wannacry | 996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e

Analysis

max time kernel
26s
max time network
27s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

heisenberg.exe
Size

37.3MB
MD5

02cb6d1971fb53861285f273d799ced3
SHA1

16946db5c16d768c0d76fab6761c65358863fc59
SHA256

996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e
SHA512

aed27298d6186bf556da9f0856df0e053e7df67f22e25989d57b741ef1edc6d26e12f44b2b6be13d2c6c1001e5df1266b307f136a1077cc79f733661cdc77c78
SSDEEP

786432:NisAB+Mi4XOBuW8TSHh6MbpTfK9Ua895WhqvEOTVxBwBirBVeUnKyI:NihL+8+B60WhqvE6fwBO+Uu

Score

10^/10

wannacry xworm bootkit defense_evasion discovery persistence ransomware rat trojan upx worm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

xihYVi6fTjrH6gfk

Attributes

Install_directory
%AppData%
install_file
Telegram.exe
pastebin_url
https://pastebin.com/raw/FdSMTxzR

aes.plain

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a128-518.dat	family_xworm

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 23 IoCs

pid	Process
2624	Antivirus.exe
2872	Antivirus2010.exe
2680	AntivirusPlatinum.exe
1216	AntivirusPro2017.exe
1716	BadRabbit.exe
480	CockroachOnDesktop.exe
2472	ChilledWindows.exe
772	302746537.exe
1152	ColorBug.exe
2968	Cool Spot Deskmate.EXE
492	Delete Windows.exe
2940	DeriaLock.exe
2548	usеrinit.exe
1032	DesktopPuzzle.exe
1268	FakeAdwCleaner.exe
2812	FreeYoutubeDownloader.exe
3144	Goose.exe
3272	HappyAntivirus.exe
3332	HMBlocker.exe
3428	Hydra.exe
3576	Melting.exe
3648	MEMZ.exe
3956	Penis_Cursor.exe

Loads dropped DLL 4 IoCs

pid	Process
2872	Antivirus2010.exe
292	heisenberg.exe
292	heisenberg.exe
292	heisenberg.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7512	icacls.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/772-227-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x0005000000019d03-225.dat	upx
behavioral1/memory/3332-361-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x0005000000019624-360.dat	upx
behavioral1/memory/3332-451-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2968-448-0x0000000000010000-0x0000000000113000-memory.dmp	upx
behavioral1/memory/772-446-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2968-239-0x0000000000010000-0x0000000000113000-memory.dmp	upx
behavioral1/files/0x0005000000019612-238.dat	upx
behavioral1/files/0x00050000000194d4-864.dat	upx
behavioral1/memory/7216-1918-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/7216-1919-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/7216-1920-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/7216-1922-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x000400000001da1f-1976.dat	upx
behavioral1/memory/10184-2018-0x0000000000490000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/10184-2014-0x0000000000490000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/10184-2017-0x0000000000490000-0x0000000000523000-memory.dmp	upx
behavioral1/files/0x000400000001da2d-2046.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AntivirusPro2017.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2808	2872	Antivirus2010.exe	137

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File created	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File created	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259431331	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File created	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	302746537.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntivirusPro2017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CockroachOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopPuzzle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HappyAntivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntivirusPlatinum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antivirus2010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cool Spot Deskmate.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019618-298.dat	nsis_installer_1
behavioral1/files/0x0005000000019618-298.dat	nsis_installer_2

