asyncrat | 67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03

Resubmissions

09/09/2024, 23:39

240909-3nkmdswdqm 10

09/09/2024, 23:31

09/09/2024, 23:11

09/09/2024, 22:25

09/09/2024, 22:07

09/09/2024, 21:53

09/09/2024, 21:44

Analysis

max time kernel
159s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/09/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

クラック.zip
Size

13.4MB
MD5

6c5fc1a3ba386a83c87700f54d62a96f
SHA1

a05f08de3e4f218ad2567a2695d0ca500fb48ecf
SHA256

67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03
SHA512

0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098
SSDEEP

393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

puked

147.185.221.20:47570

Mutex

20006afb0ec33f2e48c8c1f17d4d3382

Attributes

reg_key
20006afb0ec33f2e48c8c1f17d4d3382
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

чучундра

hakim32.ddns.net:2000

safety-bronze.gl.at.ply.gg:4444

Mutex

27b92504703b09d3ee2dae0873e8e3f3

Attributes

reg_key
27b92504703b09d3ee2dae0873e8e3f3
splitter
|'|'|

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-6179872-1886041298-1573312864-1000\FCIADH-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FCIADH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/246b1105b596b7c2 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAEOH9JOtPcggPewpIOqok1VjKUkjb20nivrXT7nV93VDBa2sWfYiCvsU9efaOnb+mmr+a7Ez4jsD7h86dHzuKbmx/iuGtBLJxOVWLYv1zZd18rNQmWKCSs+iX5yzRbNttDd6yRlwWNlpOK8CQFpjiO5DC1FneZqHxG6GpVLWRGENEuw64UieBzkfuEHgdwBja0EKcUKboxipdqI4Mn0YojV3XDx70HU4UawkfT0EMeJJVu08Ve0R0I1Ln+1RXdZ0SVTEPIkH2duPoYYYv2VemerxTRBADn3mZo3P9SiOOK8/j3HOP6mnd/mli7hWbMCHSvmyZNfDyXGdEuSajumm3hV06y62dY24kbaNElct/U9AeEpMOZY/dSKXXztdide60nGNQiCXA4ilvFOrie5l/u+rKqFNQ57qaHasbhLUrHKRbEkLhEaq76LDXBHsfs2rlUJqNfve97lhu1GswB+1I/KOXPoCRwwowCOwXvSxU4dhhsBmP+MUY9J0RYeWYOElxFe8vl4OsFq32Rh6Btu3TFVw6HnXK+rmWpd6tNtzQTUWtOi3zWQafStNe06VC7QZ2xbEM/NY2LvFl5eNJjGC6lYu9gH94GH7X2EJ0o2KEcz23Og0b1rAVTqKkKPgNWYyG8D4Snqqdcf8FptFKQGJ0hTmTva9+zK9fYbXIQu5xXQs0pv6y9Q0oK0xEYAh5/1wtMH7eJUvptNh9Sk3EpMv1esOnDDIrDGjO28njzNrUKOpU+BE0gBjz62QiL3TV73g45NxFFMEaZ0I+wJjj5OhAOsuNehKChm+n8VBx4xKn/S2tGtbHPCCYDlQO76FVly2HzTbNnu6C0NLwpOHmxDnyj0LScbD1zAC/sDAe5K8cS3Idmo+SSb/UaSEJlCVxhFf1HFWMQo5A0cm2bCNWY7eRnqo2bcaYD9EVO2c0MyEvBqA4SK7/a33tPbPAGasDB21CWtsirLJnmacj+aXIehBcGi+8rK+Z71UUcMZI9HGBXik42t7gnRIrHZyaj/pKZifqLL20zZQ0h1XJrqiTvqg0VDWiskVEAE28tCDe+/YQXHNREaxXk7DnH037Y+k+4z0VspO1YooRsPrTYcvn0A2daQzkoU2y8fZa+qOgPAjiN4h8KZRsFQ44nB0G3sgglTjTXI3y3SKJwipiV9u9D+un9I2gG1UL+1buhe6qmlpF6WhAaVLTjVE/BF9Xu8EW5BiinojaeueyB/Hq2tKjQ5dB3r7jDGpJclJc+4OisE6PHQzUYztDmbsG+uSWIWbaeuzdd9+cAs6unp7mbcNJQkqDa26jVjTgmhJK3hQ3ZWVYDJ79h7+wFkZuPHz8njboC+DSGnyKQD2KOCDXIjf3JVEOYMzMhZzdSXFuHfAQ7GkRuYC7ogEYtNoYdUZT/4PIdSykXtiSofZtHe/vjscvDAy+e3sHzjEzUuZ6QNNNlz1CvpkcedLaYB3HiWLYNNKdGRBSapWKPbfMGxE1xCc2p1pvhjV/qbuDolr6mmxfTx5M1wlsAjwZcXZfFU661Mt8EmEGZn+m0F4CHPfTeesO2rui1Jb65UidZ55zSv1daUco6e2iljk48egG61ePdDinPpZ1AtkhkR7tuIPq0yILc1kbUIlPo2MFyi4peiNk+c4sqpeM0X6lL0FYbK7NTnlHE9smP1sQxM9MUdxf2gNCAd3iJtFzbEqtZ2n9IVBWknyYRB6yIpc2d4WsXUaqv05w2lOP5DkxHZ9PyndoomOBiBX0jI8LfQyAY4cbLEHF2qYVl6e6gXt2RpOovzA/n5829o+5gcGRS3ewWDLDAtxLWjiUzBNiAtq5ovrYd+S4QLsrhpA+q0kEnav0a6omVXnPGlJDKMmTlV6HJpDOu6G2VI49AEvJbuCTgZ7rOTt+/Lv9mEGhlS0WV+pTMP3e1KFod+JtMRcEv8ndgZobdwAAWxWccGUuk5FPus6KnhYa8gwibn/W5kODT50vOXNkpvdNRAFiVGHQsJaoK8yNXqHbJD/BupEj5Te5U45rps1FRDmTS4t01fYRuKvvrYx28Uzbcy5NLFw9MSD8ySq/3Lgm8nBx5Bot7tBwATJ4pXthC2ohfbQhCJ6t05sHzGYd2ITFJzaxEX1OsHq2T+8Qod/peO/jUEz8PZOfgyrxTP4A/+GewH0VNYXLau/q4nRhSCBHYoyr/kgrErtAuzNZhExfipb71Kw6C5b18fvlywYE6IgqvIFbO4jg3WF99yGK97ewDAyQf1slVw= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZeToNRs3YV7nRWs7fbTHOHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4uKg/2A2Q+snGtpYbFqGBnXtqBHfEd8b8ycV4oq4Oab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDhFM3vPLM+at1wMZNHQWRlGKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/246b1105b596b7c2

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6084	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5524	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6252	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6488	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6156	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6772	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7160	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7588	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7992	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7712	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7692	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9100	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7372	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8728	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7928	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8216	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7304	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8800	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8940	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9032	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9144	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7228	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7336	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5860	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8680	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8708	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6440	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7188	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8056	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8824	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8892	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8256	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8188	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8012	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7904	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7748	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8004	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6864	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6848	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6496	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6908	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8324	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8316	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7516	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7320	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6952	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6444	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7068	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6956	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6800	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6772	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6724	1252	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6464	1252	schtasks.exe	109

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0004000000024f4f-565.dat	family_stormkitty
behavioral2/memory/3448-597-0x00000000008A0000-0x00000000008D2000-memory.dmp	family_stormkitty

