filesize
150B

MD5
162b8b2bd10d755441a18a78d37950ec

SHA1
276915fe8834c7aa2b30e8015a7ef3d38131e988

SHA256
0d25bc766b62e6e1c816de8641207219816f08b85825a3af588d7cdd72315a65

SHA512
64ad3299260524976abae3b3b82049a556c9248b4d78f70919cdc9baa54e08805d4391de488479520a535ffb8404f333645136ed63f2c145827b0c9bc0560f7e

Download Submit
C:\Windows\directx.sys

Filesize
134B

MD5
b3c06581858575b5d88eb63d03f23be3

SHA1
f2940c61ec39fb920d3dcf225c5becc0e18ae081

SHA256
a114c9b1a7e9e88311c64154314aac3d0ccb9f1dd4b9511ba47dcdeba2734f37

SHA512
5959c3d8ef3b28fb454acbfc9c91f0c73b0145949593edbc2dd3965e59052aff392ee9ba00ec76da251d924fb19d3e2421f0380a0fa5d98721b1c535c554b086

Download Submit
C:\Windows\directx.sys

Filesize
183B

MD5
4c6d0931ccdff74d7c6f72a9599558c2

SHA1
29c487a695735253f193537853c6827012d5f039

SHA256
12a29c45bcb851f1657426923f289c42773d4e6dceac08e0c6a8653f0318a6e0

SHA512
c376934695dc41232b2dfa979a6d2013999840852880b724670ba02b63a5ab522677d58ad6f77dabb4e781ca9f40ce8d866567cef07ca52156fbb0bb4fb53dd2

Download Submit
C:\Windows\directx.sys

Filesize
229B

MD5
1db8457709e1d9523b1f7c3bee81ee85

SHA1
37a1e0ab81bcb689dd213a6f7154b0d50c8ebf2e

SHA256
ab4e9c0e284f972dab851505ee599ae3c998d5aab12dc320f7bfbfc4419db630

SHA512
030f21684964e4cb568390ebc76521b34ce5bb71fa73ea2929df1706b1539dcc846db782d49c8e196c70d785bef85bebf75af434c536ecfbd4081e66d1f8fc16

Download Submit
\Users\Admin\AppData\Local\Temp\BohvhBvo.fyn

Filesize
2.1MB

MD5
264e8dcef8c402a4725283374e3e70b7

SHA1
21d97163ba61e01b48912ca8e72e3173a3fd03f3

SHA256
05aec7ada3bd9384e58b70be7517a1492aefd3d37e27843678622acadd267bb6

SHA512
268de85154f7bf8484180052edc112d548f67583afb1b42d749f459c7f48aa3e3be7418a5cd6f1ffb14a2ed02cfe7350eb67c832a85ba31202e2be339a04e3f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsn3C30.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
\Users\Admin\AppData\Local\Temp\nsw1F13.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
memory/204-590-0x0000000000640000-0x00000000006FA000-memory.dmp

Filesize
744KB

Download
memory/316-404-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-394-0x0000000004F90000-0x000000000501A000-memory.dmp

Filesize
552KB

Download
memory/316-408-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-402-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-410-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-412-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-414-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-399-0x0000000005B70000-0x0000000005B9A000-memory.dmp

Filesize
168KB

Download
memory/316-398-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/316-397-0x0000000005310000-0x0000000005660000-memory.dmp

Filesize
3.3MB

Download
memory/316-406-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-401-0x0000000005B70000-0x0000000005B93000-memory.dmp

Filesize
140KB

Download
memory/316-393-0x0000000000840000-0x00000000008CC000-memory.dmp

Filesize
560KB

Download
memory/532-176-0x0000000005EF0000-0x0000000005F52000-memory.dmp

Filesize
392KB

Download
memory/532-174-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/532-342-0x0000000000400000-0x00000000013C3000-memory.dmp

Filesize
15.8MB

Download
memory/996-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-153-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1288-129-0x0000000005C10000-0x0000000005C2A000-memory.dmp

Filesize
104KB

Download
memory/1288-120-0x00000000008A0000-0x0000000000950000-memory.dmp

Filesize
704KB

Download
memory/1288-341-0x0000000005C80000-0x0000000005C8C000-memory.dmp

Filesize
48KB

Download
memory/1288-346-0x00000000069D0000-0x0000000006A3E000-memory.dmp

Filesize
440KB

Download
memory/1308-173-0x0000000000660000-0x000000000073C000-memory.dmp

Filesize
880KB

Download
memory/1840-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1840-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-183-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1956-63-0x000000001AFE0000-0x000000001B030000-memory.dmp

Filesize
320KB

Download
memory/1956-68-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/1956-64-0x000000001AF90000-0x000000001AFA6000-memory.dmp