Kills process with taskkill 2 IoCs

evasion

pid	Process
1992	taskkill.exe
12880	taskkill.exe

Modifies Control Panel 21 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\ActiveBorder = "182 69 121"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\AppWorkspace = "149 51 243"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\Scrollbar = "184 62 32"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\Window = "59 237 132"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\WindowText = "168 23 55"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\InactiveBorder = "24 37 215"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\GrayText = "214 88 203"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\ActiveTitle = "83 191 31"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\MenuText = "134 173 138"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\Hilight = "231 10 21"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\ButtonShadow = "177 78 76"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\ButtonText = "40 235 242"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\InactiveTitleText = "46 246 209"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\Background = "67 236 21"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\TitleText = "37 87 73"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\Menu = "187 132 184"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\WindowFrame = "193 234 194"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\HilightText = "126 185 39"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\ButtonFace = "184 108 62"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Colors\InactiveTitle = "166 123 132"	ColorBug.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}	Antivirus2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3"	Antivirus2010.exe
Key created	\registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}	Antivirus2010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3"	Antivirus2010.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
9344	schtasks.exe
9404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	usеrinit.exe
2548	usеrinit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	Antivirus2010.exe
Token: SeSecurityPrivilege	2872	Antivirus2010.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2548	usеrinit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
480	CockroachOnDesktop.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
480	CockroachOnDesktop.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
2624	Antivirus.exe
1380	mspaint.exe
1532	mspaint.exe
984	mspaint.exe
892	mspaint.exe
1516	mspaint.exe
336	mspaint.exe
1308	mspaint.exe
1988	mspaint.exe
2512	mspaint.exe
2060	mspaint.exe
1328	mspaint.exe
2300	mspaint.exe
596	mspaint.exe
3016	mspaint.exe
1544	mspaint.exe
876	mspaint.exe
2328	mspaint.exe
2460	mspaint.exe
2088	mspaint.exe
1504	mspaint.exe
872	mspaint.exe
1752	mspaint.exe
1484	mspaint.exe
1932	mspaint.exe
2184	mspaint.exe
1632	mspaint.exe
1556	mspaint.exe
2560	mspaint.exe
1580	mspaint.exe
2624	Antivirus.exe
2368	mspaint.exe
2388	mspaint.exe
2980	mspaint.exe
2864	mspaint.exe
2988	mspaint.exe
1244	mspaint.exe
1324	mspaint.exe
2884	mspaint.exe
2724	mspaint.exe
2340	mspaint.exe
2532	mspaint.exe
2468	mspaint.exe
2120	mspaint.exe
2904	mspaint.exe
2404	mspaint.exe
2240	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2624	292	heisenberg.exe	30
PID 292 wrote to memory of 2624	292	heisenberg.exe	30
PID 292 wrote to memory of 2624	292	heisenberg.exe	30
PID 292 wrote to memory of 2624	292	heisenberg.exe	30
PID 292 wrote to memory of 2872	292	heisenberg.exe	31
PID 292 wrote to memory of 2872	292	heisenberg.exe	31
PID 292 wrote to memory of 2872	292	heisenberg.exe	31
PID 292 wrote to memory of 2872	292	heisenberg.exe	31
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 2680	292	heisenberg.exe	32
PID 292 wrote to memory of 1216	292	heisenberg.exe	33
PID 292 wrote to memory of 1216	292	heisenberg.exe	33
PID 292 wrote to memory of 1216	292	heisenberg.exe	33
PID 292 wrote to memory of 1216	292	heisenberg.exe	33
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 1716	292	heisenberg.exe	34
PID 292 wrote to memory of 2760	292	heisenberg.exe	35
PID 292 wrote to memory of 2760	292	heisenberg.exe	35
PID 292 wrote to memory of 2760	292	heisenberg.exe	35
PID 292 wrote to memory of 1196	292	heisenberg.exe	36
PID 292 wrote to memory of 1196	292	heisenberg.exe	36
PID 292 wrote to memory of 1196	292	heisenberg.exe	36
PID 292 wrote to memory of 2472	292	heisenberg.exe	39
PID 292 wrote to memory of 2472	292	heisenberg.exe	39
PID 292 wrote to memory of 2472	292	heisenberg.exe	39
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 1716 wrote to memory of 1868	1716	BadRabbit.exe	41
PID 292 wrote to memory of 480	292	heisenberg.exe	42
PID 292 wrote to memory of 480	292	heisenberg.exe	42
PID 292 wrote to memory of 480	292	heisenberg.exe	42
PID 292 wrote to memory of 480	292	heisenberg.exe	42
PID 2760 wrote to memory of 892	2760	cmd.exe	43
PID 2760 wrote to memory of 892	2760	cmd.exe	43
PID 2760 wrote to memory of 892	2760	cmd.exe	43
PID 2760 wrote to memory of 2184	2760	cmd.exe	44
PID 2760 wrote to memory of 2184	2760	cmd.exe	44
PID 2760 wrote to memory of 2184	2760	cmd.exe	44
PID 2760 wrote to memory of 336	2760	cmd.exe	45
PID 2760 wrote to memory of 336	2760	cmd.exe	45
PID 2760 wrote to memory of 336	2760	cmd.exe	45
PID 2760 wrote to memory of 1484	2760	cmd.exe	46
PID 2760 wrote to memory of 1484	2760	cmd.exe	46
PID 2760 wrote to memory of 1484	2760	cmd.exe	46
PID 2760 wrote to memory of 1532	2760	cmd.exe	47
PID 2760 wrote to memory of 1532	2760	cmd.exe	47
PID 2760 wrote to memory of 1532	2760	cmd.exe	47
PID 2760 wrote to memory of 1932	2760	cmd.exe	49
PID 2760 wrote to memory of 1932	2760	cmd.exe	49
PID 2760 wrote to memory of 1932	2760	cmd.exe	49

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7920	attrib.exe
8408	attrib.exe

C:\Users\Admin\AppData\Local\Temp\heisenberg.exe
"C:\Users\Admin\AppData\Local\Temp\heisenberg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe
  "C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2808
- - \??\globalroot\systemroot\system32\usеrinit.exe
    /install
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\A093.tmp\302746537.bat" "
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\comctl32.ocx
        5⤵
        
        PID:11412
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\mscomctl.ocx
        5⤵
        