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0004000000024f4f-565.dat	family_asyncrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0004000000024f4b-554.dat	dcrat
behavioral2/memory/3632-588-0x0000000000B60000-0x0000000000C36000-memory.dmp	dcrat
behavioral2/files/0x0002000000025c61-634.dat	dcrat
behavioral2/memory/352-645-0x00000000001C0000-0x0000000000296000-memory.dmp	dcrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/9136-3373-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/2008-3558-0x00000000010E0000-0x000000000110B000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
8144	powershell.exe
8344	powershell.exe
8020	powershell.exe
3152	powershell.exe
6484	powershell.exe
7976	powershell.exe
9188	powershell.exe
7372	powershell.exe
8712	powershell.exe
5032	powershell.exe
6212	powershell.exe
3660	Powershell.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
9000	netsh.exe
5572	netsh.exe
5820	netsh.exe
9100	netsh.exe
3528	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
4424	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
3632	5e710462c65fe899466e4fb7c1e33c9a.exe
3448	7f1630df6b57af024a3b561bdadc208f.exe
4716	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
840	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
1028	57ccb6f0bd910fed428761828ae93553.exe
3688	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
352	73c1c41b9e71c48e752a5cd19fe808b6.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000025c98-675.dat	upx
behavioral2/memory/1436-691-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-2176-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-1053-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-1014-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-2529-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-2683-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-3233-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-3551-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-3763-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-3924-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral2/memory/1436-4125-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0002000000025ca2-760.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
213	discord.com
214	discord.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe	クラック.exe
File created	C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	クラック.exe
File created	C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe	クラック.exe
File created	C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe	クラック.exe
File created	C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe	クラック.exe
File created	C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	クラック.exe
File created	C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe	クラック.exe
File created	C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe	クラック.exe
File created	C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe	クラック.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7104	6828	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	クラック.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f1630df6b57af024a3b561bdadc208f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
9988	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
9396	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2008	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
9020	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "11"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
9988	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7588	schtasks.exe
7304	schtasks.exe
8708	schtasks.exe
7732	schtasks.exe
7372	schtasks.exe
8188	schtasks.exe
8860	schtasks.exe
4176	schtasks.exe
6008	schtasks.exe
6180	schtasks.exe
5780	schtasks.exe
5308	schtasks.exe
7692	schtasks.exe
7928	schtasks.exe
6496	schtasks.exe
8344	schtasks.exe
7192	schtasks.exe
8312	schtasks.exe
7992	schtasks.exe
8360	schtasks.exe
4440	schtasks.exe
5584	schtasks.exe
9584	schtasks.exe
9740	schtasks.exe
3640	schtasks.exe
9032	schtasks.exe
5964	schtasks.exe
9596	schtasks.exe
5724	schtasks.exe
4496	schtasks.exe
7228	schtasks.exe
8004	schtasks.exe
6076	schtasks.exe
9160	schtasks.exe
6772	schtasks.exe
1048	schtasks.exe
6464	schtasks.exe
7628	schtasks.exe
7516	schtasks.exe
7336	schtasks.exe
10200	schtasks.exe
1088	schtasks.exe
8216	schtasks.exe
8056	schtasks.exe
6024	schtasks.exe
6444	schtasks.exe
8864	schtasks.exe
6800	schtasks.exe
7752	schtasks.exe
6008	schtasks.exe
8372	schtasks.exe
8824	schtasks.exe
5292	schtasks.exe
7692	schtasks.exe
9144	schtasks.exe
8316	schtasks.exe
7300	schtasks.exe
4716	schtasks.exe
7336	schtasks.exe
8892	schtasks.exe
8256	schtasks.exe
8220	schtasks.exe
3532	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3632	5e710462c65fe899466e4fb7c1e33c9a.exe
3632	5e710462c65fe899466e4fb7c1e33c9a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4352	firefox.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	3632	5e710462c65fe899466e4fb7c1e33c9a.exe
Token: SeDebugPrivilege	3448	7f1630df6b57af024a3b561bdadc208f.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 3844 wrote to memory of 4352	3844	firefox.exe	86
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 588	4352	firefox.exe	87
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88
PID 4352 wrote to memory of 2216	4352	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\クラック.zip
1⤵
PID:3632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5047453b-a1e9-452c-ba76-5e493027ef81} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" gpu
    3⤵
    PID:588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8333f6c7-250e-4287-b309-c0ced8624632} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" socket
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1444 -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2932 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aff4c20d-537e-4869-88ce-f2d446648949} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2800 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a4da4cd-e499-4573-9409-eeb6a35c62c6} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4500 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4504 -prefMapHandle 4496 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40d13b16-578b-4aad-9940-2be90607fd1a} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" utility
    3⤵
    - Checks processor information in registry
    PID:3508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5336 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29bcae41-584c-475c-a85f-fd67a761b994} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5516 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d481f3e-4024-4036-ac0d-d1602a6ce581} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:2200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5772 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ccc66e1-9ad8-4d04-9766-f1588748df2a} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:2400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -childID 6 -isForBrowser -prefsHandle 3384 -prefMapHandle 5540 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58ac9916-ed3d-407e-94f7-6e71f6c73e7c} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:1708
- - C:\Program Files (x86)\クラック.exe
    "C:\Program Files (x86)\クラック.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4440
  - - C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
      "C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4424
  - - C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe
      "C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3632
    - - C:\Users\Default User\firefox.exe
        
        "C:\Users\Default User\firefox.exe"
        5⤵
        
        PID:7140
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1qimlHqHJk.bat"
        6⤵
        
        PID:7848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2212
        
        C:\Users\Default\My Documents\RuntimeBroker.exe
        
        "C:\Users\Default\My Documents\RuntimeBroker.exe"
        7⤵
        
        PID:10184
  - - C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe
      "C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
      "C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        
        PID:7860
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:9000
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM Exsample.exe
        6⤵
        Kills process with taskkill
        
        PID:9020
  - - C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
      "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:840
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:5820
  - - C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe
      "C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe"
      4⤵
      Executes dropped EXE
      PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\5e710462c65fe899466e4fb7c1e33c9a.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\firefox.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\BTZ.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3v1kC77S8R.bat"
        5⤵
        
        PID:3456
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7640
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:9336
      - C:\Recovery\WindowsRE\firefox.exe
        
        "C:\Recovery\WindowsRE\firefox.exe"
        6⤵
        
        PID:9788
  - - C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
      "C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3688
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3660
  - - C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
      "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
      4⤵
      Executes dropped EXE
      PID:352
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iwyaxIqrZ7.bat"
        5⤵
        
        PID:8376
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:8772
      - C:\Windows\INF\explorer.exe
        
        "C:\Windows\INF\explorer.exe"
        6⤵
        
        PID:6088
  - - C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
      "C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe"
      4⤵
      PID:2108
  - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
      "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
      4⤵
      PID:2168
    - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
        
        "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
        5⤵
        
        PID:8336
  - - C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe
      "C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe"
      4⤵
      PID:3368
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:4592
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:5576
  - - C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
      "C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
      4⤵
      PID:1436
  - - C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe
      "C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
      4⤵
      PID:5140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\firefox.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\25pDDin2sd.bat"
        5⤵
        
        PID:8916
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:8068
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9988
      - C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe"
        6⤵
        
        PID:9160
  - - C:\Program Files (x86)\BTZ.exe
      "C:\Program Files (x86)\BTZ.exe"
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Cat.exe
      "C:\Program Files (x86)\Cat.exe"
      4⤵
      PID:5412
  - - C:\Program Files (x86)\Client.exe
      "C:\Program Files (x86)\Client.exe"
      4⤵
      PID:5608
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
        5⤵
        
        PID:8024
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8372
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:352
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8360
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
        5⤵
        
        PID:9184
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8860
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:3020
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7192
  - - C:\Program Files (x86)\Darkest Dungeon setub.exe
      "C:\Program Files (x86)\Darkest Dungeon setub.exe"
      4⤵
      PID:5764
    - - C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        5⤵
        
        PID:8044
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:9100
  - - C:\Program Files (x86)\evil.exe
      "C:\Program Files (x86)\evil.exe"
      4⤵
      PID:5932
    - - C:\Users\Admin\AppData\Local\Temp\evil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\evil.exe"
        5⤵
        
        PID:7340
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\evil.exe" "evil.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:5572
  - - C:\Program Files (x86)\fwclt.exe
      "C:\Program Files (x86)\fwclt.exe"
      4⤵
      PID:6024
  - - C:\Program Files (x86)\Gandcrab5.0.3.exe
      "C:\Program Files (x86)\Gandcrab5.0.3.exe"
      4⤵
      PID:4072
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\System32\wermgr.exe"
        5⤵
        
        PID:6076
      - C:\Windows\SysWOW64\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        6⤵
        
        PID:9084
  - - C:\Program Files (x86)\Happy18.exe
      "C:\Program Files (x86)\Happy18.exe"
      4⤵
      PID:5656
  - - C:\Program Files (x86)\kosomk.exe
      "C:\Program Files (x86)\kosomk.exe"
      4⤵
      PID:6044
    - - C:\Users\Admin\AppData\Roaming\dicsord.exe
        
        "C:\Users\Admin\AppData\Roaming\dicsord.exe"
        5⤵
        
        PID:2488
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dicsord.exe" "dicsord.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3528
  - - C:\Program Files (x86)\LightNeuronX0.exe
      "C:\Program Files (x86)\LightNeuronX0.exe"
      4⤵
      PID:5816
  - - C:\Program Files (x86)\malecus.exe
      "C:\Program Files (x86)\malecus.exe"
      4⤵
      PID:3980
  - - C:\Program Files (x86)\see7.exe
      "C:\Program Files (x86)\see7.exe"
      4⤵
      PID:5616
    - - C:\Program Files (x86)\see7.exe
        
