Malware Analysis Report

2024-10-10 13:04

Sample ID 240618-w7fzzsyclq
Target PornHub.exe
SHA256 9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b
Tags dcrat njrat lox infostealer persistence rat trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b

Threat Level: Known bad

The file PornHub.exe was found to be: Known bad.

Malicious Activity Summary

dcrat njrat lox infostealer persistence rat trojan upx

njRAT/Bladabindi

DcRat

Process spawned unexpected child process

DCRat payload

Drops startup file

Executes dropped EXE

Checks computer location settings

UPX packed file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:33

Reported

2024-06-18 19:04

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1579s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\PornHub.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

njRAT/Bladabindi

trojan njrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Windows\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 7.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\fr-FR\conhost.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\088424020bedd6 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\conhost.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\088424020bedd6 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\PornHub.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\svchost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\fr-FR\conhost.exe N/A
Token: SeCreateGlobalPrivilege N/A N/A N/A
Token: SeChangeNotifyPrivilege N/A N/A N/A
Token: 33 N/A N/A N/A
Token: SeIncBasePriorityPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\svchost.exe
PID 2828 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\System32\cmd.exe
PID 196 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 164 wrote to memory of 2324 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 164 wrote to memory of 1536 N/A C:\Windows\svchost.exe C:\Windows\SYSTEM32\schtasks.exe
PID 164 wrote to memory of 1144 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe
PID 1144 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
PID 1144 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe
PID 784 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe C:\Windows\System32\cmd.exe
PID 820 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe C:\Windows\SysWOW64\WScript.exe
PID 4584 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 2920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 2208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 68 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 5020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 3800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 5076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 4468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\PornHub.exe

"C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 5

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe

C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe

"C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe"

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"

C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe

"C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6095.tmp\6096.tmp\6097.bat C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\conhost.exe'" /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\NVIDIA\DisplayDriver\535.21\cmd.exe'" /rl HIGHEST /f

C:\Program Files\Windows Media Player\fr-FR\conhost.exe

"C:\Program Files\Windows Media Player\fr-FR\conhost.exe"

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\svchost.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.125.188.168:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 168.188.125.3.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 narzieo9.beget.tech udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 35.157.111.131:17799 7.tcp.eu.ngrok.io tcp
DE 35.157.111.131:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.124.67.191:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:17799 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:17799 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:17799 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 220.166.122.92.in-addr.arpa udp

Files

memory/2828-0-0x00007FFA7EFD5000-0x00007FFA7EFD6000-memory.dmp

memory/2828-1-0x000000001B6E0000-0x000000001BBAE000-memory.dmp

memory/2828-2-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

memory/2828-3-0x000000001B120000-0x000000001B178000-memory.dmp

memory/2828-4-0x000000001BC60000-0x000000001BD06000-memory.dmp

memory/2828-5-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

C:\Windows\svchost.exe

MD5 9b95850ba61105402a304d85c4b2fb63
SHA1 82b7de9e072659cb44c4dce2b8fef57ea2824b2f
SHA256 9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b
SHA512 87828c6af036b083c0ca9bd4781b79a5be137e6a8b333b6aa81f44fba03568f743a327bf16c4b2995d42f4408f956a8846a7a2e2dd6d60ccf13418a7ff505f8c

memory/164-12-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

memory/2828-13-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

memory/164-14-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

memory/164-15-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

memory/164-19-0x000000001D500000-0x000000001D59C000-memory.dmp

memory/164-20-0x00000000012B0000-0x00000000012B8000-memory.dmp

memory/164-21-0x000000001E420000-0x000000001E482000-memory.dmp

memory/164-22-0x00000000031D0000-0x00000000031E9000-memory.dmp

memory/164-23-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

MD5 7f671d6d2e4532b72089ef8937aa0e3e
SHA1 469a4a15b5ea3f59e0d0daa03d3dc10d2959b234
SHA256 cd856e5705876d46f5e5a80f5ddbdba6b253232b5104302e5ee503fb6601d402
SHA512 185f20728f2ab206866930d532cea568c07514eb8cedd33c77a84815e3148be7af75ab8a6f46b5d45324234c758bd4ffaf7a5174c8c6e5b00970aab7a78f43df

C:\Users\Admin\AppData\Local\Temp\e76835128eb64e2394879de5c78c5bf1.exe

MD5 9e031df31b43125c84247a1f793d1dfa
SHA1 37aa1ae715fa24d77c767c2da0de773938c33852
SHA256 8baa474ad56ae8805f17ba2fe911c3fda01c65eb7d919a3b8b779a03e33ce3d7
SHA512 037496a1693edd7d9acc792090f2c947c2f40112813a5f869beb04c45db37605c5a0ca996b05d57555e32943ab47358800514dfee4cf79aa007cff5dbc5bf4d0

memory/1144-33-0x0000000000140000-0x000000000027C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

MD5 531bf67134a7c1fb4096113ca58cc648
SHA1 99e0fc1fb7a07c0685e426b327921d3e6c34498c
SHA256 67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a
SHA512 8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