        PID:12460
- C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe
  "C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:6040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:7844
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1207764158 && exit"
      4⤵
      PID:7348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1207764158 && exit"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9344
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:54:00
      4⤵
      PID:7504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:54:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9404
  - - C:\Windows\B7F9.tmp
      "C:\Windows\B7F9.tmp" \\.\pipe\{FC290AB8-11C1-44FE-93BB-E2EB46840BA5}
      4⤵
      PID:7668
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2184
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:336
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1484
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1532
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1308
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:984
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1556
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1788
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1380
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1376
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1952
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:936
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1584
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1328
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1824
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2148
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2512
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2444
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1236
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2564
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:596
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2256
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2300
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1796
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1684
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1488
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:840
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:872
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2476
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1752
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2436
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:784
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2504
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1612
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2392
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2120
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2116
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2532
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2372
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2400
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1728
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1844
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1220
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2108
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2908
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2340
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2912
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1812
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2336
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2832
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2840
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2852
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2900
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2736
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1244
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2728
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2880
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2856
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2072
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2888
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2740
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1708
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1664
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1448
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2212
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2276
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2092
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2568
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1036
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2820
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2796
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1304
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2208
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1772
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2100
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1288
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2016
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:692
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1360
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2200
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3080
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3136
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3172
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3264
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3284
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3352
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3528
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3660
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3692
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3908
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4072
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3108
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3096
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3552
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2244
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1552
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3752
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2296
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4124
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4264
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4316
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4360
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4436
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4516
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4576
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4588
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4640
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4660
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4700
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4804
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4832
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4848
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4940
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5024
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3380
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4596
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4292
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3128
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5344
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5588
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5908
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6008
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6052
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5628
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5988
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6108
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6032
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6200
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6280
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6348
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6464
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6512
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6640
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6688
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6756
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6816
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6916
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6960
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7036
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7100
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2424
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6236
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6648
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6928
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6308
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5300
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7428
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7564
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7716
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7808
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7900
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7992
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8112
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:5492
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6988
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7312
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7436
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7492
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7828
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7924
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8008
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8128
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7880
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7788
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8188
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7424
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7200
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7596
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8248
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8328
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8556
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8816
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8912
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9168
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8424
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8548
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8868
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8928
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9088
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8648
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8784
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8528
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8964
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9004
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8792
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8688
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9196
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9164
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8628
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8716
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8668
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8836
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8948
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:8996
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9292
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9332
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9380
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9432
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9488
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9540
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9624
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9644
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9692
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9828
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9884
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9968
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10024
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10052
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10104
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10140
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10208
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10224
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9400
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9580
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9708
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9736
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9852
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10044
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10152
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9272
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9552
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10176
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9268
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10320
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10360
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10432
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10476
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10512
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10584
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10628
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10672
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10712
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10992
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11040
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11068
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11140
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11168
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11204
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10248
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10256
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10440
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10624
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11000
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10576
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:10736
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11060
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11320
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11360
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11436
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11484
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11584
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11640
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11700
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11720
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11776
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11788
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11832
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11892
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11924
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11964
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12028
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12072
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12132
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12164
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12212
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12244
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7660
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11428
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11468
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11712
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:11420
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12280
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9652
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12308
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12344
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12364
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12392
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12432
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12500
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12640
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12824
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12980
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13040
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13196
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13212
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13260
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:13284
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:3336
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12464
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12612
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12768
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12844
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12912
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12952
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:12752
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14712
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14720
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14832
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14840
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14848
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14856
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14876
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14888
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14900
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14912
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14920
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14928
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14936
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14944
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14956
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14964
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14972
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:14980
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
  2⤵
  PID:1196
- - C:\Windows\system32\taskkill.exe
    Taskkill /f /im svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe
  "C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe"
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe
  "C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:480
- C:\Users\Admin\AppData\Local\Temp\ColorBug.exe
  "C:\Users\Admin\AppData\Local\Temp\ColorBug.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Control Panel
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE
  "C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe"
  2⤵
  - Executes dropped EXE
  PID:492
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Delete Windows.bat" "
    3⤵
    PID:4172
- - C:\Users\Admin\AppData\Roaming\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram.exe"
    3⤵
    PID:3152
- C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe
  "C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe
  "C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe"
  2⤵
  - Executes dropped EXE
  PID:1268
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    PID:4924
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\forkbomb.bat" "
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat" "
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Goose.exe
  "C:\Users\Admin\AppData\Local\Temp\Goose.exe"
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe
  "C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3272
- C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe
  "C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe"
  2⤵
  - Executes dropped EXE
  PID:3332
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 6 /f
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    PID:9320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe\"" /f
    3⤵
    PID:11828
- C:\Users\Admin\AppData\Local\Temp\Hydra.exe
  "C:\Users\Admin\AppData\Local\Temp\Hydra.exe"
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\Melting.exe
  "C:\Users\Admin\AppData\Local\Temp\Melting.exe"
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nuclear[Clean].bat" "
  2⤵
  PID:3760
- C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe
  "C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe"
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\perda-null.bat" "
  2⤵
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\PizDeath.exe
  "C:\Users\Admin\AppData\Local\Temp\PizDeath.exe"
  2⤵
  PID:824
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat" "
    3⤵
    PID:5424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bruh.vbs"
    3⤵
    PID:6088
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSoD.bat" "
    3⤵
    PID:6160
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Debugger.bat" "
    3⤵
    PID:6268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\free.vbs"
    3⤵
    PID:6656
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat" "
    3⤵
    PID:6788
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KillPC.bat" "
    3⤵
    PID:6880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pord.vbs"
    3⤵
    PID:6148
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Porno DDOS.bat" "
    3⤵
    PID:6296
- - C:\Users\Admin\AppData\Local\Temp\scream.exe
    "C:\Users\Admin\AppData\Local\Temp\scream.exe"
    3⤵
    PID:6772
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Starter.bat" "
    3⤵
    PID:6716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
    3⤵
    PID:7584
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WinDel.bat" "
    3⤵
    PID:7932
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Porno DDOS.bat" "
  2⤵
  PID:3388
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank.vbs"
  2⤵
  PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank2.vbs"
  2⤵
  PID:1268
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank3.vbs"
  2⤵
  PID:6584
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prank4.vbs"
  2⤵
  PID:7028
- C:\Users\Admin\AppData\Local\Temp\scream.exe
  "C:\Users\Admin\AppData\Local\Temp\scream.exe"
  2⤵
  PID:7148
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\stopantivirus.bat" "
  2⤵
  PID:6380
- C:\Users\Admin\AppData\Local\Temp\Trololo.exe
  "C:\Users\Admin\AppData\Local\Temp\Trololo.exe"
  2⤵
  PID:6720
- C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe"
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe
  "C:\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe"
  2⤵
  PID:6996
- C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
  "C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
  2⤵
  PID:7216
- C:\Users\Admin\AppData\Local\Temp\Illerka.C.exe
  "C:\Users\Admin\AppData\Local\Temp\Illerka.C.exe"
  2⤵
  PID:7292
- C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe"
  2⤵
  PID:7404
- C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe
  "C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe"
  2⤵
  PID:7512
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    PID:7472
- C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe
  "C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe"
  2⤵
  PID:7676
- C:\Users\Admin\AppData\Local\Temp\2000.exe
  "C:\Users\Admin\AppData\Local\Temp\2000.exe"
  2⤵
  PID:7856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:11268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:12880
- C:\Users\Admin\AppData\Local\Temp\Ana.exe
  "C:\Users\Admin\AppData\Local\Temp\Ana.exe"
  2⤵
  PID:7972
- - C:\Users\Admin\AppData\Local\Temp\AV.EXE
    "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
    3⤵
    PID:8588
- - C:\Users\Admin\AppData\Local\Temp\AV2.EXE
    "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
    3⤵
    PID:9660
  - - C:\ProgramData\gF17766PfDdN17766\gF17766PfDdN17766.exe
      "C:\ProgramData\gF17766PfDdN17766\gF17766PfDdN17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
      4⤵
      PID:13016
- - C:\Users\Admin\AppData\Local\Temp\DB.EXE
    "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:10184
- - C:\Users\Admin\AppData\Local\Temp\EN.EXE
    "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
    3⤵
    PID:10752
- - C:\Users\Admin\AppData\Local\Temp\SB.EXE
    "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
    3⤵
    PID:12676
- C:\Users\Admin\AppData\Local\Temp\Xyeta.exe
  "C:\Users\Admin\AppData\Local\Temp\Xyeta.exe"
  2⤵
  PID:8096
- C:\Users\Admin\AppData\Local\Temp\WannaCrypt0r.exe
  "C:\Users\Admin\AppData\Local\Temp\WannaCrypt0r.exe"
  2⤵
  PID:8156
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:7920
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:7512
- - C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    3⤵
    PID:8344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 107911724582207.bat
    3⤵
    PID:8460
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:10196
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:8408
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] co
    3⤵
    PID:9584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:9616
  - - C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      4⤵
      PID:11188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:8232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gF17766PfDdN17766\gF17766PfDdN17766.exe