        "C:\Program Files (x86)\see7.exe"
        5⤵
        
        PID:9136
      - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\SysWOW64\ipconfig.exe"
        6⤵
        Gathers network information
        
        PID:2008
  - - C:\Program Files (x86)\TEST.exe
      "C:\Program Files (x86)\TEST.exe"
      4⤵
      PID:5164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3DE.tmp.bat""
        5⤵
        
        PID:996
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:9396
      - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
        
        "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
        6⤵
        
        PID:9660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\touhou virus.bat" "
      4⤵
      PID:6240
    - - C:\Windows\SysWOW64\net.exe
        
        net user Shanghai /add
        5⤵
        
        PID:6312
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Shanghai /add
        6⤵
        
        PID:7300
    - - C:\Windows\SysWOW64\net.exe
        
        net user Bad Apple /add
        5⤵
        
        PID:8268
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Bad Apple /add
        6⤵
        
        PID:7768
    - - C:\Windows\SysWOW64\net.exe
        
        net user Marisa
        5⤵
        
        PID:8776
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Marisa
        6⤵
        
        PID:7592
    - - C:\Windows\SysWOW64\net.exe
        
        net user Reimu /add
        5⤵
        
        PID:6620
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Reimu /add
        6⤵
        
        PID:6484
    - - C:\Windows\SysWOW64\mountvol.exe
        
        mountvol X:\ /d
        5⤵
        
        PID:7884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
        5⤵
        
        PID:7504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:5780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
        5⤵
        
        PID:9904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:9588
    - - C:\Windows\SysWOW64\diskpart.exe
        
        diskpart
        5⤵
        
        PID:10000
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer
        5⤵
        
        PID:7720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=ZaFd5xdunKI
        5⤵
        
        PID:9316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:7144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:9368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=YB0NwvJY39o
        5⤵
        
        PID:3132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:8792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,917719508321712276,4225907053860732161,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:8848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,917719508321712276,4225907053860732161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer
        5⤵
        
        PID:9764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=R8-geAYZtX0
        5⤵
        
        PID:6700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:6352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9956468799116093403,18206861508522514569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
        6⤵
        
        PID:6116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=EQqgmlXLhF4
        5⤵
        
        PID:8180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:9564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,618557946199706923,17803566532720143540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
        6⤵
        
        PID:10100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
        5⤵
        
        PID:9488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
        6⤵
        
        PID:9756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
        5⤵
        
        PID:7684
  - - C:\Program Files (x86)\vbc.exe
      "C:\Program Files (x86)\vbc.exe"
      4⤵
      PID:6520
    - - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        5⤵
        
        PID:6828
      - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        6⤵
        
        PID:6936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 600
        6⤵
        Program crash
        
        PID:7104
  - - C:\Program Files (x86)\virus.jk.exe
      "C:\Program Files (x86)\virus.jk.exe"
      4⤵
      PID:6760
    - - C:\Program Files (x86)\virus.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.exe"
        5⤵
        
        PID:6624
      - C:\Program Files (x86)\virus.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.exe"
        6⤵
        
        PID:5708
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.exe"
        7⤵
        
        PID:5816
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe"
        8⤵
        
        PID:5972
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe"
        9⤵
        
        PID:7704
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe"
        10⤵
        
        PID:8300
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        11⤵
        
        PID:8928
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        12⤵
        
        PID:7240
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        13⤵
        
        PID:7884
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        14⤵
        
        PID:6496
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        15⤵
        
        PID:9036
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        16⤵
        
        PID:7752
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        17⤵
        
        PID:8196
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        18⤵
        
        PID:8084
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        19⤵
        
        PID:8984
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        20⤵
        
        PID:7196
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        21⤵
        
        PID:8364
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        22⤵
        
        PID:5336
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        23⤵
        
        PID:5252
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        24⤵
        
        PID:3532
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        25⤵
        
        PID:7004
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        26⤵
        
        PID:7688
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        27⤵
        
        PID:2124
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        28⤵
        
        PID:9836
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        29⤵
        
        PID:10136
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        30⤵
        
        PID:9384
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        31⤵
        
        PID:9524
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        32⤵
        
        PID:9860
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        33⤵
        
        PID:2896
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        34⤵
        
        PID:8752
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        35⤵
        
        PID:9332
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        36⤵
        
        PID:5780
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        37⤵
        
        PID:6008
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        38⤵
        
        PID:7692
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        39⤵
        
        PID:3940
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        40⤵
        
        PID:5336
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        41⤵
        
        PID:7716
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        42⤵
        
        PID:10144
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        43⤵
        
        PID:7996
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        44⤵
        
        PID:8776
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        45⤵
        
        PID:5184
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        46⤵
        
        PID:9104
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        47⤵
        
        PID:1392
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        48⤵
        
        PID:9116
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        49⤵
        
        PID:7384
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        50⤵
        
        PID:7764
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        51⤵
        
        PID:6292
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        52⤵
        
        PID:9604
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        53⤵
        
        PID:9516
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        54⤵
        
        PID:9260
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        55⤵
        
        PID:5496
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        56⤵
        
        PID:9944
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        57⤵
        
        PID:2908
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        58⤵
        
        PID:9232
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        59⤵
        
        PID:6920
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        60⤵
        
        PID:2996

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4788

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:5620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
    3⤵
    PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2004 /prefetch:2
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    PID:6816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
    3⤵
    PID:6728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:7148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
    3⤵
    PID:7412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    3⤵
    PID:7820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    3⤵
    PID:7984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
    3⤵
    PID:10052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:7788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
    3⤵
    PID:7652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5968330445804688724,11682708011781012298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:6620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2e873cb8,0x7ffb2e873cc8,0x7ffb2e873cd8
    3⤵
    PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\firefox.exe'" /f
1⤵
PID:5400

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:FESearchUI.AppXbgxsca4vtwz9gsm457zypgjfyczezg85.mca
1⤵
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Screen\firefox.exe'" /f
1⤵
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\Web\Screen\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\firefox.exe'" /f
1⤵
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default\Cookies\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f7" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\7f1630df6b57af024a3b561bdadc208f.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\firefox.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\7f1630df6b57af024a3b561bdadc208f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default\SendTo\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\7f1630df6b57af024a3b561bdadc208f.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /f
1⤵
PID:6324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Users\Public\Music\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6828 -ip 6828
1⤵
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\Saved Pictures\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:9100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:9032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:9144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\BTZ.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ICU\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZ" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\BTZ.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\BTZ.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\sppsvc.exe'" /f
1⤵
PID:8824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /f
1⤵
PID:8792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:8144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\conhost.exe'" /f
1⤵
PID:8916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe'" /f
1⤵
PID:7068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\twain_32\conhost.exe'" /rl HIGHEST /f
1⤵
PID:8848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
PID:6624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\BTZ.exe'" /f
1⤵
PID:7744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZ" /sc ONLOGON /tr "'C:\Users\Default\Downloads\BTZ.exe'" /rl HIGHEST /f
1⤵
PID:9092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomk" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe'" /rl HIGHEST /f
1⤵
PID:7236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\BTZ.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
PID:6864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:7732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\kosomk.exe'" /rl HIGHEST /f
1⤵
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /f
1⤵
PID:8160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:8848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:6540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1n" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\net1.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:9160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1" /sc ONLOGON /tr "'C:\Users\Default User\net1.exe'" /rl HIGHEST /f
1⤵
PID:6180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1n" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\net1.exe'" /rl HIGHEST /f
1⤵
PID:8268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:8320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecusm" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\en-US\malecus.exe'" /f
1⤵
PID:7192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecus" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\malecus.exe'" /rl HIGHEST /f
1⤵
PID:6960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecusm" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\malecus.exe'" /rl HIGHEST /f
1⤵
PID:8728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:7996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:8316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jkv" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe'" /f
1⤵
PID:9168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe'" /rl HIGHEST /f
1⤵
PID:8752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jkv" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe'" /rl HIGHEST /f
1⤵
PID:7756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "evile" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\evil.exe'" /f
1⤵
PID:9156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "evil" /sc ONLOGON /tr "'C:\Users\Default User\evil.exe'" /rl HIGHEST /f
1⤵
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "evile" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\evil.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
PID:8240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /f
1⤵
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
PID:7516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TESTT" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\TEST.exe'" /f
1⤵
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TEST" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\TEST.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TESTT" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\TEST.exe'" /rl HIGHEST /f
1⤵
PID:7428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\firefox.exe'" /f
1⤵
PID:9104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\firefox.exe'" /rl HIGHEST /f
1⤵
PID:8704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\firefox.exe'" /rl HIGHEST /f
1⤵
PID:9160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netshn" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\netsh.exe'" /f
1⤵
PID:9320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netsh" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\netsh.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:9584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netshn" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\netsh.exe'" /rl HIGHEST /f
1⤵
PID:10092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
1⤵
PID:9248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\cmd.exe'" /rl HIGHEST /f
1⤵
PID:9340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\security\cap\SearchHost.exe'" /f
1⤵
PID:9504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Windows\security\cap\SearchHost.exe'" /rl HIGHEST /f
1⤵
PID:6908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\security\cap\SearchHost.exe'" /rl HIGHEST /f
1⤵
PID:9624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
1⤵
PID:9928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:10200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D0
1⤵
PID:8952