Filesize
88KB

Download
memory/1956-67-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/1956-65-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/1956-69-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

Filesize
32KB

Download
memory/1956-66-0x000000001BC30000-0x000000001C156000-memory.dmp

Filesize
5.1MB

Download
memory/1956-62-0x0000000002480000-0x000000000249C000-memory.dmp

Filesize
112KB

Download
memory/1956-61-0x0000000000290000-0x000000000036A000-memory.dmp

Filesize
872KB

Download
memory/2356-123-0x00000000001F0000-0x0000000000292000-memory.dmp

Filesize
648KB

Download
memory/2356-368-0x0000000006230000-0x00000000062AC000-memory.dmp

Filesize
496KB

Download
memory/2364-200-0x0000000000550000-0x0000000000598000-memory.dmp

Filesize
288KB

Download
memory/2372-336-0x0000000000400000-0x00000000013BA000-memory.dmp

Filesize
15.7MB

Download
memory/2388-94-0x0000000004C00000-0x0000000004CE3000-memory.dmp

Filesize
908KB

Download
memory/2388-126-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2388-59-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/2388-91-0x0000000004C00000-0x0000000004CE3000-memory.dmp

Filesize
908KB

Download
memory/2388-90-0x0000000004AF0000-0x0000000004BEC000-memory.dmp

Filesize
1008KB

Download
memory/2780-96-0x0000000000720000-0x000000000075E000-memory.dmp

Filesize
248KB

Download
memory/2952-114-0x000002B99C1D0000-0x000002B99C22A000-memory.dmp

Filesize
360KB

Download
memory/3144-340-0x0000000006CE0000-0x0000000006CEE000-memory.dmp

Filesize
56KB

Download
memory/3144-128-0x0000000005A20000-0x0000000005A34000-memory.dmp

Filesize
80KB

Download
memory/3144-347-0x00000000083C0000-0x0000000008434000-memory.dmp

Filesize
464KB

Download
memory/3144-339-0x0000000005A40000-0x0000000005A4C000-memory.dmp

Filesize
48KB

Download
memory/3144-122-0x0000000000EE0000-0x0000000000F88000-memory.dmp

Filesize
672KB

Download
memory/3248-175-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3248-338-0x0000000000400000-0x00000000013C3000-memory.dmp

Filesize
15.8MB

Download
memory/3696-110-0x00000000050E0000-0x00000000051C3000-memory.dmp

Filesize
908KB

Download
memory/3696-113-0x00000000050E0000-0x00000000051C3000-memory.dmp

Filesize
908KB

Download
memory/3696-97-0x0000000004FE0000-0x00000000050DC000-memory.dmp

Filesize
1008KB

Download
memory/3696-335-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/3696-88-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/3812-109-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/3812-10-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/3812-7-0x00000000002A0000-0x0000000000350000-memory.dmp

Filesize
704KB

Download
memory/3812-8-0x0000000004B90000-0x0000000004C2C000-memory.dmp

Filesize
624KB

Download
memory/3812-9-0x0000000005390000-0x000000000588E000-memory.dmp

Filesize
5.0MB

Download
memory/3812-14-0x0000000005340000-0x000000000534C000-memory.dmp

Filesize
48KB

Download
memory/3812-13-0x0000000004E10000-0x0000000004E5A000-memory.dmp

Filesize
296KB

Download
memory/3812-12-0x0000000004CD0000-0x0000000004D26000-memory.dmp

Filesize
344KB

Download
memory/3812-11-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/4412-17-0x0000000002E90000-0x0000000002E9C000-memory.dmp

Filesize
48KB

Download
memory/4412-16-0x0000000002E80000-0x0000000002E8E000-memory.dmp

Filesize
56KB

Download
memory/4412-15-0x0000000000D30000-0x0000000000E24000-memory.dmp

Filesize
976KB

Download
memory/4420-357-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/4420-118-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download
memory/4444-152-0x0000000000880000-0x00000000008C4000-memory.dmp

Filesize
272KB

Download
memory/4564-157-0x0000000009540000-0x0000000009552000-memory.dmp

Filesize
72KB

Download
memory/4564-158-0x00000000096E0000-0x000000000971E000-memory.dmp

Filesize
248KB

Download
memory/4564-150-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4564-151-0x0000000006F60000-0x0000000006F66000-memory.dmp

Filesize
24KB

Download
memory/4564-155-0x0000000009CB0000-0x000000000A2B6000-memory.dmp

Filesize
6.0MB

Download
memory/4564-156-0x00000000097B0000-0x00000000098BA000-memory.dmp

Filesize
1.0MB

Download
memory/4564-164-0x0000000009720000-0x000000000976B000-memory.dmp

Filesize
300KB

Download
memory/4856-105-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/4888-337-0x0000000000400000-0x00000000013C3000-memory.dmp