Filesize
368KB

MD5
425ef33734d4c24a28596644c15af2f9

SHA1
91f041c4bdf978413f8459d1b9f7d8a53669cf1f

SHA256
ae454d17ca20724d53abd2866f7cf697ffa62ceca8c4f56886e93d969b169539

SHA512
6be063e145cb608d4a507dd0c277bb2cf798fb55a9609d9bc8e9a5b3e0ad788998e4e99e67082260f6aa491cf6020753c1fea303c3c39699c4dc08f4e11268a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\107911724582207.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2000.exe

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A093.tmp\302746537.bat

Filesize
348B

MD5
7d8beb22dfcfacbbc2609f88a41c1458

SHA1
52ec2b10489736b963d39a9f84b66bafbf15685f

SHA256
4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2

SHA512
a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ana.exe

Filesize
2.1MB

MD5
f571faca510bffe809c76c1828d44523

SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

Filesize
2.0MB

MD5
c7e9746b1b039b8bd1106bca3038c38f

SHA1
cb93ac887876bafe39c5f9aa64970d5e747fb191

SHA256
b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

SHA512
cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus2010.exe

Filesize
775KB

MD5
f49bcb5336b1e1212ae82cbb98f8dfe4

SHA1
fc87518aee297f9c18e40f4604ea048aec0342c4

SHA256
1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e

SHA512
51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPlatinum.exe

Filesize
739KB

MD5
382430dd7eae8945921b7feab37ed36b

SHA1
c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

SHA256
70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

SHA512
26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntivirusPro2017.exe