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5260

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:7900

C:\Windows\SysWOW64\wowmgr.exe
C:\Windows\SysWOW64\wowmgr.exe
1⤵
PID:6208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CatC" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\Cat.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Cat" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\Cat.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CatC" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\Cat.exe'" /rl HIGHEST /f
1⤵
PID:7076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\VSSVC.exe'" /f
1⤵
PID:10132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VSSVC" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\VSSVC.exe'" /rl HIGHEST /f
1⤵
PID:7968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\VSSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:9740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /f
1⤵
PID:9796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:9596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\FCIADH-DECRYPT.txt

Filesize
8KB

MD5
fc899fcdc84b32bdfd015abec0f073af

SHA1
7ca872f7fbc7e01ed5f29acfa2a4beef5c26913c

SHA256
0e6c799df2e62194e03b46abce255f6bcd15be9d3b4239ed9f38f7c2da70aa34

SHA512
11d970034da63f2452e3695b379ed7d6fb36f84cf9c7512014ecaf7457991ef93f76129d598dd9085add9b23f5cad3d5b6a173c83bd96b3685f4e1ebef08dff6

Download Submit
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe

Filesize
55KB

MD5
17315d95e80eb36cc51a7d25e4c8b231

SHA1
95006ad8de0a17dc3df6698e195e62b8ee32475e

SHA256
2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c

SHA512
481a15c46dcf38562aa989f52330e556da90a3ce00190cedb2e00b2a39df5db3bcc3af743060fd8c75933d6ae756aa4bbc176708f36d3b4aa443b4663ca94608

Download Submit
C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe

Filesize
37KB

MD5
5c8eb40a1344bd8b18c1ef0d95d433d4

SHA1
b6c1f037637936ae018cc5e3e17ab9f3cc8cb3ff

SHA256
31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65

SHA512
74aa4c3047e5fff0b0d903841ceb01cd0e9939244c9008a9ae6a77ee5484290e7a0df56bbfc422ff5cf80012e84b75af2cf8840fd6ce6c80ea361fa07e5da577

Download Submit
C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe

Filesize
93KB

MD5
7299c8fe0d2e5c385c4e4711260ee2b5

SHA1
4814f8494c3ff005203838e25a62cdb1ce5f8d68

SHA256
34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219

SHA512
2103b6e574657998159979c0d1e9021175732fffbfcba4ac1c3f778b33010129b9b9467b6f6a1e5f4095e9bf62d2212654f20c5a051cbb72158a2a8f399dfaad

Download Submit
C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe

Filesize
3.2MB

MD5
57ccb6f0bd910fed428761828ae93553

SHA1
71dfe6354ac308d03cf7219686358652b9a8d438

SHA256
7d357b523b5116915747af1fb0d5e6b20a472dd08fd4eda3d0733aeaf70dcd07

SHA512
44423e3df0d34d8917c82103f336cf0c61cd0aa2e3722e3baf9224daf0b620009967136b1625d2f783b1e36207ac529008d49235ae2ae50b01a9b053d0ba0878

Download Submit
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe

Filesize
828KB

MD5
5e710462c65fe899466e4fb7c1e33c9a

SHA1
a0bee34a8865683de35502c1ed5ff41e86670718

SHA256
f4f54ed5ec3a6e3b427be418fa0f63061e2feffbb9c33ab3911404b1b8f93c7e

SHA512
35c4adede7a4f8baad61876de8821e91dfe4ace4ec721575fc8155f6e7d43c794a7d4741609fda24b16a82d3d9ae18bc35addb299416f59ad1cde74eedbfa0c2

Download Submit
C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe

Filesize
827KB

MD5
73c1c41b9e71c48e752a5cd19fe808b6

SHA1
b8bd41a0b9dc7baef6eb01dfe6c852afdfaeed18

SHA256
fce441edb227275c5380194cc7a96a95998de6d75cd601b73bce1be529a68bd6

SHA512
f146a8917d39aa29d52386f5a23bbc01fbfade291d576782b5cc80b0ca363fa24fee80f00cf81ffa40e12503fedd203b422b7ad97dbb0d4500152e86d974cb38

Download Submit
C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe

Filesize
268KB

MD5
fc57a660e24d9c91cb5464b2ece30756

SHA1
6d70e4dcd68ea6dae43cc381d4be84bcfad38eda

SHA256
75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa

SHA512
8f0fa0a2e5553a4059ac3e224ea8106131193f3cec7c23456507f8404c42440267efe88462cf31bcd3a6f9dba57011933a2a43e74b1cccd5d1a363497d1a3a67

Download Submit
C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

Filesize
205KB

MD5
887b35a87fb75e2d889694143e3c9014

SHA1
c8be4500127bfce10ab38152a8a5003b75613603

SHA256
78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae

SHA512
98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930a

Download Submit
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe

Filesize
175KB

MD5
7f1630df6b57af024a3b561bdadc208f

SHA1
9b304cb2eff05f040b76eccc00ee55b914cf1839

SHA256
c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7

SHA512
742219cb5c76b9d39ed56cff988a533d19ef3e202e0fa48e9a3aed7dd9de190eef0c313bc974e37e7f363892eb6787bc66657324be2f0fb05d1b0021ae61ec9e

Download Submit
C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe

Filesize
308KB

MD5
938b92958ded4d50a357d22eddf141ad

SHA1
062f16b1cdfacc55f982908ee6c85fce6296805a

SHA256
93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f

SHA512
372942601188751cdbb79cc94469a66434ca2963591bb849137654622485cd92f4ac8fbbc9b83c3acdc128e354bb3b805af0fc0a465e0a2519d330f8ca9a6c36

Download Submit
C:\Program Files (x86)\BTZ.exe

Filesize
73KB

MD5
cff0392ac2a1d782f43f7938ea18af4f

SHA1
1dfd93a3106a1b4fd10cfaf8b8bb4bb606c4093d

SHA256
ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e

SHA512
134f6c8343bbcce6e23ae370193aa1b415f337790e13b2cd6171e657c775c7971a7b13146d930b5273b0ea64ee947df1cc5467e4dd52900d70f13550c6b9ae8b

Download Submit
C:\Program Files (x86)\Cat.exe

Filesize
2.1MB

MD5
fadadf302e5b6c4010d700a3802ac678

SHA1
6548d465ae4facaa1d2d1921e423a7b871bcf36b

SHA256
d61f36d7dc8cc8464434ee6fa72fec2d1e210978769d1443db08f1decd845f67

SHA512
571db891718f1cc7e260772054ec39592259fdb3238dab90071a8ab7eeddc5baf2de2719f12f246a4a0466da7b72776a49f51da124afff936cd78f4253b5646b

Download Submit
C:\Program Files (x86)\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Program Files (x86)\Darkest Dungeon setub.exe

Filesize
284KB

MD5
382c21837fbb296675b92c64bbc6249d

SHA1
ddedd90110497139ee0b5fca0e8ea3b585271f6d

SHA256
6ba1d9cf4b63033c0d9752fbe663eee726a5cf5401b20b8b8e927cca39cf113d

SHA512
3a7cc906a9bc94526b0f0fbaff43fa6230e14d0226439d1558b1e09d258911beb79fbfdb56c9286373856dca958dd5decb10c42e7248763dde1e1e85a3aae727

Download Submit
C:\Program Files (x86)\Gandcrab5.0.3.exe

Filesize
424KB

MD5
95557a29de4b70a25ce62a03472be684

SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969

SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

Download Submit
C:\Program Files (x86)\Happy18.exe

Filesize
9KB

MD5
8c0ec9b7f903dce401ac301fbf43e930

SHA1
46db7e2a37d95eb1265b30c1557a5e80683b48f1

SHA256
ddd60301114f7867605a31a6d7c4c2014fe28bd4e0edfc53024a22d10b7bf3f8

SHA512
5dc630f669ae4ddb6cbe6b6f276d63aaf9f55de964990b4a2a57830bd0fd1127a2ee729bc099b738e813c6e0b23a29c3d73b39bb6055372867eb1dcc57635ae5