Filesize
15.8MB

Download
memory/4888-124-0x00000000034F0000-0x0000000003556000-memory.dmp

Filesize
408KB

Download
memory/4888-125-0x00000000059B0000-0x0000000005A12000-memory.dmp

Filesize
392KB

Download
memory/4908-52-0x00000000051C0000-0x00000000051DA000-memory.dmp

Filesize
104KB

Download
memory/4908-48-0x0000000000750000-0x00000000007F6000-memory.dmp

Filesize
664KB

Download
memory/4908-303-0x00000000067D0000-0x000000000683A000-memory.dmp

Filesize
424KB

Download
memory/4908-302-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/4940-95-0x000001665A3D0000-0x000001665A3EE000-memory.dmp

Filesize
120KB

Download
memory/5316-388-0x00000000053E0000-0x00000000053F4000-memory.dmp

Filesize
80KB

Download
memory/5316-375-0x0000000000710000-0x00000000007B6000-memory.dmp

Filesize
664KB

Download
memory/5432-287-0x0000000005160000-0x0000000005245000-memory.dmp

Filesize
916KB

Download
memory/5432-282-0x0000000005160000-0x0000000005245000-memory.dmp

Filesize
916KB

Download
memory/5432-278-0x0000000004D30000-0x0000000004E2D000-memory.dmp

Filesize
1012KB

Download
memory/5432-243-0x0000000000400000-0x0000000000624000-memory.dmp

Filesize
2.1MB

Download
memory/5484-530-0x0000000005EC0000-0x0000000005F10000-memory.dmp

Filesize
320KB

Download
memory/5484-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5540-548-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5544-625-0x000000006BFD0000-0x000000006C01B000-memory.dmp

Filesize
300KB

Download
memory/5544-636-0x0000000008EA0000-0x0000000008F45000-memory.dmp

Filesize
660KB

Download
memory/5544-454-0x0000000006C70000-0x0000000007298000-memory.dmp

Filesize
6.2MB

Download
memory/5544-486-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

Filesize
136KB

Download
memory/5544-487-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/5544-624-0x0000000008D70000-0x0000000008DA3000-memory.dmp

Filesize
204KB

Download
memory/5544-453-0x00000000064A0000-0x00000000064D6000-memory.dmp

Filesize
216KB

Download
memory/5544-645-0x0000000009020000-0x00000000090B4000-memory.dmp

Filesize
592KB

Download
memory/5544-569-0x0000000007C10000-0x0000000007C86000-memory.dmp

Filesize
472KB

Download
memory/5544-488-0x0000000007560000-0x00000000078B0000-memory.dmp

Filesize
3.3MB

Download
memory/5544-626-0x00000000089F0000-0x0000000008A0E000-memory.dmp

Filesize
120KB

Download
memory/5544-558-0x00000000074E0000-0x00000000074FC000-memory.dmp

Filesize
112KB

Download
memory/5568-396-0x00000000003D0000-0x00000000004AC000-memory.dmp

Filesize
880KB

Download
memory/5624-391-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/5624-390-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/5676-457-0x00000000056D0000-0x00000000056E6000-memory.dmp

Filesize
88KB

Download
memory/5676-400-0x0000000000910000-0x00000000009D2000-memory.dmp

Filesize
776KB

Download
memory/5732-251-0x0000000000C80000-0x0000000000D5C000-memory.dmp

Filesize
880KB

Download
memory/5832-332-0x0000000001330000-0x0000000001357000-memory.dmp

Filesize
156KB

Download
memory/5832-331-0x0000000001330000-0x0000000001357000-memory.dmp

Filesize
156KB

Download
memory/5844-520-0x00000000001B0000-0x000000000080A000-memory.dmp

Filesize
6.4MB

Download
memory/5932-631-0x00000000009C0000-0x0000000000A74000-memory.dmp

Filesize
720KB

Download
memory/5964-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6048-263-0x00000000008A0000-0x00000000009A8000-memory.dmp

Filesize
1.0MB

Download
memory/6060-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6184-489-0x0000000000190000-0x00000000001EA000-memory.dmp

Filesize
360KB

Download
memory/6404-591-0x00000000004F0000-0x0000000000590000-memory.dmp

Filesize
640KB

Download
memory/6580-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6636-511-0x00000000005A0000-0x0000000000B3E000-memory.dmp

Filesize
5.6MB

Download
memory/6764-471-0x0000000000380000-0x0000000000A02000-memory.dmp

Filesize
6.5MB

Download
memory/7080-477-0x0000000000630000-0x000000000157C000-memory.dmp

Filesize
15.3MB

Download
memory/7084-549-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/7124-519-0x00000000007E0000-0x0000000000E34000-memory.dmp

Filesize
6.3MB

Download