Filesize
816KB

MD5
7dfbfba1e4e64a946cb096bfc937fbad

SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b

SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSoD.bat

Filesize
203B

MD5
d4fd438d7664f4b7c5ddf11eed8afbe9

SHA1
2a5333fdb56a613c166a4e86a72658034fdf2bf7

SHA256
be148e9514ad3de212d08038ddb0ab66d511a5b92a6f8344da723599b89f2ff0

SHA512
385b853feb8952e8e772ea916b05ff831c9c3c729a448305f0c1f58c1fcbafc0ae6fc271ae515309a2b4f90d1a50c0bde58089e1ad4191782a44345f57c154e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSoD.bat

Filesize
619B

MD5
33d57181f40924f8060f95673db9f96b

SHA1
cdf5c6d7bda238148b5f8cf56c9250153a4ca9aa

SHA256
018c2f47f1f4a9e4c29eb28fbfcae97a0836d78f6d8dc1100fe24e46d2b8be5e

SHA512
9288c1f4f968b82f0d887dfa942460011175c31a99176d5f8736d57d80b03095a69f15b22bbee5dffc192ecf423f3bfcf7f4aadbf185485358a1af269e679c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat

Filesize
25B

MD5
f8ad531e39f27a37cbafc6a30133847b

SHA1
4e3b089069e7632c55c298da2fb5faad2a1bba84

SHA256
60c255795ed5bebfa182fd18f0ef19f04c1f5d9317a40a9804bf6ab5e5edecfb

SHA512
6089d92049bf5fc010cefd9e7b5f68f1f1dbb1d3e38602c0400b99c23e1885c0dc8cd516b8ddbdf52c209810a7a6e0e9c06cb4f89a93f14f51120a8333c84505

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomba-PC.bat

Filesize
36B

MD5
6f20d6714d6ba01a4ad11b1c98114dae

SHA1
fe7d31d579149c84bb34eaf091133bcfcae04ccd

SHA256
387ec1e5800edfa53dca5903bfc777c0bc3d942cc35170ae4142326c8f84f3c6

SHA512
74045dcba9837073ff227018ff16e81d2d10fd83c5302b2b0f7fe1d9ce7a682196222e8773e94017208e9727ac50f0323e8ca564f9b17f5e245ba6b3f9c40492

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChilledWindows.exe

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\CockroachOnDesktop.exe

Filesize
3.2MB

MD5
7810ff23f876f29cfb57b5682b978947

SHA1
3752b2236412acca972f90c527a93b65a2f74072

SHA256
3a42fea56a20ecd96ce04e358460e6c0d1fd78c62fcc59e3e5d5373b50abcc67

SHA512
b37d02e913b94536f7b979c2a4ef3b420327bcef6b3f40b3f4c26d4d28316cd8ebf4f1ab11bd2430cf7c8469c20f0e312eb1972c92d79be874c4adfeb77cb00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorBug.exe

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cool Spot Deskmate.EXE

Filesize
1.6MB

MD5
3bd84863fc264eaef2829188ffce31eb

SHA1
a011d1a31afaac671c8ad7075966b30f4363b707

SHA256
bfa7d853f75e885f21fc0e8302d755713aeea8614df2a9b68af6399c2dd67376

SHA512
fdd9f9d2ff444afd252bef9b2502c354a8d359d2b7cd13dfc7ded3e800d6685ccf0ae3e0357c9657836b4fe2cfe071e54ef25efe501dff48ebc8da145c2ba7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\Debugger.bat

Filesize
46B

MD5
8b44df9ad47f705e98d2e7d42c39218f

SHA1
880af4982c6fda042b6cbc877a5e3dac0952aff8

SHA256
59dd544b001e577658e1922bc83379b1aac50c45ad872de318191212ed90d0b4

SHA512
b8a4f8d724ffadb6470d79f654dc7c7ed2b8c966ad92568ba65e96689b81fb8cd9f5bf95369e066afd8f04efc8aa4b6014cbac17595c7b090a345ac279469c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delete Windows.exe

Filesize
179KB

MD5
7bc3c76651c932ee205ba8ff08243c4d

SHA1
e36376e70a7f3b5c1597a60f3538e1f26e3247ca

SHA256
e398f3f90b23aa358f2786f0a15f3fac74ed3670433afc60ee733ada330beebc

SHA512
104d1516a12e8e6e107a8d71ee0ff955148a4d84914c998843af6effee55154022ed7f0cacb099abc1bccd9408e1eb08f2a146a5c5b7235d8b773023ab8f94a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\DesktopPuzzle.exe

Filesize
239KB

MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7

SHA1
f8940f280c81273b11a20d4bfb43715155f6e122

SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FakeAdwCleaner.exe

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FreeYoutubeDownloader.exe

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gay Porno DDOS.bat

Filesize
55B

MD5
0ae6a1db8099df5c5a9e1b126aaca8a4

SHA1
f55fab31e4d6002ca8ab6cc70ce3b6f716a2cc4a

SHA256
df8732ebb0adff5579342d5b26664c19edef633881cb694a7fdaa73ac3b61edb

SHA512
ca395ada6f03d4263ab28a4518de7c7234f45e6989772340e1942fc453b50f43e357dc43c408bcb6552a790e514f53873c9ac79a9f50cd9acbf4b205d8c6b73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMBlocker.exe