Download Submit
C:\Program Files (x86)\LightNeuronX0.exe

Filesize
14KB

MD5
55319464e46e2c31d22b39b46d5477fb

SHA1
a4d1a34fe5effd90ccb6897679586ddc07fbc5cd

SHA256
14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1

SHA512
3a3ad3aa4bf745932d8ea02f3c96774aada2d1d1723be1ceb6cd5b7823e3d0f4e91457dbeebe92c8a2c8e7bdc1134b3b59bb9d9ce7503aeae6c182894203c9a3

Download Submit
C:\Program Files (x86)\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Program Files (x86)\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Program Files (x86)\fwclt.exe

Filesize
1024B

MD5
c98a0d1909d8fad4110c8f35ee6f8391

SHA1
3c2b7bb0f3c8ca829602e4182a816a0905398521

SHA256
0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc

SHA512
d3760b816b2a3fc3ec4f3ed9eee869885943d95d8a18f8a8233bc3e1b0f774dc9f55b518a54bcac3f94b2d960a73e53987fc09fa338c5b56d20e042610c0d948

Download Submit
C:\Program Files (x86)\kosomk.exe

Filesize
23KB

MD5
926e2c78bcea51e5309db037b18b4202

SHA1
d4b80f95bfdc9c2ff860ac0cc2012a81b425801d

SHA256
1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10

SHA512
6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1

Download Submit
C:\Program Files (x86)\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
C:\Program Files (x86)\see7.exe

Filesize
574KB

MD5
1ccf28645e2d52556487a9710de54d8e

SHA1
e83b5b14a3d08d8838e23c08070ebec713f859ef

SHA256
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99

SHA512
5a5f4c5fb992bac2119234563a8a7d3418baab3e3519f936f13a598aa9026dbeba571b7981a5a6afa519e18b124d8cf4c6642b30b88a4a091a051e2b41c5f321

Download Submit
C:\Program Files (x86)\touhou virus.bat

Filesize
842B

MD5
ce982443fd7813bf5fac953b19d702af

SHA1
b4ddbc76f4f44ad82547b427ed1f67ca9d3b2665

SHA256
5f930dde52cdb9b2f0118be71c07fa77cf702b1e2d704a08ef9a6af6950413a2

SHA512
40b0e27d5a55633531ade75156a69df58d6cc33400380330a05d9e665f47857d4c1f76779ce790e84ac6208e1a58b468d056edd28a03c4e949dffc09acf0adc0

Download Submit
C:\Program Files (x86)\vbc.exe

Filesize
123KB

MD5
d2ce3b2a5f3efb1fcede96304e57a531

SHA1
d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e

SHA256
e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462

SHA512
fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b

Download Submit
C:\Program Files (x86)\virus.jk.exe

Filesize
2.0MB

MD5
e0d346913cbf16602edf1aceda2a62b1

SHA1
2387b499cba2684ab293a758413ea2a5f150fa45

SHA256
c1bc3d85a9f78eea49adfb80669570c0cd6cd3dda92223496182e3aadf4e0b30

SHA512
a2c9a2708b4e0a32ab10bd29428ad2583382a5bb56dc6641ae07144d8707efd963004d1a5e71a9c8b9c53e09629b60b9ef7e6a16366ee376083937e717c1977f

Download Submit
C:\Program Files (x86)\virus.jk.jk.exe

Filesize
2.0MB

MD5
7f29146a34aeafc8ef837ab6aed8fd6e

SHA1
10120c15f76b1a7b5a30f8fa829caac88c49d9dd

SHA256
de81bcbb17cde244e05a2b8342d5c8d1be0c344e78d0bc45a7f55a4282230955

SHA512
907a395e0efb69fb4066c9104feed095c0864af36f18bb2abc25b97dbb7c8bb6ccbd177afe42da7974fdee9a05e1d2fa4dd89f1863fee75842a5b7677bfebad6

Download Submit
C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_DEAD.HTA

Filesize
64KB

MD5
d7e4b59d4ca0a7d5ef7913c310a694b8

SHA1
b84a98e4fcfdc447bacca2659b586609d76a045e

SHA256
545a45fddf4f14e1ace656f0177716de1c81684e56e82bf7256305400e5c8823

SHA512
a0f35a43047e20b7c9923b2e393a62de67ef727b994d1fbe7b2303a44f66f18419a0368f02433ace5273fa96bd253d10711c3ee6f936fadc8f4acd9f13e7e1b9

Download Submit
C:\Recovery\WindowsRE\0fc223bdacedc3

Filesize
816B

MD5
46dfa9ee71214ca747712b96cf997587

SHA1
26523403dba7dcf4bcc12a0c9970783c3ccabcf3

SHA256
a49ed4d1482833c87f6b5036b78b00a9a7b9ba513c5209634710776da0264a2f

SHA512
7b434e20967011052e28796de385562f25418f3231a54dfa8bfc6c6264f822220387c88ea43878bb6e470478ed31234dcb1c94efc928fe17a0ce697868d4e739

Download Submit
C:\Users\Admin\AppData\Local\12c9eacd2450ff2a6eb9a8ab73ecc396\Admin@ITMJLVNR_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\12c9eacd2450ff2a6eb9a8ab73ecc396\Admin@ITMJLVNR_en-US\System\Process.txt

Filesize
4KB

MD5
e55234803db3af6ff5c13eadf4819710

SHA1
3de388c1a5949013000f1d55cc6d860cc50e7ef4

SHA256
555a314f9a20e813e3d8e4f9fc19d98130004b1925ed74cbf04d685bec92a7c9

SHA512
bab30564f18b20779e073252f6c51ed0ec18159bd5cdca5d179da51e144d359e5626496efbf40e95d7520050cd60e5b07ffed90dcb811b480f60ff75d86838ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bb7f3f2ea77814c2938199c5b2d1b5c

SHA1
5cbd826e7575a6821cf6075cce33b4fa5e1ce090

SHA256
b25a49b1e0067c836156785f5ac7193c1886f3d0a27c5020d306c0c8bdb489d2

SHA512
70e5fab602b8e6e3599ed12f9aafcdbaf966f1c4574a13471b7fac5320df2b18077103a813d6a96d027c69ee1cee1a7027f0538e9f0f5f494921b4c8dbaf418a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a992848049ccd6b84f6d5633dce399b0

SHA1
cc565c74b7405d8c26162a540f1fd97d02cd1abe

SHA256
a468a990635d399db4eb5c5cfe14ed9b09c58e70463a87a604e479eb1b59cd21

SHA512
4acdefd74cb67ccfc8e842afdfe2d381d8b1ae66f5cb52e18cbf44bad8fb0bd408908a855fa3e8e54283677a974bc9597ee1945d0eceecec2652017be55eadd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc09d5a1bd60fac316606e6a2676c8e7

SHA1
d9370276276c0c56710c15ce843b184a7a6e69bc

SHA256
4a4d1a8456ea8b08f0b53b65dc3982a8acd3a7f5a481d09bb4177bc7ce807789

SHA512
4d8c94dd3da37873c27a6dd0900be86e16458070cd41af53214f39236a0e4008a913e8c9cb5ce15c7af24510537c2099e122ba56e1b7430b50729eb2be1f3eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b3e1f129e05f484f6e01fdcd536311b

SHA1
d880ee9c7637cc17762f5df66fc59a3b19060e5e

SHA256
617ba262fec8826300f15f2f421d88e885c611200ad2d27decef16fd92ce5f0c

SHA512
c833dd960ea65b148a0dc4b00773bd35e48268bded075a0b5b1831d70608a90d6104f6c34ccf0759adaa1e3e05c3bceb11f6cc1880d0ff505262a90499bbe804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
47KB

MD5
213af7ac1aa72e2c0c316743695b7cd0

SHA1
c93bf2de82958073a23b3a495356118ef718cecf

SHA256
f5680671f5dc330f962eb3de4164654e2c17284ac3a109f687ddabf104e25ce4

SHA512
d0e11f42a046682805d18a0a133df1c8c4272b94117de503dd4992c34f93e516b7decbf77496f45768aeb1a95f1493f74f5ff732e9b42efa6bff1b47e9b0c1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
5fce8d49fc7540050a4f256e4ef7e96a

SHA1
0602fb48053f32730701109d11bca5bc5ca710ec

SHA256
fca9582db71bedb5f604e90694beda22aa03a1fa56b89b0484797871c5493d8a

SHA512
8103b4b35ecf0d16f88863fce87fd27cf7ae5293474d1688974a5c08b155744db0046d1d5c942c59ec79aef317546c360442f4fa43faa573408a42b61b539ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
18KB