C:\Users\Admin\AppData\Local\Temp\BOMBER-CMD.exe

MD5 26eacb0c38f1dcea74aad8f8b4fc3800
SHA1 947224d73036008dcb6593811e6211c2a2c82f55
SHA256 4ff6abcd8168f723111c09b863ead5dc9b7f3980555ead7d2a90784cbbaf348c
SHA512 672c5a6d76177fd24e36153261396bd0535e13beb811e6fb825678eb0fea751edf346639efdc0ccc98ea1c0bc24269a6c194743f1cedaf8532784116bf667f4b

memory/784-46-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6095.tmp\6096.tmp\6097.bat

MD5 ffd56af09cccdfcd1ec0af66e795cadc
SHA1 c4895604d04e4a15cd09c15fce732cdeaf87cb7e
SHA256 ddbcc794f000d1ffe0cfa36e9b3f87edfb3a5adb477b1597f35f4d786d7ef787
SHA512 a03509f07b714647acb7f66909ac96fb4a3927d3f4927343ab65e3735ba7824b410f13306e8430b0a85e53598517d54ccb7f0dddeba6460528d7faa45a48ff7b

C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe

MD5 d7df2670ad0c6c7b9cc48122f20f086c
SHA1 e69bf8c214d8c4b768125ca03e402e1c871cc233
SHA256 d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b
SHA512 05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat

MD5 7784d810f5ff3afa8df50e360eb90e7d
SHA1 f04802a991ff6461aa1c35b7c0f68e43d5a114c6
SHA256 0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0
SHA512 80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

MD5 4a591f46c87b49a7de93f5ac771cd4ab
SHA1 e0992350818e5c56d3f2e3a6db340d1f5b8f3314
SHA256 b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd
SHA512 b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

memory/10760-64-0x0000000000950000-0x0000000000ABA000-memory.dmp

memory/10760-65-0x00000000012C0000-0x00000000012DC000-memory.dmp

memory/10760-68-0x0000000001260000-0x0000000001270000-memory.dmp

memory/10760-67-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/10760-70-0x0000000002B30000-0x0000000002B3E000-memory.dmp

memory/10760-71-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

memory/10760-69-0x0000000002B20000-0x0000000002B2E000-memory.dmp

memory/10760-66-0x0000000002C70000-0x0000000002CC0000-memory.dmp

memory/784-82-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Recovery\WindowsRE\ebf1f9fa8afd6d

MD5 e42c62a1204133ed5f38435bd8065e67
SHA1 e14365560e1d18c1d8366692650bd9920602e42f
SHA256 033e4e44ff6d1981ee05dd6a9a259f1e1e95fd90080d0c444208a9d77c3fe9d4
SHA512 ebd94019bca5ce802a1f45c07b1e939e79d049ff172a28f1842c9dfe5f54acf73e6d75f4986ee2ab8fe0a5127756f7e1117a629801fcea1368ec2b5470f224bc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NVIDIA Container.exe.log

MD5 dc165da52c9ab2920b0130ff15992d1b
SHA1 9adc2325af7c2a2c4142d9dfdd62becb948882b6
SHA256 03027449eb7537e6e3bd1b435dd699ad8ced7b036cac426f5e87a774bed3b540
SHA512 a6aa4e4e1570822888c25ae6d2ded984f216509a2f185aa0adecc611da40e40afd3a74c507d22793fa4fe4a7189cc9add4d24eaf13d264cd3aa85ed234a0eb5a

memory/164-155-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:33

Reported

2024-06-18 19:04

Platform

win10v2004-20240508-en

Max time kernel

1639s

Max time network

1648s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PornHub.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Windows\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Windows\\svchost.exe\" .." C:\Windows\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\PornHub.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Windows\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\svchost.exe N/A
Token: 33 N/A C:\Windows\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\svchost.exe
PID 5000 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\svchost.exe
PID 5000 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\System32\cmd.exe
PID 5000 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\PornHub.exe C:\Windows\System32\cmd.exe
PID 5056 wrote to memory of 4780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 5056 wrote to memory of 4780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PornHub.exe

"C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\PornHub.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/5000-0-0x00007FFE81175000-0x00007FFE81176000-memory.dmp

memory/5000-1-0x000000001BB10000-0x000000001BFDE000-memory.dmp

memory/5000-2-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

memory/5000-3-0x000000001C000000-0x000000001C058000-memory.dmp

memory/5000-4-0x000000001C110000-0x000000001C1B6000-memory.dmp

memory/5000-5-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

C:\Windows\svchost.exe

MD5 9b95850ba61105402a304d85c4b2fb63
SHA1 82b7de9e072659cb44c4dce2b8fef57ea2824b2f
SHA256 9d91cb90ecc7461de1fc59118a06ebc4adabe2d3e31c918b229a6f49e3c8c87b
SHA512 87828c6af036b083c0ca9bd4781b79a5be137e6a8b333b6aa81f44fba03568f743a327bf16c4b2995d42f4408f956a8846a7a2e2dd6d60ccf13418a7ff505f8c

memory/3528-15-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

memory/3528-16-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

memory/5000-17-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

memory/3528-21-0x000000001D400000-0x000000001D49C000-memory.dmp

memory/3528-22-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

memory/3528-23-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp

memory/3528-25-0x00007FFE80EC0000-0x00007FFE81861000-memory.dmp