Filesize
48KB

MD5
21943d72b0f4c2b42f242ac2d3de784c

SHA1
c887b9d92c026a69217ca550568909609eec1c39

SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180

SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HappyAntivirus.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illerka.C.exe

Filesize
378KB

MD5
c718a1cbf0e13674714c66694be02421

SHA1
001d5370d3a7ee48db6caaecb1c213b5dfdf8e65

SHA256
cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f

SHA512
ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillPC.bat

Filesize
76B

MD5
d2c7470b97c084f048ded5ee66ba6f05

SHA1
13572206159225a9adad02056ec273687f4ea072

SHA256
a7234e1b5a3e6fac816e7c720647b4982319f17a14485adb9196c93fe3e5039a

SHA512
5ce4630a6e70e25386bd70e358eb6a532195e375683525516b5672016788543f1d7cdc0f4c770b2c54bf38d60964185d7eae114f1e32e25edad3ba17aa556c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nuclear[Clean].bat

Filesize
14KB

MD5
2b28e925a17bb1794633d1cd9fa0fb47

SHA1
f84740d20331d80ed2d78801dff919b1e022cfac

SHA256
24cd6f42328d475740432921d3bbe4ec934a5ba7dc223acfd6a006e7346e85dc

SHA512
9edfec9d3d359805512f2ecbe4f7e24f28fe9c12eabc18d7163ac3344d355faa9d6f00c87f41702af970e88bdae3bf078ed8922c453413b232d67fabc2147231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penis_Cursor.exe

Filesize
444KB

MD5
4ccc1c614f8d57fff412b5cc198ab5a8

SHA1
6c1af97d6089c3bcaee67fd492746d55b48e3934

SHA256
9f7085ff7cb2b814da16a02abe921dd42b3c6b992580c8f01e29d05750a0a488

SHA512
d503834c563177527698efc29b3bc762d99beb69e92182509115f0751da0ef3d13cfbaea96d71180fae5a8e08287abf2ed1b704f98dda6dd6042a653254f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\PizDeath.exe

Filesize
4.5MB

MD5
01b227aec8f15cfaa65f03494f2fa7eb

SHA1
8d5a6b80d0fec854ea7463fc19f01b629f429b57

SHA256
a15c2aeef67607aac6f960af5aa7285d35d67da06146af02308ba6cc280e4d32

SHA512
7209c7779b47034aa1c2dfa1f9816fe957a6ca15e80f760f0a232f7c8987e37ea28763ce2f6b4dcc8ff66cf85206733f543e4b305c6b97718f0fefc686f1b870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porno DDOS.bat

Filesize
130B

MD5
245a8ef029b610e7bb3f3a03ac50b263

SHA1
ed2c5ec2d13134747d24b2d41178751395e04dc5

SHA256
4968842207f0efe0cdc83a2ee14c5d1742b446b57769a83701fb100dcd666e70

SHA512
268718222cf4e2b02a2dd715bc49f747f2e4b32f8a0c9b5ff7211c97a85d72300e8f0b5a42114ed137ac0749cf008662f4b6694c70c536950f35e707f52b55ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prank3.vbs

Filesize
42B

MD5
b7d4e96408d1c870570bc7c4a35387dc

SHA1
2f2508b906801265d2d3acbecc899570fe4b791d

SHA256
a50e401e8059fe456a0fb975f88258c8ebd2b73905657300808bb5bcee3ec782

SHA512
d52f7a1278aa7579ddc3fbdf63cbeab1aace7e067233209ae9ef961d78b7bfee29611d4fe2135d2c7813163a04ac4aa4455445bc2cad95867eb3e906dfb0eb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.bat

Filesize
82B

MD5
2e0ea34f8d42f5590d4cf7d49b2fcc93

SHA1
89a37385646eb86f7c283639d8f7f0556fe068c5

SHA256
aa4aae99cca7579c7fa122e4679cc0d4588283fa734c86cdf3efa1ba24d3762a

SHA512
8e14081536388b93a5671d6d80452dd45916c696814cb77f866275be644a4581e84c5d1f9d74206746c75f205f8fe227061358394c05ed53ac43861d7b2f7da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trololo.exe

Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WannaCrypt0r.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows-KB2670838.msu.exe

Filesize
728KB

MD5
6e49c75f701aa059fa6ed5859650b910

SHA1
ccb7898c509c3a1de96d2010d638f6a719f6f400

SHA256
f91f02fd27ada64f36f6df59a611fef106ff7734833dea825d0612e73bdfb621

SHA512
ccd1b581a29de52d2313a97eb3c3b32b223dba1e7a49c83f7774b374bc2d16b13fba9566de6762883f3b64ed8e80327b454e5d32392af2a032c22653fed0fff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xyeta.exe