MD5
c83e4437a53d7f849f9d32df3d6b68f3

SHA1
fabea5ad92ed3e2431659b02e7624df30d0c6bbc

SHA256
d9bada3a44bb2ffa66dec5cc781cafc9ef17ed876cd9b0c5f7ef18228b63cebb

SHA512
c2ca1630f7229dd2dec37e0722f769dd94fd115eefa8eeba40f9bb09e4fdab7cc7d15f3deea23f50911feae22bae96341a5baca20b59c7982caf7a91a51e152f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17a187950ef97aca0a2e0f5aa295fc33

SHA1
061e8e52e65de72ffd8297ad9ca9b3d8ed020588

SHA256
3b6db165add884436224f209328f860a881b7aa98de662e1a6ec0d1870fa3d9c

SHA512
83e12d1a47c44b0d1ea658cdc696b2278ea5e7ee723878d2f2a0a5004d1d0f720fd868eca34299eba075769cbbdec74bbd33385b7fd10ae08a1046b610a14ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
768e205b9678362558cbb008d5acd1ce

SHA1
cc8becc19fb171cff571399e81f1869eb0ab2d2d

SHA256
ef666f1df9bff9827f54882d1364d299ec4580c4e069b33bd2cc475dee425089

SHA512
5e313a664cf4b1a5eb677041b20813f9b4516654e5cba25db109cb84a2075b73d467540c93a855e4384f2a3ef86ec7784aae2f07696661dd6131a76243224505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec78d6d05ee0cf2beeeacab94931086b

SHA1
d238823acecadcaaab7b1b1274143670ebd97f2e

SHA256
285ae3aa38101871004a96b7ada968c18195c35bb769931e52c3a44e020257fe

SHA512
ff9a485674dcce2d35c7d335a1f3df0348d41d305f2ca914ed8f871d944ba7ab69de7cf8667d05c9e616fd15339915ed69be35fa0db25cb890bc0810758e0033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
c208724c922104bc0813b8ec2cb7e5b7

SHA1
34a01b2326a4f4e5cceb6286241e4153ec32cb6c

SHA256
09ac87ca216c4e569b3b152a439f7c5144711d587a48a23d1a7de531f185722e

SHA512
d3d2c414d3e66e58b8b9d2856e9b2278b8cc6388c39acf440d5dff4a93a758d46024fbcecbdd26a97c82bf7e652ac3237e4704110cf561bdbde432008fb3c5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
7583fd138872b718963385f4273acd85

SHA1
a48c544ecce1d125efe315f5bb525078952d4ca6

SHA256
927d645c929421405b5776c21ac5805a6a2a5a44d11c81a78664f01f87da49bf

SHA512
1c31f5360795eb9059fa4b3b6813af1bde1517ffc299776a7dbfd9900af6a876df9e131c35e5001e3d5ca6ece985757a378e7b65ed3a09847ac3a45f634b606c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
6b0556185c7d6cc797f907f956cdc11d

SHA1
de8c4ba448cf40d9fdef275f1c46bffdb4b0175e

SHA256
eae28dbef0549dd4ebe96fdd5cc989afe6c82c106efa3daa357d948d287e1693

SHA512
0d8eda7366c92ae2ec336e0061469adef8e16b15ba05037c62afc68d3aae36988daad1f013c2cbcbc1b5e99d0864b3b831823cd7fb3db4b0959d75a270a7a02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
53cb630e018f079e03c9d24041573f90

SHA1
f6e861649f7852f1669759b2ed47430e0f203a9b

SHA256
037f5e97f863696ec6566a73db18f98db9bdfa0f681c0e06fe8531fa32cab01e

SHA512
87cc6742a2cba95f110809c16077520332f8b62a55e85c6f0ad78742387d4c506c0333e9f0c515d22db580f4f5511efb0f71a12ca1c3e88802f6a77b21241ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f539800a6f685bba13dfe2d8fce6d96

SHA1
c29fa17d2275e34eb92c99248e332077881a9553

SHA256
4f73a06d7b60a6de62a991112d3c98eae442a661c12d7c92508d0f0345cb4f99

SHA512
cc3512dacd0a70cc1eb474587ee71c822110b0ce1a9fe83c41fb4412f57a7b7729fc63896630d40405a1a2cf55874e0886980c38143fd2121efb1d4f9a7ca140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
367c10e46035cd3906d232f6adf9c00c

SHA1
a5d60260fd8d4913f1fd1ccd02579eeb4c9872fe

SHA256
6cdf527721045a7d4fcfc133df4d6a7823a23a0769bca958853a2ca728ed4d0e

SHA512
d46146378349fc51feeeb4acfee236b3d347fa1b5307872984caf493e4ccd7c8dc1a32162d93667120b6eff33bb6cf4aebaa6e4d20c7ec20a458d1caaf384fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7f97a59fdf2a9c340e4399aca5956f1

SHA1
0212b971d2826043537f87c1c8c13f723d618fdd

SHA256
5ed28ddeb9124cd12c26363aee681a8d0806f69a7787bca0126bf86e1845e547

SHA512
63297a24ba2c079c9b474756896b844ab41c85bb0063d209bfef212b3d64919e82865e42a2b151298c72eb3cc6aa554401774225a94845edcfd581761de5b2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5aa068.TMP

Filesize
1KB

MD5
ebbd4ce5ad37207aade5d31395bc6644

SHA1
118c8267e6fbef3831beb7e256a31072db9556cd

SHA256
7e6a3cf86b8dd5652f9af1d15ed60cfcf39a5bd2d1bb30367a8cc673c0302f69

SHA512
0659bdd2fe07a45d1e95dd621c1d0decfe6bc8488c641344e47895f8e3161f8dd34e4b2202b8057a0ccfcc86b56dc332eddba12c344b72095f74924909cb6024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
278d5f9cea5a1807877b58d7342a3cbd

SHA1
5e54a03d77b5d22e48016feb59fb0b5c260d5bc6

SHA256
e30a176cfb1bf58935a46737530036c903434bedc03a0fef2fd2a4379a18b98b

SHA512
03280b79e690f2b0d387d17b63f72b78a0c6e36efe3a72197fd2015d841aa97cbd70bb08db1ba483e36400c1f84ed9c6ff033313c5fa90b077988223ce9ccde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
65KB

MD5
cd28ade5117459e05f1c01e26eb03673

SHA1
c29734e267a1401c3f39addf901b2b58350f1ce4

SHA256
dcc1f29e37c2178ea153cffac776465bbdceb744a5532170361bdc4a58cb5988

SHA512
a470548baf0cf91b5891ebada5dd941802407560cb19efe9d206cbdc08dc1c8dace078a301d9ae3b9501a495de8147266ce4b48455107a09ed7a5ab4d3b67df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_by4ju0gp.fyd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe

Filesize
5KB

MD5
f9e42c92e371cedc22c78e2900418651

SHA1
3e99ba4a4a007d2ad1cfa6e3fda91b01a710839d

SHA256
f340bf91627787a2770c897aa9555bb82382cdcc2232904b5707238ab0a85e39

SHA512
7ca0a18f7ae83f0d11d8b33ddca579fb5e5629b5255eebf28b2e256a0b4449f4dee5bdff2ef6f9e1af323a04111a688d9251629ddecb046746978f94d469de05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jplmbcuny

Filesize
4KB

MD5
0dbceb0fc7bcb589c214a5cbdf34b95b

SHA1
e7f948a31c2ce8ac25cce1169654435cec455bef

SHA256
7a5c8835a40792321f57502a295e3972d2b1b1288ae9bd2e8899169a67941097

SHA512
7be085588931f5ca5fe9622e6b758eb5da6dbd683732814e1c570e113b0d144088dbfe52f3c5116619a4df97b45b8d5804581bb807e0725b353520cc4b2432da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jurqlvqzsu80j5x5

Filesize
103KB

MD5
d36bfa103f3793806490cc1e20ceb429

SHA1
9ffc447f3faf0bd6047af095650237c6be04cc5e

SHA256
098b0f7a8e149f3f30525c7d956324bdef23f43648ad136ed21b393f21e64f99

SHA512
7662f73f06600360f83af60bdf9b8be37e8eca9702b804161df59697f26c3f14679dce7c9c0f24a49aadced618a1885b690df8477768068b5f4f2182fde4c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
8KB

MD5
266e459c0a48c15ab5218af17c024e77

SHA1
ab417cdf65e2c6f1057addbb7d4fcc68cfe5a625

SHA256
bafee25eeedb83398bf9368c132b2454f55e0c6ff066f2917a2853271127a967

SHA512
bf8bc7603d6c5bfa46a1edca2a0daf0c77848738860c5cabeeed9b8155dc3eb89fa27e58359c427f92f0cd30f05a48cdad9a6e5cfab6e9fb317a313229dc28b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
6KB

MD5
557815d7b77401ba8a9c099a2ca24a4e

SHA1
05e22fd1fa90d450c89b0e0450ce292a8aade9d9

SHA256
bf2a3cce7d544d5982833b0284fa076b6f2b11090fc35c6b00237948f746bd78

SHA512
d511dd21030e8ebf0037d0b08c2662e10085ae942eb05b6a64b1004f98aca7905e400f1ec6ea4b322097d408db7c4deab5948e904e3caf62b5b191133d8a029a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
7KB

MD5
f0a05f6376b87093f476766562f17e3e

SHA1
fb8198cbc2465b79fc823cf8054a12208c9647fe

SHA256
c9644e3c2934451f984512246592c4aef14d7e468c78e1a1734b8acf263c1c12

SHA512
be157925d3ac68b010cf9fee712a22a1dbea4609e1a4e1a98ccd167e9d2602a27baa8bd07a1f6ddd03ac748b21e35b65334757005d750fae9a8f05145be2bd25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\AlternateServices.bin

Filesize
13KB

MD5
d12134544e0d00f9d9ae882095c68ba1

SHA1
1a78f50c231c93c0518748b617cef40b947da6f2

SHA256
1518117beed2a757fa697ae9334d6d34ee37b0433eed7d1741d9634d6b4b8749

SHA512
0b4ae905e169d11e5d04b58d42b631cdd6a454e07dce90029cdecf9defd9ebfcae7c45cc07c09096c14bb90b63abddae37bcf7517967189c92a093b9e4750d04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a531ce29ae7d58d1e52e71884e3b8da4

SHA1
2f90bc01d679e82a70a0e3667b031b240da40a77

SHA256
22667c930512a45beb7c5785d418e90bbb09a4b868575462c7a5550b3f2bcb05

SHA512
e6211f2ebda0e4d1f59d97c4136b8284ca1b54025cacc9d774e86be73a40c9eb56dfecb4effd439c89219483c60605aaf3566ab3dd1563ea8ddc462983dd6974

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
834c29be27411c2b246f1108c9349a34

SHA1
1ee7b3747106e1999da4e2019e19973123e66dc5

SHA256
5b59e56bcb146941ae3512d17596c84c3c317adffb14d05e687a42e6d5c6baf9

SHA512
9a2c91b0793b2dbd6592acb96b8cc97da85f4686c53f0623f771fe1f268c0d4c0fe6f6ffef78d74ea7a27dccdfd3371d83d3c8185e765a6cf922a721c9c35d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
85b418da65f9cb5f548030029e7da20b

SHA1
81c5189ee42cd098362d46041a0ec21498afc407

SHA256
3dafaa0ddd7804b9b622ffd56dfdf1c6facfa5fce6ee760c72d2aa480c232c65

SHA512
974aebbae39506331fdd205bd5b71be267c193510ba1a5f12803a2233088f2997d32320cda4b3646890b8c4b713cd8cd94a3c277c251a4542f76423906ce3190

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\59132904-9ddb-424e-955e-d659063ac4ba

Filesize
26KB

MD5
93adf36c97a85893afbc09fe5b65c346

SHA1
b4313b0efe314036baba54f52ea6f3badb5eba32

SHA256
0b7808f051aaaad87adf562e02ef7089be077d5ba44d7973f9e3e44ee3968988

SHA512
44d8aca7eeba9ec225d38795388aff3ef985d97aa50f3e464501d7e362899c6b8ab1edf2e712bc2595cde2d7042960105aed05cef4336d5e3ef8277bd9eb9877

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\aa042483-9f65-4b9a-ad02-a75175e44127

Filesize
671B

MD5
6d02ac2579f0b9895943e0b3a8d2905f

SHA1
f38f8cf644cab158c76196dcccb97bad32205eba

SHA256
0b1fe2d71ebe2b11230e37e105b3f2ee265398284d29568efc866308dfe65308

SHA512
cb2c5290ecb1e9026b8d6ca411694e519ab073df67c9a1a9093fff31c2e470afa3eb1b244ce0c227d260f7a4dfdc5b3aff1b31bb19124c0e7f7ba99fb6e601e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\ff9de104-285d-4d54-88c2-f420d224de9c

Filesize
982B

MD5
d38e6c1aaaeaefa2f22c4a1c9fba8e1b

SHA1
3d68745b5b4240483f9d3786cf6b21f1cd3fdc04

SHA256
ebc4cde8399fe22559f91bcc0a1b70df992fc7e00f68773263e4865b69ebb8b5

SHA512
e1748dde636dac7cf4fbc93ae6a23a6d027f602a86b53d2c7114f483141d8f9c38f368a3324050712819377299f58aca57a051c05587955b1fcf941015802387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
11KB

MD5
85072cfdd963a184aa4bab3ed7c1371b

SHA1
92e314f664ff5296d0f6356dc3de6fb908938264

SHA256
ef30147e2473866916d59c2eb9b8de7d705514e049a1a7cdc6807c7cd9f68440

SHA512
974239b82d238932ab7408a017a989e147ab1f27a59eb083c1e151bd2444ed1ff366d7aec0aa86337df9f91a5978b7cfaeb21e92c94c96d87f50763d0cb509ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
03fc7b2ec28c5c792ae035d5c4c1df19

SHA1
af010cb4d65a31a83d9c5433246cc4f7a2480817

SHA256
58d54794d31c916f0095457c11d9ca888c5535cde3e1c7b88c753b94462b3084

SHA512
bcc039a96e1257da5dfd381cd1416d3c64f919ec9bb00781f2022435e8ec3a8b49b72335a308f5e098d19b3e45bba8563ae8ca012b72374da0d00853f94f95f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
012129f4daf18f117b591aa25265d4b2

SHA1
6f48d6ae5f18405fbd9633f70243539d20f09f25

SHA256
6b96c31cabe68ada22af93d74283d51bf148a93c1dbdf92411136f9533fd65aa

SHA512
6870d63cb60e015b1354fe4bb942f45bcd353db60972aaf4a36dd22f06366fec158ebfc1edcc8eeec9dac853be08e4595a6c3568e022b28456e54af5427262ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c483f4d23381c867a6881f513b9b9ecc

SHA1
74ba90efa499a83f71d1f8434952666e253aaa44

SHA256
d765cf7d2528a3aa95e41cfdf35101ef147b843e9f2d8abb60caf141becde53e

SHA512
406fc84536143dbaba95538382e3b919b9800d64b2f49fda4d11adcb3ffcfdf9b91ab7858463f3edda7ca652ac6f3f68953403888282a124e64e6e23c803087c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
73ab8b2b264458e254e9e4c40d914b4b

SHA1
7fae74203feff53a70f34a37d71b4eb7b7b56f96

SHA256
c5e2c8fcf35e9bf48ace7eb71950d2cacb6d90abaa356466b3da62fef23198c6

SHA512
7c6daf361e91bebe050d018d1392be89d1fa3b9d01a474a70db69062c878e800a222667b23059fc82a00a7989ba6005a20c9e74bd7a75018cfcb27c40509f37b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
3061015ccd7cbf856d5d39d2e4fbe928

SHA1
ebea48009f1ed533f45b598bdd995f6da73987db

SHA256
2e249462a9a31b58b2291e22a03479840bf7ddf6d5f04f9aee49f6c1c4ee26cc

SHA512
c9a5fe521cf213d1cc8d5a952807936958bd944cd770ffa50845e54fbadbd9fe69ab125290089d15cc0cea5f467a28705594c196eb4fb41baeb8f7a0bf8da8e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-6179872-1886041298-1573312864-1000\FCIADH-DECRYPT.txt

Filesize
8KB

MD5
f8de1ca476a4e387ba41a2dc0b86b3a1

SHA1
8ba4cbe6e2d5a61a18519f2965f5d96d18b0e1b3

SHA256
f72d37e47dd6f77d764b9a1a98c59eafe8b256f7ea0f442cdaede0e52fda90d6

SHA512
fcd19effa33f58a62c8fba6b54f126916fdd506493c33ee5c94cdbc586fea00d5a18d0b238b223e933a3bda771effeb7b17d109a5ea1b5a7fce8df5e4272bc77

Download Submit
memory/352-645-0x00000000001C0000-0x0000000000296000-memory.dmp

Filesize
856KB

Download
memory/1028-821-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

Filesize
56KB

Download
memory/1028-810-0x0000000002D90000-0x0000000002DAC000-memory.dmp

Filesize
112KB

Download
memory/1028-782-0x0000000002D40000-0x0000000002D66000-memory.dmp

Filesize
152KB

Download
memory/1028-815-0x000000001B9B0000-0x000000001B9C8000-memory.dmp

Filesize
96KB

Download
memory/1028-817-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/1028-819-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/1028-825-0x000000001BB00000-0x000000001BB12000-memory.dmp