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bruh.vbs

Filesize
56B

MD5
507a5522c34525db4c7f491ae8108239

SHA1
be65986007e4244c877aef236ece167b94f74cb6

SHA256
3427ceed0ca73c5492ae67691f611caa5b08a89bd29ee067ad7c22aaaae1a0ac

SHA512
60239d296437909ba6f8cc40c078bb9af51487af5032eb7f631c5e6c96849244bb8aa93696cc1f16b1e5ba7aa6d441cea47eb49801a987c08e89f2bfacd6ab9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\forkbomb.bat

Filesize
21B

MD5
334099ce7dc622990a731c58185925df

SHA1
f08cff36eae14c289139fa3a3262161fc49e5a24

SHA256
003fde2362d22b41985c2e15be44ddd0ac3f5272fbea6924ec2256499c11859d

SHA512
13f893e2d37201ed7dcd13586dcfdde9001fe02356f4dc33a5a2e0071f96d87bc8d8d13ebcc515c7dfe7b449db313d1330cf5d959ea8e3d09a3df4a4644dc1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\perda-null.bat

Filesize
49B

MD5
05916dda674fd521bb695c6b7063854b

SHA1
d13ca5276b341dcb94ee2a35ef7c5e7672af31ec

SHA256
476aa25bb54fc70cd2da3d786153c106c7241ac85eb071a01c22728b63171b16

SHA512
5eb4c272b96ad04fba05954d9a618510c2917440bf727b73663293a48c4ca969db3c0cf7303460dfe5476e7c63d67eaa004819e7cfe52274445bbe6afe3bef86

Download Submit
C:\Users\Admin\AppData\Local\Temp\pord.vbs

Filesize
58B

MD5
d543dbb26e4f1a0b5c0170d7bed43f1a

SHA1
69733ccba7d6443df90b047d0f195b6aecf4a80f

SHA256
b3db3b6d326f1c98b5ea1c8f7bbaa4f65163f6167478348382b8fa272e72326e

SHA512
2b0664e57035d20d867d642c4ed8f2ac8ce347dab73303ffe8d38728ecf06bcd3eb2cbb5d736ca9f2e9ef435237757fff52168a120dc5325b6ea92efa40907f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scream.exe

Filesize
4.5MB

MD5
ee4566a61663f1a2c25b3af887a364c9

SHA1
f4ce1413a74ed2392949de06197dd7530dc8d551

SHA256
5bc63dd48046ce906ca6f08a60919f48e7d1814690f0e1ffb2654334d119dc7e

SHA512
93f59012bb643646edfdf03ba53dd7eea3e808f4b563efc849e0c863e60402d9a4ac417c0791dd9906c4582c42cddcf4a9c16e01db094f0b1a789b1a359af756

Download Submit
C:\Users\Admin\AppData\Local\Temp\stopantivirus.bat

Filesize
803B

MD5
31f028e35c7558a1ec0ea3a32227db45

SHA1
a91d586155b3bb93536c329ca68a697584b030b4

SHA256
68feb2c42355f24b14b0a93f927c4a830202d2511923d7253eaa590b8d6a4c01

SHA512
c89c6dc35f09940414ea5ae034380f731e0559794a26a73c83e8b063891aa415c9f0966f0acfd67842deaf89b7be761e65a612954c743e0add03ee9bec8f3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
60B

MD5
ae6ccac3fb001bbee932d56094f4f1db

SHA1
712bc731f35dca6d24885304a8efcf39ed92ebd4

SHA256
cb6ec854e7800bc56dbfff53a5f79993072ea7d15689d41d3ccd6077817d5210

SHA512
144898ec2e1587ceb9fa4398f53efc912254fb90ad12ff753ed5d24862c943173083e70929d84aabd01576109f852513444eac20823c6ba469ce8487b8472e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Delete Windows.bat

Filesize
34B

MD5
092a87f032a0b0940af78f9f920e409a

SHA1
388a02a3384d325ac369036850c5a6a00a0d48bf

SHA256
dadba73ba4c42ae35d8bb86eb16e026e113d37bd5c679b9931b2e81ff928d91f

SHA512
5a074599f9058987d1d1385ab75a3b96b5fbc1d39d93e5676427c7f8d612431c8a2e44904e4ff30099621520797889bc5296a6b95c71091a61002ffbd295e51c

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram.exe

Filesize
79KB

MD5
3805abbd3aea5d94acaf1ed10e5e23e9

SHA1
776abdffe0d8c34c25085f541b16249bdbc08ce8

SHA256
b39e41e32b18e5ad96b2a50cd72a5eaffde73e2a75c21bc70beddb28176495e3

SHA512
0a5b0feac05ff58f2baf1f0c3ac5884645af7b8c5f71ea1cf276194ff6bec034d8ef61de088b6574bc3453ac53a3fb83410b74a13865372fcdcdc8170c40e040

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Public\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Windows\302746537.exe

Filesize
22KB

MD5
8703ff2e53c6fd3bc91294ef9204baca

SHA1
3dbb8f7f5dfe6b235486ab867a2844b1c2143733

SHA256
3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

SHA512
d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

Download Submit
C:\Windows\System32\usеrinit.exe

Filesize
139KB

MD5
4acd14244d2cd76d06939163127cfb10

SHA1
75f3e3c764f7d20c9950f5410f753f3210bcc2e7

SHA256
29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb

SHA512
001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
\Users\Admin\AppData\Local\Temp\Goose.exe

Filesize
4.5MB

MD5
5f81ece0c9e38a0e748c5080f49d57b5

SHA1
59aeffa0b1c588a37e6f52a1df2832b06e34cc06

SHA256
fc55fab5d5c56d8a5701b3cf7c024501ea902d3145e0f1cedaf4c0de5e0ff9f9

SHA512
a85093aaa49fe984bbb19e3f7dc439457814284f9fb120be0eec6817397439508ae3a0b5ab00145f2b36a5b0692554558927407d5672d20f484fff04f2e74529

Download Submit
\Users\Admin\AppData\Local\Temp\You_Are_An_Idiot.exe

Filesize
597KB

MD5
0cfeb0915edbdf1a298794c1669ec632

SHA1
fce0832eebe9465f2e6f0a2ef903013db21392c4

SHA256
e90065ab6f60a1a49ea185538d6e32a6269574c96851fcb8a001a7c8a23f3084

SHA512
17230fd8f1946c1e759e941f192142cf8772e8937bd9a0f13a9d7e03f8347348a9b3fc541d9ba1040c1a6d6100e34e076083600404cc8cf1b17c6385f1093f60

Download Submit
\systemroot\system32\msiavjyv.dll

Filesize
718KB

MD5
7943d251821ca441924f0d64946e8a3d

SHA1
cace099a490410260802ee143f7c7e3543f2f4cf

SHA256
be8dbcb59c3181ec518a6934931efc725a128310956fd076f0f0bd537b96a9eb

SHA512
0d4c9f021e07e2a27f3e7f46be591f01ec4c04fce98d9c177697ea4518d0c8d80105d73a29deff925cf28fce89a4fe40e790ef0086748dc169b1a8190e6d40f9

Download Submit
memory/336-444-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/480-971-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/480-2117-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/492-474-0x0000000000F90000-0x0000000000FC2000-memory.dmp

Filesize
200KB

Download
memory/596-466-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/772-446-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/772-227-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/784-563-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/824-514-0x0000000000F20000-0x00000000013AE000-memory.dmp

Filesize
4.6MB

Download
memory/872-411-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/876-416-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/892-450-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/936-552-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/984-449-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1152-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1216-970-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1216-192-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/1220-525-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1236-547-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1244-482-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1308-443-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1324-483-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1328-464-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1376-553-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1380-452-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1484-470-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1488-564-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1504-415-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1516-445-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1532-442-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1544-468-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1556-477-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1580-478-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1584-551-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1612-558-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1632-472-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1664-542-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1728-516-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1752-413-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1788-523-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1796-561-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1812-528-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1824-550-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1844-566-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1868-532-0x0000000000820000-0x0000000000888000-memory.dmp

Filesize
416KB

Download
memory/1868-540-0x0000000000820000-0x0000000000888000-memory.dmp

Filesize
416KB

Download
memory/1868-813-0x0000000000820000-0x0000000000888000-memory.dmp

Filesize
416KB

Download
memory/1932-469-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1952-555-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/1988-447-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2060-462-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2072-519-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2088-412-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2108-565-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2116-556-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2120-495-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2148-560-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2184-471-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2212-531-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2240-511-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2256-567-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2300-463-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2328-410-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2336-522-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2340-494-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2368-479-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2372-559-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2388-480-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2392-546-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2404-510-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2460-414-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2468-497-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2472-308-0x00000000001C0000-0x0000000000624000-memory.dmp

Filesize
4.4MB

Download
memory/2504-562-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2512-465-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2532-496-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2560-476-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2564-557-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2680-211-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2680-215-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/2724-487-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2728-545-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2736-543-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2796-568-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2832-524-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2840-526-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2852-527-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2856-549-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2864-484-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2872-299-0x0000000000400000-0x00000000004C4400-memory.dmp

Filesize
785KB

Download
memory/2880-554-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2884-486-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2888-548-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2900-521-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2904-509-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2940-501-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/2968-239-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/2968-448-0x0000000000010000-0x0000000000113000-memory.dmp

Filesize
1.0MB

Download
memory/2980-481-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/2988-485-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/3016-467-0x000007FEF6350000-0x000007FEF639C000-memory.dmp

Filesize
304KB

Download
memory/3272-502-0x0000000001020000-0x0000000001212000-memory.dmp

Filesize
1.9MB

Download
memory/3332-426-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3332-361-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3332-451-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3332-425-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3332-427-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3428-475-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/7216-1918-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/7216-1919-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/7216-1922-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/7216-1920-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/8156-951-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/9660-2136-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/10184-2014-0x0000000000490000-0x0000000000523000-memory.dmp

Filesize
588KB

Download
memory/10184-2017-0x0000000000490000-0x0000000000523000-memory.dmp

Filesize
588KB

Download
memory/10184-2018-0x0000000000490000-0x0000000000523000-memory.dmp

Filesize
588KB

Download