Filesize
72KB

Download
memory/1028-827-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/1028-835-0x000000001BEB0000-0x000000001BEC6000-memory.dmp

Filesize
88KB

Download
memory/1028-837-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download
memory/1028-843-0x000000001C420000-0x000000001C948000-memory.dmp

Filesize
5.2MB

Download
memory/1028-857-0x000000001BF50000-0x000000001BFAA000-memory.dmp

Filesize
360KB

Download
memory/1028-847-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1028-845-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

Filesize
56KB

Download
memory/1028-855-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/1028-860-0x000000001BB40000-0x000000001BB4E000-memory.dmp

Filesize
56KB

Download
memory/1028-862-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/1028-866-0x000000001BF00000-0x000000001BF0E000-memory.dmp

Filesize
56KB

Download
memory/1028-871-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/1028-869-0x000000001BF30000-0x000000001BF48000-memory.dmp

Filesize
96KB

Download
memory/1028-621-0x0000000000960000-0x0000000000C92000-memory.dmp

Filesize
3.2MB

Download
memory/1028-813-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/1028-811-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/1028-808-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download
memory/1436-1053-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-3763-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-1014-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-2529-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-3551-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-3233-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-691-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-4125-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-3924-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-2176-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1436-2683-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2008-3392-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/2008-3558-0x00000000010E0000-0x000000000110B000-memory.dmp

Filesize
172KB

Download
memory/2108-676-0x00000000026D0000-0x00000000026FA000-memory.dmp

Filesize
168KB

Download
memory/2108-677-0x00000000026D0000-0x00000000026FA000-memory.dmp

Filesize
168KB

Download
memory/2996-4132-0x00007FFB56CF0000-0x00007FFB56CF8000-memory.dmp

Filesize
32KB

Download
memory/2996-4129-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/2996-4134-0x00007FFB56740000-0x00007FFB56756000-memory.dmp

Filesize
88KB

Download
memory/2996-4133-0x00007FFB55DF0000-0x00007FFB55E7A000-memory.dmp

Filesize
552KB

Download
memory/2996-4131-0x00007FFB56AD0000-0x00007FFB56B27000-memory.dmp

Filesize
348KB

Download
memory/2996-4130-0x00007FFB56E60000-0x00007FFB57069000-memory.dmp

Filesize
2.0MB

Download
memory/3448-597-0x00000000008A0000-0x00000000008D2000-memory.dmp

Filesize
200KB

Download
memory/3632-588-0x0000000000B60000-0x0000000000C36000-memory.dmp

Filesize
856KB

Download
memory/3660-1480-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/3660-806-0x00000000055F0000-0x0000000005947000-memory.dmp

Filesize
3.3MB

Download
memory/3660-2053-0x0000000007F40000-0x00000000085BA000-memory.dmp

Filesize
6.5MB

Download
memory/3660-4082-0x00000000085C0000-0x000000000ADA4000-memory.dmp

Filesize
39.9MB

Download
memory/3660-720-0x00000000045F0000-0x0000000004626000-memory.dmp

Filesize
216KB

Download
memory/3660-976-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/3660-801-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/3660-982-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/3660-733-0x0000000004DC0000-0x00000000053EA000-memory.dmp

Filesize
6.2MB

Download
memory/3660-803-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/3660-802-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/3660-1477-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/3660-1472-0x0000000006C50000-0x0000000006CE6000-memory.dmp

Filesize
600KB

Download
memory/4072-792-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4440-929-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-994-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-541-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-954-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-842-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-540-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-539-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-538-0x0000000074C31000-0x0000000074C32000-memory.dmp

Filesize
4KB

Download
memory/5140-719-0x00000000006A0000-0x000000000077C000-memory.dmp

Filesize
880KB

Download
memory/5140-778-0x000000001B6F0000-0x000000001B874000-memory.dmp

Filesize
1.5MB

Download
memory/5140-907-0x0000000001060000-0x000000000106E000-memory.dmp

Filesize
56KB

Download
memory/5140-911-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download
memory/5140-909-0x0000000002920000-0x000000000292E000-memory.dmp

Filesize
56KB

Download
memory/5140-730-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/5140-783-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/5164-932-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/5276-3809-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5276-718-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5412-754-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/5412-740-0x0000000000350000-0x0000000000564000-memory.dmp

Filesize
2.1MB

Download
memory/5412-745-0x00000000054B0000-0x0000000005A56000-memory.dmp

Filesize
5.6MB

Download
memory/5412-746-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/5412-741-0x0000000004E60000-0x0000000004EFC000-memory.dmp

Filesize
624KB

Download
memory/5412-755-0x00000000050A0000-0x00000000050F6000-memory.dmp

Filesize
344KB

Download
memory/5488-2394-0x00000212AED40000-0x00000212AED60000-memory.dmp

Filesize
128KB

Download
memory/5488-2246-0x000002129CD60000-0x000002129CE60000-memory.dmp

Filesize
1024KB

Download
memory/5488-2253-0x00000212D0D00000-0x00000212D0E00000-memory.dmp

Filesize
1024KB

Download
memory/5488-2350-0x00000212D0EF0000-0x00000212D0FF0000-memory.dmp

Filesize
1024KB

Download
memory/5488-2349-0x00000212AED20000-0x00000212AED40000-memory.dmp

Filesize
128KB

Download
memory/5488-2106-0x000002129CD60000-0x000002129CE60000-memory.dmp

Filesize
1024KB

Download
memory/5488-2391-0x00000212D0C00000-0x00000212D0C20000-memory.dmp

Filesize
128KB

Download
memory/5608-744-0x0000000000D80000-0x0000000000DA0000-memory.dmp

Filesize
128KB

Download
memory/5616-934-0x0000000000B20000-0x0000000000BBA000-memory.dmp

Filesize
616KB

Download
memory/5616-3368-0x0000000005750000-0x00000000057C4000-memory.dmp

Filesize
464KB

Download
memory/5616-3370-0x00000000057C0000-0x00000000057F2000-memory.dmp

Filesize
200KB

Download
memory/5616-1013-0x0000000008FD0000-0x0000000008FE8000-memory.dmp

Filesize
96KB

Download
memory/6076-1071-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/6076-3773-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/6208-3798-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/7372-2815-0x000001DEE85D0000-0x000001DEE85D8000-memory.dmp

Filesize
32KB

Download
memory/7372-2609-0x000001DED03D0000-0x000001DED03F2000-memory.dmp

Filesize
136KB

Download
memory/7372-2806-0x000001DEE85C0000-0x000001DEE85CA000-memory.dmp

Filesize
40KB

Download
memory/7372-2816-0x000001DEE85E0000-0x000001DEE85EA000-memory.dmp

Filesize
40KB

Download
memory/7372-2765-0x000001DEE85A0000-0x000001DEE85BC000-memory.dmp

Filesize
112KB

Download
memory/8336-2112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2119-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2121-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/8336-2114-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/9136-3373-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/9596-4138-0x00007FFB54380000-0x00007FFB546F4000-memory.dmp

Filesize
3.5MB

Download
memory/9596-4139-0x00007FFB56220000-0x00007FFB562C3000-memory.dmp

Filesize
652KB

Download
memory/9596-4137-0x00007FFB568C0000-0x00007FFB5697D000-memory.dmp

Filesize
756KB

Download
memory/9596-4136-0x00007FFB56E60000-0x00007FFB57069000-memory.dmp

Filesize
2.0MB

Download
memory/9596-4135-0x00007FF7AFA30000-0x00007FF7AFA6F000-memory.dmp

Filesize
252KB

Download
memory/9596-4145-0x00007FFB53450000-0x00007FFB53468000-memory.dmp

Filesize
96KB

Download
memory/9596-4140-0x00007FFB559E0000-0x00007FFB55AB6000-memory.dmp

Filesize
856KB

Download
memory/9596-4141-0x00007FFB54BE0000-0x00007FFB54C7D000-memory.dmp

Filesize
628KB

Download
memory/9596-4142-0x00007FFB54AC0000-0x00007FFB54BD1000-memory.dmp

Filesize
1.1MB

Download
memory/9596-4144-0x00007FFB55F40000-0x00007FFB56060000-memory.dmp

Filesize
1.1MB

Download
memory/9596-4143-0x00007FFB55660000-0x00007FFB559D8000-memory.dmp

Filesize
3.5MB

Download
memory/9596-4146-0x00007FFB54C80000-0x00007FFB54CFF000-memory.dmp

Filesize
508KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads